The European Union is changing its Data Protection regulation.

The European Union General Data Protection Regulation (EU GDPR) establishes a uniform data protection law across the European Economic Area (EEA) and aims to protect the privacy and use of EEA residents’ personal data in an increasingly digital world. As such, we (National Australia Bank) are required to comply with the EU GDPR since we process personal data relating to EEA residents.

The EU GDPR becomes effective from 25 May 2018.

Protecting your personal data

We take the protection of your personal data very seriously and are pleased to provide you with our amended EU GDPR Privacy Statement as outlined below:

Privacy statement

We respect your personal information and this privacy notice explains how we handle it and your privacy rights. We take appropriate measures to ensure NAB can engage securely with and for our customers.

Scope

This notice applies to the collection and processing of your personal information (including credit information) if you are in a country that is a member of the European Economic Area (EEA) by or on behalf of National Australia Bank Ltd ABN 12 004 044 937 and its related companies ('we', 'us', 'NAB', the ‘Group’). This includes all the banking, financing, funds management, financial planning, superannuation, insurance, broking and e-commerce organisations in the Group. For further information about these Group members see www.nab.com.au.

This notice tells you how we collect and process your personal information and the legal basis for processing it, what we use it for and who we share it with. It also explains particular rights you have in relation to the processing of your personal information and reflects some key features of our Privacy Policies available at www.nab.com.au/privacy.

We are grateful for the trust and confidence you have in us to safeguard your privacy.

Contact us

We care about your privacy and welcome your feedback. Please contact us if you have any questions or comments about this notice, our Group privacy policies and procedures, or you wish to exercise the rights you have under applicable privacy laws, which are explained further below.

You can contact us by:

• submitting an online Compliments, Suggestions or Complaints form

• calling our contact centre on + 61 3 8641 9083.
(Hearing impaired customers can call TTY National Relay Service 1300 555 727)

• using our feedback email address feedback@nab.com.au

Office of the Data Protection Officer, and NAB’s compliance with the GDPR


NAB's ‘Office of the Data Protection Officer’ monitors and advises on compliance with the EU General Data Protection Regulation 2016/679 (the 'GDPR') which applies to NAB when processing the personal information of individuals (data subjects) who are in countries in the EEA in relation to offering them NAB's products or services or monitoring their behaviour when in those countries.

The contact details of NAB's ‘Office of the Data Protection Officer’ are as follows:
The Office of the Data Protection Officer,
National Australia Bank Limited
Level 1 800 Bourke Street,
Docklands
Melbourne
Victoria 3008 Australia.

Email: The.office.of.the.DPO@nab.com.au

The NAB Group is a data controller for our website and services provided through our website at the address shown above.

Categories of personal data

The categories of information that we collect from other sources include:

  • Identity verification (from government agencies, background checking companies) to protect you against fraud;
  • Credit reports (from credit checking agencies);
  • Referee checks (loan application - from current and former employers, landlords, real estate agents, or other referees);
  • Financial history (including becoming insolvent / bankrupt);
  • Property information (in relation to loan applications, valuers, agents, referrers, brokers, mortgage managers, solicitors, conveyancers and settlement agents);
  • Organisations involved in the securitisation of our loans such as loan servicers, trust managers, trustees and security trustees.

Sources of personal data

Sometimes we collect information about you from other sources. We may collect information about you that is publicly available (for example from public registers or social media) or made available by third parties.

For instance, we do this where:

  • we distribute or arrange products on behalf of others, including our business partners;
  • we can’t get hold of you and need to update your contact details;
  • we need information from third parties about an application you make through us;
  • we need information for fraud prevention purposes;
  • we are checking the security you are offering;
  • we can learn insights about your financial needs, such as through property information;
  • you have consented to third parties sharing it with us, such as organisations we have loyalty programs with or we sponsor;
  • at your request, we exchange information with your legal or financial advisers or other representatives.

We may use or disclose information about you in order to combine the information that we hold with information collected from or held by external sources. We do this in order to enable the development of customer insights about you so that we can serve you better. This includes being able to better understand your preferences and interests, personalise your experience, enhance the products and services you receive, and to tell you about products and services that may be of interest to you.

Where those insights are provided to others, such insights are based on aggregated information and do not contain any information that identifies you. We may also use service providers to undertake the process of creating these consumer insights.

