CMB is incorporated in the People's Republic of China with its registered office located at China Merchants Bank Tower, No. 7088 Shennan Boulevard, Futian District, Guangdong, Shenzhen, China.

CMB is also registered in England and Wales under Company No. FC028950 with its UK establishment No. BR013933 and its London Branch is located at 18/F, 20 Fenchurch Street, London, EC3M 3BY.

CMB is authorised and regulated by the National Financial Regulatory Administration of the People’s Republic of China. It is also authorised by the Prudential Regulation Authority and subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request.

Please contact the Branch’s appointed Data Protection Officer (DPO) about any of the subjects contained in this Privacy Notice. The Branch’s appointed Data Protection Officer (DPO) can be contacted through:

Mail address:

Data Protection Officer

China Merchants Bank London Branch

18/F, 20 Fenchurch Street

London

EC3M 3BY

Email: dpo@uk.cmbchina.com

Phone: 020 3824 890 4 (Calls may be monitored or recorded.)

If you are resident in the P.R China, you could also contact the Legal and Compliance Department, China Merchants Bank Co., Ltd at China Merchants Bank Tower, No. 7088 Shennan Boulevard, Futian District, Guangdong, Shenzhen, China by email at: zongheshi_flb@cmbchina.com.

In addition to the Privacy Notice we have given here, your privacy is protected by law. This part explains the legal reasons CMB relies upon for each of the ways CMB may use the personal information that has been collected.

Data protection law states that CMB is only allowed to use personal information if CMB has a proper reason to do so, including when the data is shared outside of CMB. Proper reason means that CMB must rely upon one or more of the following reasons:

• In order to fulfil a contract CMB has with you;
• When it is our legal duty;
• When it is in our legitimate interest;
• When you consent to it;
• For reasons of substantial public interest; or
• To establish, exercise or defend legal claims.

‘Legitimate interest’ means that CMB has a business or commercial reason of its own to use your information. For example, CMB will process personal data provided by you to pursue our legitimate business interests including to prevent fraud, for anti-money laundering administrative purposes or reporting potential crimes. However, if CMB is going to rely on ‘legitimate interest’ as the reason for using your data we will tell you what that interest is. However, even under these circumstances our interest must not unfairly go against your interests.

The law and other regulations treat some types of sensitive personal information as special. This includes information about racial or ethnic origin, sexual orientation, religious beliefs, trade union membership, health data, and criminal records. CMB will not collect or use these types of data without your consent unless the law allows us to do so. If we do, it will only be when it is necessary.

The following table lists the ways that CMB may use personal information and which of the above reasons CMB will rely on when it does so. The table is also where we tell you what CMB’s legitimate interests are.

