GDPR Compliance Overview

Last reviewed: 2025-06-15
Owner: Data Protection Office

1. Purpose

This policy (Ref: COMP-DP-001) provides an overview of the Bank's compliance framework for the EU General Data Protection Regulation (Regulation (EU) 2016/679) and applicable national data protection legislation. It ensures that the Bank processes personal data lawfully, fairly, and transparently across all business operations.

2. Scope

This policy applies to all processing of personal data by the Bank, whether in its capacity as a data controller or data processor. It covers all employees, contractors, third-party service providers, and any party processing personal data on behalf of the Bank, across all jurisdictions.

3. Data Protection Principles

The Bank adheres to the following core principles as defined in Article 5 of the GDPR:

Principle: Description

Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimisation: Data collected must be adequate, relevant, and limited to what is necessary for the purposes of processing.
Accuracy: Personal data must be accurate and, where necessary, kept up to date.
Storage Limitation: Data must be kept in a form that permits identification of data subjects for no longer than is necessary.
Integrity and Confidentiality: Data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Accountability: The Bank must be able to demonstrate compliance with all of the above principles.

4. Lawful Bases for Processing

The Bank relies on the following lawful bases for processing personal data, depending on the nature and purpose of the processing activity:

  • Contractual necessity — Processing required for the performance of a contract with the data subject (e.g., account opening, loan processing).
  • Legal obligation — Processing required to comply with a legal obligation (e.g., AML/KYC requirements, tax reporting).
  • Legitimate interest — Processing necessary for the legitimate interests of the Bank, provided such interests are not overridden by the data subject's rights (e.g., fraud prevention, internal analytics).
  • Consent — Where no other lawful basis applies, explicit consent is obtained from the data subject (e.g., marketing communications).
  • Vital interests — Processing necessary to protect the vital interests of the data subject or another natural person.
  • Public interest — Processing necessary for the performance of a task carried out in the public interest.

5. Data Subject Rights

The Bank respects and facilitates the exercise of the following data subject rights:

  • Right of access (Article 15).
  • Right to rectification (Article 16).
  • Right to erasure / right to be forgotten (Article 17).
  • Right to restriction of processing (Article 18).
  • Right to data portability (Article 20).
  • Right to object (Article 21).
  • Rights in relation to automated decision-making and profiling (Article 22).

All data subject requests must be acknowledged within three (3) business days and fulfilled within one (1) calendar month of receipt. Refer to COMP-DP-002 for the DSAR procedure.

6. Governance

  • Data Protection Officer (DPO) — The Bank has appointed a Group DPO in accordance with Article 37 of the GDPR. The DPO provides independent advice on data protection matters and monitors compliance.
  • Data Protection Office — Operational team supporting the DPO in the execution of the Bank's data protection programme.
  • Data Owners — Senior managers in each business unit are designated as Data Owners, accountable for the lawful and compliant processing of data within their domain.

7. Breach Notification

Personal data breaches must be reported to the Data Protection Office within twelve (12) hours of discovery. The DPO will assess the breach and, where required, notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay, in accordance with Articles 33 and 34 of the GDPR.

8. Review

This policy is reviewed annually by the Data Protection Office. Next review: Q1 2027.