How we use and process the personal information we collect about you

We may use and process your information to:

  • perform our contract with you and respond to your related requests;
  • provide you with the product or service you asked or applied for, or in order to respond to your request before we provide the product or service (e.g. checking your information with others on your request) including to give you information about the product or service including financial help, guidance and advice;
  • consider whether you are eligible for a product or service you have asked for, including identifying or verifying you or your authority to act on behalf of a customer;
  • process your application and provide you with a product or service;
  • administer the product or service we provide you, which includes answering your requests and complaints, varying products and services, and managing our relevant product portfolios;
  • determine whether a beneficiary will be paid a benefit.

In connection with our legitimate interests in carrying on our business

We may use your information for our legitimate interests (where we have considered these are not overridden by your rights and which you have the right to object to as explained below) in:

  • identifying opportunities to improve our service to you and improving our service to you;
  • conducting market research to serve you better by understanding your preferences to ensure we send you appropriate promotions and campaigns;
  • assisting in arrangements with other organisations (such as loyalty program partners) in relation to a product or service we make available to you;
  • allowing us to run our business and perform administrative and operational tasks (such as training staff, risk management; developing and marketing products and services, undertaking planning, research and statistical analysis; and systems development and testing);
  • verifying identity, preventing or investigating any fraud or crime, or any suspected fraud or crime.

Under a legal obligation

We may also use and process your personal information where we are required by applicable laws, regulations or codes that bind us, in particular as a financial institution. These include company and tax law and Australian anti-money laundering law which require us to verify your identity.

With your consent

Where required under GDPR, we will only use your personal information for the purpose for which you have given your valid or explicit consent, which we will ensure we have obtained before we process your information.
Some information you provide us in connection with your application for or the administering of a product or service we provide you, may be more sensitive and therefore falls within a special category of personal information, such as health information. We will collect and process this information only with your explicit consent.

For direct marketing

With your consent where required by law, we may communicate with you (through the preferred communication channel(s) you have selected, which may include by email, telephone, SMS, iM, mail, or any other electronic means including via social networking forums) to:

  • tell you about other Group products, services and offers that may be of interest to you;
  • run competitions and other promotions.

If you have provided your consent to receive direct marketing, you can withdraw it at any time without detriment; we will process your request as soon as practicable.

Where you have subscribed to something specific (like hearing from one of our sponsored organisations) then these subscriptions will be managed separately.

If you no longer wish to receive these emails you may log into Internet Banking, and update your preferences.

Go to www.nab.com.au/unsubscribe or click the unsubscribe link included in the footer of our emails, or call us.

How we use your credit information

In addition to the basis on which we use and process your personal information described above, we may also use and process your credit information (which may be for our legitimate interest, or with your consent or to perform a contract we have with you) to:

  • enable a mortgage insurer or title insurer to assess the risk of providing insurance to us or to address our contractual arrangements with the insurer;
  • assess whether to accept a guarantor or the risk of a guarantor being unable to meet their obligations;
  • consider hardship requests;
  • assess whether to securitise loans and to arrange the securitising of loans.

When the law authorises or requires us to collect information

We may collect information about you via application forms, online, or in person, because we are required or authorised by law to collect it, or where a contractual requirement exists, or the collection is necessary in order to enter into a contract with you.

There are laws that affect financial institutions, including company and tax law which require us to collect personal information.

For example, we require personal information to verify your identity under Commonwealth Anti-Money Laundering law.

What happens if you don’t provide your information to us?

If you don’t provide your information to us, we may not be able to:

  • provide you with the product or service you want;
  • respond to your requests;
  • manage or administer your product or service;
  • personalise your experience with us;
  • verify your identity or protect against fraud; or
  • let you know about other products or services from our Group that might better meet your financial, e-commerce and lifestyle needs.

You have the right not to be subject to a decision by NAB made solely by automated processing. NAB may use automated processing (including profiling) but does not make decisions about you only on this basis.

Sharing your information

We may share your information with other organisations consistent with the purposes for which we use and process your information as described above. This includes with the entities described below.

Sharing with the Group

We may share your personal information with other Group members. This could depend on the product or service you have applied for and the Group member you are dealing with. Where appropriate we integrate the information we hold across the Group to provide us with a complete understanding of you and your needs in connection with the product or services we are providing you, including giving you access to the Group or related products you hold via Internet Banking.

Sharing with MLC Limited

NAB acts for MLC Limited ABN 90 000 000 402 (described as MLC Life Insurance) in distributing their life insurance products.

MLC Limited is no longer part of the NAB Group of companies.