CMB uses your personal information for	CMB’s reasons for collecting, holding and using your data		CMB’s legitimate interests include
Serving you as a customer
·  Managing our relationship with you or your business; ·  Developing and carrying out marketing activities; ·  Studying how you use products and services provided by us and other organisations; ·  Communicating with you about our products and services; ·  Behaviour and personality analysis- meeting with you as a potential or existing customer to gather information to make a more suitable and personal relationship.	·  Your consent; ·  Fulfilling contracts; ·  Our legitimate interests; ·  Our legal duty.		·  Ensuring our records are up to date, working out which of our products and services may interest you and telling you about them; ·  Developing products and services and what we will charge for them; ·  Identifying & defining types of customers for new products or services; ·  Seeking your consent when we need it to contact you; ·  Being efficient about how we fulfil our legal and contractual duties.
Business improvement
·  Testing new products; ·  Managing how we work with other companies that provide services to us and our customers; ·  Developing new ways to meet our customers' needs and to develop our business.	·  Fulfilling contracts; ·  Our legitimate interests; ·  Our legal duty.		·  Developing products and services and what we will charge for them; ·  Identifying & defining types of customers for new products or services; ·  Being efficient about how we fulfil our legal and contractual duties.
Managing our operations
·  Delivering our products and services; ·  Making and managing customer payments; ·  Managing fees, charges and interest due on customer accounts; ·  The collection and recovery of money that is owed to us; ·  Managing and providing treasury and investment products and services.	·  Fulfilling contracts; ·  Our legitimate interests; ·  Our legal duty.		·  Being efficient about how we fulfil our legal and contractual duties; ·  Complying with rules and guidance from regulators.
Managing security, risk and crime prevention
·  Detecting, investigating, reporting, and seeking to prevent financial crime; ·  Managing risk for us and our customers; ·  Carrying out customer identity verification checks; ·  Obeying laws and regulations that apply to us; ·  Responding to complaints and seeking to resolve them.	·  Fulfilling contracts; ·  Our legitimate interests; ·  Our legal duty.		·  Developing and improving how we deal with financial crime, as well as complying with our legal duties in this respect; ·  Complying with rules and guidance from regulators; ·  Being efficient about how we fulfil our legal and contractual duties. ·  Detecting and preventing fraud, including any unauthorised access to customer accounts (e.g. when accessing accounts online or via our banking App).
Business management
·  Running our business in an efficient and proper way, including managing our financial position, business capability, planning, adding and testing systems and processes, managing communications, corporate governance and audit; ·  The exercising of our rights set out in agreements or contracts.	·  Our legitimate interests ·  Our legal duty; ·  Fulfilling contracts.		·  Complying with rules and guidance from regulators; ·  Being efficient about how we fulfil our legal and contractual duties.
Event organising and gifting
·  Hosting social events for potential customers or existing customers advertised via WeChat or WhatsApp; ·  Customer data is shared with third parties to arrange gifts and logistics.	·  Your consent; consent is required to authorise the transfer of customer data attending events to third parties organising the social events for gifting purposes.		·  Seeking your consent when we need it to contact you and advertise our social events.
For processing special categories of personal data
·  Substantial public interest		·  Using criminal records data to help prevent, detect, and prosecute unlawful acts and fraudulent behaviour; ·  Using criminal and health information as needed to provide insurance products.
·  Responding to regulatory requirements		·  Showing whether we have properly assessed your situation; ·  Passing information to the appropriate regulator as required to allow investigation into whether we have acted properly.
·  Legal claims		·  Using any special categories of data as required to establish, exercise or defend legal claims.
·  Consent		·  Telling you that we need your consent to process special categories of personal data, when that is what we rely on for doing so.

CMB may use a number of different kinds of personal information. In the following table these are grouped together and categorised in order for you to see what CMB may know about you. For example, CMB may obtain the data from seeing where you buy things. CMB does not use all this data in the same way although some of it is useful for marketing or for providing services to you. However, some of it is private and sensitive and CMB will treat it that way.