We may exchange your personal information with MLC Limited or their service providers in order to administer and manage your life insurance products that are issued by them and respond to your requests for assistance which includes to ensure:

  • your insurance premium is calculated correctly (balance information may be required to be shared so your insurance can be calculated) and where authorised, make payments on your behalf to MLC Limited;
  • insurance claims and benefits are paid;
  • insurance products are viewable to service customer contact (this includes showing your insurance products in NAB Internet Banking if you have a NAB Internet Banking ID);
  • we can transfer you to the right service centre;
  • to handle your complaint (where appropriate, NAB and MLC Limited may cooperate in order to do so);
  • being able to provide assistance should you wish to speak about your MLC Limited products held (for example, where possible, we may assist by updating contact details on request).

Some of the information exchanged will be stored and visible within NAB Group customer databases; with some of these databases being accessible to MLC Limited for a transition period. All information stored in these databases is subject to this notice and our Privacy Policy as well as NAB Group’s security procedures and controls.

Sharing at your request

At your request, we will share your personal information with your representative or any person acting on your behalf (for example, financial advisers, lawyers, settlement agents, accountants, executors, administrators, trustees, guardians, brokers or auditors) and your referee such as your employer (to confirm details about you).

Sharing with Credit Reporting bodies

When we’re checking your credit worthiness and at other times, we might share information about you with credit reporting bodies who may retain a record of that check.

When we give your information to a credit reporting body, it may be included in reports that the credit reporting body gives other organisations (such as other lenders) to help them assess your credit worthiness.
Some of the information that we give to credit reporting bodies may reflect adversely on your credit worthiness, for example, if you fail to make payments or if you commit a serious credit infringement (like obtaining credit by fraud). That sort of information may affect your ability to get credit from other lenders.

Your personal information may also be shared with credit reporting bodies or other approved third parties who are authorised to assess the validity of identification information. These checks help us verify whether your identity is real and are not a credit check.

As outlined above, when we’re checking your credit worthiness and at other times, we might collect information about you from and give it to one or more credit reporting bodies.

The contact details of the credit reporting bodies we use are outlined below.

Each credit reporting body has a credit reporting policy about how they handle your information.

You can obtain copies of these policies at their websites.

Dun & Bradstreet Australia www.checkyourcredit.com.au
Dun & Bradstreet’s credit reporting policy is set out at http://dnb.com.au/privacy-policy.html
Phone: 1300 734 806 Mail: Public Access Centre Dun & Bradstreet Australia, PO Box 7405 St Kilda Road VIC 3004

Experian Australia www.experian.com.au
Experian’s credit reporting policy is set out at www.experian.com.au/credit-services-privacy.html
Phone: 1300 783 684 Mail: Consumer Support Experian Australia, PO Box 1969, North Sydney NSW 2060

Equifax (previously known as Veda) www.mycreditfile.com.au
Equifax's credit reporting policy is set out at www.equifax.com.au/privacy.

Sharing with third parties

We may disclose your personal information to third parties outside of the Group including to help us run our sites, many of whom are based outside the EEA with the majority based in Australia. These third parties include:

  • those involved in providing, managing or administering your product or service;
  • authorised representatives of the NAB Group who sell products or services on our behalf;
  • credit reporting bodies or other approved third parties who are authorised to assess the validity of identification information;
  • insurance, investment, superannuation and managed funds organisations, and their advisers and service providers;
  • medical professionals, medical facilities or health authorities who verify any health information you may provide where necessary for insurance purposes;
  • real estate agents, valuers and insurers (including lenders’ mortgage insurers and title insurers), re-insurers, claim assessors and investigators;
  • brokers or referrers who refer your application or business to us;
  • other financial institutions, such as banks, as well as guarantors and prospective guarantors of your facility;
  • organisations involved in debt collecting, including purchasers of debt;
  • fraud reporting agencies (including organisations that assist with fraud investigations and organisations established to identify, investigate and/or prevent any fraud, suspected fraud, crime, suspected crime, or misconduct of a serious nature);
  • organisations involved in surveying or registering a security property or which otherwise have an interest in such property;
  • organisations we sponsor and loyalty program partners, including organisations the NAB Group has an arrangement with to jointly offer products or has an alliance with to share information for marketing purposes;
  • companies we arrange or distribute products for, such as insurance products;
  • rating agencies to the extent necessary to allow the rating agency to rate particular investments;
  • any party involved in securitising your facility, including the Reserve Bank of Australia (sometimes this information is de-identified), re-insurers and underwriters, loan servicers, trust managers, trustees and security trustees;
  • service providers that maintain, review and develop our business systems, procedures and technology infrastructure, including testing or upgrading our computer systems;
  • payments systems organisations including merchants, payment organisations and organisations that produce cards, cheque books or statements for us;
  • our joint venture partners that conduct business with us;
  • organisations involved in a corporate re-organisation or transfer of NAB Group assets or business;
  • organisations that assist with our product planning, analytics, research and development;
  • mailing houses and telemarketing agencies and media organisations who assist us to communicate with you including for direct marketing purposes with your consent, including media or social networking sites;
  • other organisations involved in our normal business practices, including our agents and contractors, as well as our accountants, auditors or lawyers and other external advisers (e.g. consultants and any independent customer advocates); and
  • government or regulatory bodies (including the Australian Securities and Investment Commission and the Australian Tax Office) as required or authorised by law (in some instances these bodies may share it with relevant foreign authorities).