Type of personal information	Description
Contact Data	Your name, Address, telephone numbers and how to contact you.
Financial Data	Your financial position, status and history.
Socio-demographic Data	This includes details about your work or profession, nationality, education, source of wealth and where you fit into general social or income groupings.
Transactional Data	Details about payments into and out from your accounts with us and insurance claims you may make.
Contractual Data	Details about the products or services CMB provide you with.
Location Data	Data obtained about where you are. This may come from your mobile phone or the place where you connect a computer to the internet.
CCTV Data	There are CCTV cameras operating in the branch’s building for security and to safeguard the Branch premises.
Behavioural Data	Details about how you use products and services from us and other organisations. In some instances, CMB customers are gifted items from their partners, which involves data sharing in order to provide such a gift.
Technical Data	Details on the devices and technology you use. For example, if you use our banking App, we will collect data such as device model, device manufacturer, operating system, unique device identifier and device name.
Network Data	Internet Protocol (IP) address including mode, type and status of access to the network and network quality data.
Communications Data	What we learn about you from letters and emails you write to us and conversations between us.
Social Relationships Data	Your family, friends and other relationships.
Open & Public Records Data	Details concerning you that are in public records, for example, the Electoral Register and information about you that is openly available on the internet.
Usage Data	Other data about how you use our products and services, including via our banking App (e.g. operation logs and service logs).
Documentary Data	Details concerning you that are stored in documents in various formats or copies of them. For example, your ID card, passport, driving licence or birth certificate.
Special Data Types	The law and other regulations treat certain types of personal information as special. CMB will only collect and use these types of data if the law allows us to do so: ·  Racial or ethnic origin; ·  Religious, political or philosophical beliefs; ·  Trade union membership; ·  Genetic and bio-metric data, including facial image of staff; ·  Health data; ·  Lifestyle information, including data related to sex life or sexual orientation; ·  Criminal records of convictions and offences; ·  Allegations of criminal offences.
Consent Data	Any permissions, consents or preferences that you give us. This includes things like how you want us to contact you, whether you get paper statements, or prefer large-print formats and consent to invite you to social events.
National Identifier Data	A number or code given to you by a government to identify who you are, such as a National Insurance number or social security number, or Tax Identification Number (TIN)

CMB may collect personal information about you (or your business) from any of these sources:

• Data you provide us with;
• When you apply for our products and services
• When you talk to us on the phone or in a branch, including recorded calls and notes we make;
• When you use our websites or mobile device apps;
• In emails, WeChat and letters;
• In insurance claims or other documents;
• In financial reviews and interviews;
• In customer surveys;
• If you take part in our competitions or promotions.
• Data we collect when you use our services;
• This includes details about how and where you access our services and the account activity that is shown on your statement including:
• Transaction & payment data; including the amount, frequency, type, location, origin and recipients. If you borrow money, it also includes details of repayments and whether they are made on time and in full.
• Profile and usage data; including the security details you create and use to connect to our services including your settings and marketing choices. CMB also gathers data from the devices you use to connect to our digital banking services including via our banking App (e.g. Technical Data, Network Data and Usage Data for the purposes of identity verification and preventing unauthorised access including fraud prevention). CMB also use cookies and other internet tracking software to collect data while you are using our digital services. More information about this is available in our cookies policy.
• Data from outside organisations;
• Companies that introduce you to us;
• Financial advisers;
• Credit card providers;
• Credit reference agencies;
• Insurers;
• Retailers;
• Social networks;
• Fraud prevention agencies;
• Other financial services companies;
• Employers;
• Payroll service providers;
• Land agents;
• Public information sources such as the Electoral Register or Companies House;
• Agents, suppliers, sub-contractors and advisers;
• Market researchers;
• Government and law enforcement agencies.

CMB will keep your personal information for as long as you are a customer and may keep your data for up to 10 years after you stop being a customer. The reasons we may do this are:

• To respond to a question or complaint or to show whether we treated you fairly;
• To study customer data as part of our own internal research;
• To obey rules that apply to us about keeping records.

CMB may also keep your data for longer than 10 years if it cannot be deleted for legal, regulatory or technical reasons. As an example, in cases of subsidence (Subsidence is when a building becomes unsafe or damaged by ground sinking around it).

CMB will keep insurance claims data for up to 15 years after you stop being a customer.

CMB will only use your personal information for those purposes and will make sure that your privacy is protected.

Once CMB no longer need to retain your data, we will either: permanently delete or destroy the relevant data; archive your data so that it is beyond use; or anonymise the relevant data.

You can choose not to provide us with personal information but this will have implications.

CMB may need to collect personal information by law to enter into or fulfil a contract CMB has with you.

If you choose not to provide us this personal information it may delay or prevent us from fulfilling our contract with you or complying with our legal or regulatory obligations. It may also mean that we cannot maintain your accounts and also mean that we must cancel a product or service you have with us.

CMB may sometimes ask for information that is useful but not required by law or a contract. We will make this clear when we ask for it. You do not have to give us these extra details and it won't affect the products or services you have with us.

Cookies are small computer files that get sent down to your PC, tablet or mobile phone by websites when you visit them. They stay on your device and get sent back to the website they came from, when you go there again. Cookies store information about your visits to that website, such as your choices and other details. Some of this data does not contain personal details about you or your business but it is still protected by this Privacy Notice.

To find out more about how CMB uses cookies, please refer to our Cookie Policy.

You have several rights around use of your personal information. Following is a list of these rights, including a description and, if applicable, how to contact us about them. These rights do not apply in all scenarios.

The right to be informed

You have the right to be informed about the collection and use of your personal information. This means that we should provide you with details of how we use your personal information. This Data Privacy Notice is an example of this.

The right of access

You have the right to access a copy of all your personal information CMB holds about you, referred to as a Subject Access Request (SAR). Please see the “If you would like to get a copy of all the personal information we hold about you” instructions in Section 2.2.

The right to rectification

If you think the information CMB holds for you is wrong, incomplete or out of date you have the right to question any information CMB has about you that you think is incorrect. We will then take reasonable steps to check this for you and correct it.

If you want to do this you can visit the Branch or see Section 2.2.

The right to erasure

You have the right to have your personal information deleted or removed if there is no reason for us to keep it. This is also known as ‘the right to be forgotten’. There may be legal or other official reasons why we need to keep or use your personal information. If this is the case, we’ll explain our reasons to you.

Please see Section 2.2 and contact us if you think we shouldn’t be using it.

The right to restrict processing

You have the right to restrict processing of your personal information. This means it can only be used for certain things, such as legal claims or to exercise legal rights.

You can ask us to restrict the use of your personal information if:

• It is not accurate;
• It has been used unlawfully but you don’t want us to delete it;
• It is not relevant any more, but you want us to keep it for use in legal claims;
• You have already asked us to stop using your data but you are waiting for us to tell you if we are allowed to keep on using it.

If we do restrict your personal information in this way, we won’t use or share it in other ways while it is restricted. This means that we may not be able to provide you some of your products or services while the restriction is in place.

If you want to ask us to restrict how we use it, please see Section 2.2 and contact us to do this.

The right to data portability

You also have the right to get certain personal information from us as a digital file so you can use it yourself or give it to other organisations if you so choose. If you wish, we will provide it to you in an electronic format that can be easily re-used by yourself, or you can ask us to pass it on to other. Please see Section 2.2 and contact us to do this.

The right to object

You have the right to object to us using your personal information for marketing purposes, and we must act on this. You can also object to any use of your information where we have given ‘legitimate interest’ as our reason for using it. You must tell us the reason for the objection and how it affects you as an individual. We can refuse your objection if we can show that there are legal or other official reasons why we need to keep or use the information. If this is the case, we’ll explain our reasons to you. Please see the Section 2.2 and contact us if you want to object to us using your information.

Rights in relation to automated decision making and profiling

You have rights around automated decision making and profiling. Automated decision making means a decision made solely by automated means, without any human involvement. Profiling means the automated processing of your personal information to evaluate certain things about you.

You have the right to information about these kinds of processing, and the right to ask for human intervention or to challenge an automated decision. You can do this when an automated decision is made about you, or you can contact us to speak about this.

The right to withdraw consent

Where consent is our reason for using your personal information you have the right to withdraw that consent at any time. If you withdraw your consent, we may not be able to provide certain products or services to you. If this is the case, we’ll tell you. Please see Section 2.2 to speak to us about this.

If you would like to obtain a copy of all the personal information we hold about you

Please write to us at this address:

China Merchants Bank London Branch

18/F, 20 Fenchurch Street

London

EC3M 3BY

If you would like to contact our Data Protection Officer

Please refer to the contact details of our Data Protection Officer as above.