Sharing outside of Australia

We run our business in Australia and overseas.

We will not share any of your credit information with a credit reporting body unless it has a business operation in Australia.

We are not likely to share credit eligibility information (that is, credit information we obtain about you from a credit reporting body or that we derive from that information) with organisations unless they have business operations in Australia. In the event that NAB seeks assistance from a related company to manage defaulting loans, we may need, as a consequence, to disclose credit eligibility information to the Bank of New Zealand, located in New Zealand. In this instance we are likely to share other credit information about you with organisations outside Australia.

We may need to share some of the information (including credit information) we collect about you from the EEA with organisations both inside and outside Australia; sometimes we may need to ask you before this happens.

You can view a list of the countries in which those overseas organisations are located at our overseas country list.

We may store your information in cloud or other types of networked or electronic storage. As electronic or networked storage can be accessed from various countries via an internet connection, it’s not always practicable to know in which country your information may be accessed or held.

If your information is stored in this way, disclosures may occur in countries other than those listed.

If we or our service providers transfer any of your personal information we collect from you out of the EEA, it will only be done with relevant protections in place. We will take steps to ensure that your personal information will be afforded the level of protection required of us under and in accordance with our Privacy Policy and applicable data protection laws and in accordance with current legally recognised data transfer mechanisms, such as where the country has been deemed adequate by the European Commission, where a valid Privacy Shield certification exists (in the case of a data transfer to a Privacy Shield certified US recipient; see https://www.privacyshield.gov/welcome) or by adopting appropriate EC approved standard contractual clauses (see https://ec.europa.eu/info/law/law-topic/data-protection_en).

If you wish to know whether or not the country to which the overseas disclosure is intended to be made has been deemed adequate by the European Commission, please refer to the European Commission's website.

Overseas organisations may be required to disclose information we share with them under an applicable foreign law.

What happens when we no longer need your information?

We’ll only keep your information for as long as we require it for our purposes.

We’re required to keep some of your information for certain periods of time under law, such as the Corporations Act, the Anti-Money Laundering & Counter-Terrorism Financing Act, and the Financial Transaction Reports Act for example. When we no longer require your information, we’ll ensure that your information is destroyed or de-identified.

We are required to keep your information for 7 years from the closure of accounts, or 10 years from the termination of superannuation facilities, or otherwise as required for our business operations or by applicable laws.

We may need to retain certain personal information after we cease providing you with products or services to enforce our terms, for fraud prevention, to identify, issue or resolve legal claims and/or for proper record keeping.


We may also retain a record of any stated objection by you to receiving Group marketing for the purpose of ensuring we can continue to respect your wishes and not contact you further, including if you hold MLC Limited products and you are excluded from NAB Group campaigns marketing MLC Limited products.

Your personal information rights

How to access your information
Subject to applicable laws, you have the right to access your personal information and to receive a copy of that information.

You can ask us to access your personal information that we hold by filling out the Personal Information Access form or emailing EU.GDPR.Operations@nab.com.au

You can also ask that personal information provided by you to us is transmitted to another party.

See ‘Contact Us’ if you would like a copy of the form to be sent out to you.
We may need to verify your identity to respond to your request. We will respond to any request within a reasonable period permitted under applicable privacy laws and will generally give access unless an exemption applies to certain information.

We will give you access to your information in the form you want it where it’s reasonable and practical (for example we can give you a disk recording of a phone call you had with us). We may charge you a small fee under certain circumstances to cover our costs when giving you access but we’ll always confirm this with you first.

If we can’t give you access, we will tell you why in writing and how you can make a complaint about our decision.

If you have concerns, you can complain. See ‘Contact Us’.