If you are unhappy with how we have used your personal information

You may contact us directly through our appointed Data Protection Officer whose contact details are above or alternatively follow the procedure detailed in our Complaint Procedures.

If you are not happy with the outcome of a complaint

You also have the right to complain to the regulator and to lodge an appeal.

If you are not happy with how we have handled your complaint

You also have the right to complain to the regulator, and to lodge an appeal if you’re not happy with the outcome of a complaint. In the UK this is the Information Commissioner’s Office. You may find out on their website how to report a concern.

Below are the types of organisation that CMB may share your personal information with in order that CMB can then provide you with products and services, run its business and comply with its legal and regulatory obligations.

Third parties who help us provide products or services

We work with third parties who provide products or services under our brand names. If you apply for one of these products, we may share information about you with the third party. If we want to share information in this way, we, or the third party will tell you before we do so.

Affiliates of CMB

CMB may share your personal information with its affiliated companies.

Government Authorities

This includes:

• Central and local governments
• HM Revenue & Customs, regulators and other tax authorities
• UK Financial Services Compensation Scheme and other deposit guarantee schemes
• Law enforcement and fraud prevention agencies

Banking and financial services

This includes outside companies CMB works with to provide services to you and to run its business.

• Agents, suppliers, sub-contractors and advisers;
• Agents who help us to collect what is owed to us;
• Credit reference agencies;
• Someone linked with you or your business’s product or service;
• Other financial services companies to help prevent, detect and prosecute unlawful acts and fraudulent behaviour;
• Independent Financial Advisors;
• Employers;
• Companies you ask us to share your data with.

Insurers

CMB shares personal information with insurance industry companies to process claims and help reduce fraud. If you apply for insurance through CMB we may pass your personal or business details to the insurer.

Other services and schemes

Organisations that we may need to share your personal information with because of what you can do with the product or service you receive from us.

• If we provide you with a debit or credit card we will share transaction details with companies which help us to provide this service for example, Visa MasterCard.
• If you use direct debits we will share your data with the Direct Debit scheme.
• If you have a product with benefits such as travel insurance we will share your data with the benefit providers.
• If you have a secured loan or mortgage with us we may share information with other lenders who also hold a charge on the property.

General business requirements

Outside companies CMB uses to help grow and improve its business, including:

• Market researchers, we may send data which these firms combine with data from other sources to produce market trend reports and advice.
• Advisers who help us to come up with new ways of doing business, this might be a legal firm, IT supplier or consultancy.
• Company mergers and takeovers, we may also share your personal information if the make-up of CMB changes in the future:
• CMB may choose to sell, transfer, merge parts of its business or assets or may try to bring other businesses into CMB.
• During any such process CMB may share your data with other parties involved. CMB will only do this if they agree to keep your data safe and private.
• If the change to CMB happens then other parties may use your data in the same way as set out in this notice.

CMB may use your personal information to make decisions about what products, services and offers we think you may be interested in.

CMB can only use your personal information to send you marketing messages if it has either your consent or a ‘legitimate interest’. That is when CMB has a business or commercial reason to use your information. It must not conflict unfairly with your own interests.

As noted above the personal information CMB has for you is made up of what you tell us and data collected when you use our services or from outside organisations CMB works with. We study this to form a view on what we think you may want or need or what may be of interest to you. This is how we decide which products or services may be relevant for you.

This is called profiling for marketing purposes. You can contact us at any time and ask us to stop using your personal information this way.

If you allow it we may show or send you marketing material online via our own and other websites including social media or by email, mobile phone or post.

What you get will depend on marketing choices that you set. You can change these at any time and tell us to stop sending you marketing.

ou can also tell us not to collect data while you are using our websites or mobile apps. If you do, you will still see some marketing but it will not be tailored to you. See our Cookies Policy for details about how we use this data to improve our websites and mobile apps.

Whatever you choose you will still receive statements and other important information such as changes to your existing products and services.

CMB does not sell the information we have about you to outside organisations.