How to correct your personal information

You have the right to correction (rectification) of personal information and can contact us if you think there is something wrong with the information we hold about you.

If you are worried that we have given incorrect information to others, we will tell them about the correction. If we can’t, then we’ll let you know in writing.

Your right to erasure of your information

You also have in certain circumstances the right to request that the personal information that NAB collects from you is erased. If we refuse any request you make in relation to this right, we will tell you why in writing and how you can make a complaint about our decision.

Your right to object to or restrict processing of your information

You may also request that further processing of your personal information is restricted in certain circumstances, including while we investigate your concerns with this information.

How to access your credit eligibility information

Where you request access to credit information that NAB obtained from credit reporting bodies or which is based on that information, we will:

• provide you access to the information within 30 days (unless unusual circumstances apply); and
• ask you to check with credit reporting bodies what information they hold about you to ensure it is accurate and up-to-date.

If we can’t give you access, we will tell you why in writing and how you can make a complaint about our decision. If you have concerns, you can complain to our external dispute resolution scheme, the Financial Ombudsman Service (FOS) or the Australian Information Commissioner or the relevant data protection authority such as the Office of the UK Information Commissioner.

Correcting your credit information

Whether we made the mistake or someone else made it, we are required to help you correct the information within 30 days. If we can’t make a correction in that timeframe, we will ask you for extra time. We also might need to talk to others in order to process your request. The most efficient way for you to make a correction request is to ask the organisation which made the mistake.

Whether we’re able to correct the information or not, we’ll let you know within five business days of deciding to do this. If we can’t, we will provide reasons. We’ll also let the relevant third parties know as well as any others you tell us about. If there are any instances where we can’t do this, then we’ll let you know in writing. If you have any concerns, you can access the Financial Ombudsman Service or make a complaint to the Australian Information Commissioner or the relevant data protection authority such as the Office of the UK Information Commissioner.

Right to object to data processing and right to data portability

You also have in certain circumstances the right to request that the further processing of your information is restricted or to object to its processing and the right to data portability (to receive and have transferred the information you provided). If we refuse any request you make in relation to this right, we will write to you to explain why and how you can make a complaint about our decision.

Right to withdraw consent

You can let us know at any time if you no longer wish to receive direct marketing updates from the Group. We will process your request as soon as practicable. Where you have subscribed to something specific (like to hear from one of our sponsored organisations) then these subscriptions will be managed separately.


You may also withdraw your consent where provided or object to the further processing of your personal information under certain circumstances. If we refuse any request you make in relation to this right, we will write to you to explain why and how you can make a complaint about our decision.

The withdrawal of your consent will not affect the processing of your information that you had consented to.

How do you make a complaint?

If you have a complaint about how we handle your personal information, we want to hear from you. You are always welcome to contact us. We are committed to resolving your complaint and doing the right thing by our customers. We aim to resolve complaints as quickly as we can, and you should hear from us within five business days (see ‘Contact Us’).


If you still feel your issue or request hasn't been resolved to your satisfaction, then you can escalate your privacy concern (see ‘Contact details for escalating complaints’) and you have the right to make a complaint to the relevant data protection authority (for example in the place you reside or where you believe we breached your rights).

What about complaints relating to credit information?

We will let you know how we will deal with your complaint within seven days.
If we can’t fix things within 30 days, we’ll let you know why and how long we think it will take. We will also ask you for an extension of time to fix the matter. If you have any concerns, you may choose to complain to the Financial Services Ombudsman or the Office of the Australian Commissioner or the relevant data protection authority such as the Office of the UK Information Commissioner.


If your complaint relates to how we handled your access and correction requests you may take your complaint directly to the Financial Ombudsman Service or the Office of the Australian or UK Information Commissioner. You are not required to let us try to fix it first.

Contact details for escalating complaints

Need more help?


Financial Ombudsman Service (in Australia)
• Online: www.fos.org.au
• Phone: 1800 367 287
• Email: info@fos.org.au


Office of the Australian Information Commissioner
• Online: www.oaic.gov.au/privacy
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au


Office of the UK Information Commissioner
• Online: www.ico.gov.uk
• Phone: 0303 123 1113
• Live chat: https://ico.org.uk/global/contact-us/live-chat

Contact us

For more information call our contact centre on + 61 3 8641 9083 and select the option to speak to a Customer Service Representative or visit us at nab.com.au

For more information about privacy in general, you can visit the Office of the Information Commissioner’s website ico.gov.uk

Hearing impaired customers with telephone typewriters can contact us on National Relay Service 1300 555 727