We may ask you to confirm or update your choices if you take out any new products or services with us in future. We will also ask you to do this if there are changes in the law, regulation or the structure of our business.

If you change your mind you can contact us to update your choices at any time.

CMB sometimes use systems to make automated decisions about you or your business. This helps us to make sure our decisions are quick, fair, efficient and correct and based on what we know. Automated decisions can affect the products, services or features CMB may offer you now or in the future or the price that CMB charges you for them. They are based on personal information that CMB has or is allowed to collect from others.

The following are the types of automated decisions CMB may make:

Pricing

CMB may decide what to charge for some products and services based on what we know.

Tailoring products, services and marketing

CMB may place you in groups with similar customers called customer segments. We use these to study and learn about our customers’ needs and to make decisions based on what we learn. This helps us to design products, services and offers for different customer segments and to manage our relationships with them. It also helps us tailor the marketing that individuals receive or are shown on our website and social media.

Detecting fraud

CMB uses your personal information to help decide if your personal or business accounts may be being used for fraud or money-laundering. We may detect that an account is being used in ways that fraudsters work or we may notice that an account is being used in a way that is unusual for you or your business. If we think there is a risk of fraud we may stop activity on the accounts or refuse access to them.

Account opening

When you open an account with CMB we check that the product or service is relevant for you based on what we know. We also check that you or your business meet the conditions needed to open the account. This may include checking age, residency, nationality or financial position.

Credit approval

We use a system to decide whether to lend money to you or your business when you apply for credit such as a loan. This is called credit scoring. It uses past data to assess how you’re likely to act while paying back any money you borrow. This includes data about similar accounts you may have had before. Credit scoring uses data from three sources:

• Your application form;
• Credit reference agencies;
• Data CMB may already hold.

It gives an overall assessment based on this. Banks and other lenders use this to help us make responsible lending decisions that are fair and informed. Credit scoring methods are tested regularly to make sure they are fair and unbiased.

Your rights over automated decisions

As a person you have rights over automated decisions.

• You can ask that we do not make our decision based on the automated score alone;
• You can object to an automated decision and ask that a person reviews it.

If you want to know more about these rights please contact us.

CMB undertakes credit and identity checks when you apply for a product or services for you or your business. CMB may use Credit Reference Agencies to help with this.

If you use our services from time to time we may also search information that the CRAs have in order to help us manage those accounts. CMB will share your personal information with CRAs and they will give us information about you. The data we exchange can include:

• Name, address and date of birth;
• Credit application;
• Details of any shared credit;
• Financial situation and history;
• Fraud prevention information;
• Public information, from sources such as the Electoral Register and Companies House.

CMB will use this data to:

• Assess whether you or your business is able to afford to make repayments;
• Make sure what you’ve told us is true and correct;
• Help detect and prevent financial crime;
• Manage your accounts with us;
• Trace and recover debts;
• Tell you about relevant offers.

CMB will continue to share your personal information with CRAs for as long as you are a customer. This will also include details of funds going into the account and the account balance. If you borrow it will also include details of your repayments and whether you repay in full and on time. CMB will also tell the CRAs when you settle your accounts. The CRAs may give this information to other organisations that want to check your credit status.

When we ask CRAs about you or your business the CRA will note it on your credit file and other lenders may see this. Additionally, we may see credit searches from other lenders.

If you apply for a product with someone else CMB will link your records with those of the CRAs. CMB will do the same if you tell us you have a spouse, partner or civil partner or that you are in business with other partners or directors.

You should tell them about this before you apply for a product or service. It is important that they know your records will be linked together and that credit searches may be made on them.

The CRAs will also link your records together. These links will stay on your files unless one of you asks the CRAs to break the link. You will normally need to give proof that you no longer have a financial link with each other.

You can find out more about the CRAs on their websites, in their Credit Reference Agency Information Notice. This includes details about:

• Who they are;
• Their role as fraud prevention agencies;
• The data they hold and how they use it;
• How they share personal information;
• How long they can keep data;
• Your data protection rights.

Below are links to the information notice (CRAIN) for each of the three main UK-based CRAs:

Callcredit Equifax Experian

This section deals with information we share outside CMB group to help fight financial crime including fraud, money-laundering and terrorist financing.

We may need to confirm your identity before we provide products or services to you or your business. This may include carrying out fraud checks at the point of sale.

Once you have become a customer of ours, we will share your personal information as needed to help combat fraud and other financial crime. The organisations we share data with are:

• Registered Fraud Prevention Agencies (FPAs);
• Other agencies and bodies acting for the same purpose;
• Industry databases used for this purpose;
• Insurers.

Throughout our relationship with you we and these organisations exchange data between ourselves to help prevent, deter, detect and investigate fraud and money-laundering.

None of us can use your personal information unless we have a proper reason to do so. It must be needed either for us to obey the law or for a ‘legitimate interest’.

As noted above when we have a business or commercial reason of our own to use your information this is called a ‘legitimate interest’. We will tell you what that is, if we are going to rely on it as the reason for using your data. Even then, it must not unfairly go against your interests.

We will use the information to:

• Confirm identities;
• Help prevent fraud and / or money-laundering;
• Fulfil any contracts you or your business has with us.

We or an FPA may allow law enforcement agencies to access your personal information. This is to support their duty to prevent, detect, investigate and prosecute crime.

These other organisations can keep personal information for different lengths of time, up to six years.

These are some of the kinds of personal information that we use:

• Name
• Date of birth
• Residential address
• History of where you have lived
• Contact details, such as email addresses and phone numbers
• Financial data
• Whether you have been a victim of fraud
• Data about insurance claims you have made
• Data relating to your or your businesses products or services
• Employment details
• Vehicle details
• Data that identifies computers or other devices you use to connect to the internet. This includes your Internet Protocol (IP) address.

The information we have for you or your business is made up of what you tell us and data we collect when you use our services or from third parties we work with. When you access your account (online or via our banking App), we will undertake customer identity verification checks using Technical Data and Network Data and will analyse Usage Data in order to detect and prevent fraud.

CMB and other organisations acting to prevent fraud may also process your personal information in systems that look for fraud by studying patterns in the data. We may find that an account or policy is being used in ways that fraudsters work or we may notice that an account is being used in a way that is unusual for you or your business. Either of these could indicate a risk that fraud or money-laundering may be carried out against a customer, the bank or the insurer.

If we or an FPA decide there is a risk of fraud, we may stop activity on the accounts or block access to them. FPAs and cross-industry organisations may also keep a record of the risk that you or your business may pose. This may result in other organisations refusing to provide you with products or services, or to employ you.

FPAs and other organisations we share data with for these purposes may send personal information to countries outside the UK. When they do, there will be a contract in place to make sure the recipient protects the data to the same standard as the UK. This may include following international frameworks for making data sharing secure.

This section tells you about the safeguards that keep your personal information safe and private, if it is sent outside the UK. Please note we will only send your data outside of the UK to:

• Follow your instructions;
• Comply with a legal duty;
• Work with other parts of CMB to run your accounts and services;
• Work with our suppliers who help us to run your accounts and services.

Where we do transfer your personal information outside the UK including to our suppliers or third parties, we will make sure that it is protected to the same extent as in the UK. We will use one of these safeguards:

• Transfer it to a country outside of the UK with privacy laws that give the similar protections as the UK;
• Put in place a contract with the recipient that means they must protect it to the same standards as the UK. For example, we have a contract in place for transfers of your personal data from the UK to China that take place within CMB.

You can get more details about the protection of your personal information when it is transferred outside of the UK by contacting us using the details in the “2, Contacting us about data privacy” section of this Privacy Notice. You can also discover more about the rules on data transfers out of the UK on the ICO Website.