Data protection regulation – UK and EU

For more information read our amended NAB Privacy Statement (UK and EU) (PDF, 229KB).

Data protection law requires us to manage all personal information in accordance with the data protection principles. We (National Australia Bank) are committed to protecting your privacy.

Protecting your personal data

We take the protection of your personal data very seriously, and are pleased to provide you with our amended Privacy Statement (UK and EU) as outlined below:

  • This notice applies to the collection and processing of your personal information (including credit information) if you are in the United Kingdom or a country that is a member of the European Economic Area (EEA) by or on behalf of National Australia Bank Ltd ABN 12 004 044 937 and its related companies (‘we’, ‘us’, ‘NAB’, the ‘Group’). This includes all the banking, financing, funds management, financial planning, superannuation, insurance, broking and e-commerce organisations in the Group. For further information about these Group members see our website.

    This notice tells you how we collect and process your personal information and the legal basis for processing it, what we use it for and who we share it with. It also explains particular rights you have in relation to the processing of your personal information and reflects some key features of our Privacy Policies.

    We are grateful for the trust and confidence you have in us to safeguard your privacy. 

  • We care about your privacy and welcome your feedback. Please contact us if you have any questions or comments about this notice, our Group privacy policies and procedures, or you wish to exercise the rights you have under applicable privacy laws, which are explained further below.

    You can contact us by:

  • NAB’s Global Privacy Office and its Data Protection Officer monitor and advise on compliance with global privacy laws including the UK’s Data Protection Act (2018) (DPA) and the EU General Data Protection Regulation 2016/679 (the ‘GDPR’) which applies to NAB when processing the personal information of individuals (data subjects) who are in countries in the EEA in relation to offering them NAB’s products or services or monitoring their behaviour when in those countries.

    The contact details of NAB's ‘Office of the Data Protection Officer’ are as follows:

    The Office of the Data Protection Officer,
    National Australia Bank Limited
    Level 1 800 Bourke Street,
    Docklands
    Melbourne
    Victoria 3008 Australia.

    Email: global.privacy.office@nab.com.au

    The NAB Group is a data controller for our website and services provided through our website.

  • The categories of information that we collect from other sources include:

    • Identity verification (from government agencies, background checking companies) to protect you against fraud
    • Credit reports (from credit checking agencies)
    • Referee checks (loan application - from current and former employers, landlords, real estate agents, or other referees)
    • Financial history (including becoming insolvent / bankrupt)
    • Property information (in relation to loan applications, valuers, agents, referrers, brokers, mortgage managers, solicitors, conveyancers and settlement agents)
    • Organisations involved in the securitisation of our loans such as loan servicers, trust managers, trustees and security trustees.

    We may also collect information about you when you communicate (including through emails or other messages) with one of our employees or other third parties who are using computers provided by NAB, including:

    • We may monitor use of NAB devices for the purpose of ensuring that NAB employees comply with applicable laws and NAB's internal policies (including as part of internal and/or external investigations)
    • Such monitoring may incidentally collect your personal information, including in the form of metadata from emails and messages (such as email subjects and the sender / recipient(s)). In very limited and specific scenarios (e.g. where there is suspicion of serious misconduct or a crime by a NAB employee), such monitoring may also collect and process your personal information through the recording / capture of the NAB employee's device screen as part of the monitoring of that employee.
  • Sometimes we collect information about you from other sources. We may collect information about you that is publicly available (for example from public registers or social media) or made available by third parties.

    For instance, we do this where:

    • we distribute or arrange products on behalf of others, including our business partners;
    • we can’t get hold of you and need to update your contact details;
    • we need information from third parties about an application you make through us;
    • we need information for fraud prevention purposes;
    • we are checking the security you are offering;
    • we can learn insights about your financial needs, such as through property information;
    • you have consented to third parties sharing it with us, such as organisations we have loyalty programs with or we sponsor;
    • at your request, we exchange information with your legal or financial advisers or other representatives.

    We may use or disclose information about you in order to combine the information that we hold with information collected from or held by external sources. We do this in order to enable the development of customer insights about you so that we can serve you better. This includes being able to better understand your preferences and interests, personalise your experience, enhance the products and services you receive, and to tell you about products and services that may be of interest to you.

  • We may use and process your information to:

    • perform our contract with you and respond to your related requests;
    • provide you with the product or service you asked or applied for, or in order to respond to your request before we provide the product or service (e.g. checking your information with others on your request) including to give you information about the product or service including financial help, guidance and advice;
    • consider whether you are eligible for a product or service you have asked for, including identifying or verifying you or your authority to act on behalf of a customer;
    • process your application and provide you with a product or service;
    • administer the product or service we provide you, which includes answering your requests and complaints, varying products and services, and managing our relevant product portfolios;
    • determine whether a beneficiary will be paid a benefit.
  • We may use your information for our legitimate interests (where we have considered these are not overridden by your rights and which you have the right to object to as explained below) in:

    • identifying opportunities to improve our service to you and improving our service to you
    • conducting market research to serve you better by understanding your preferences to ensure we send you appropriate promotions and campaigns
    • assisting in arrangements with other organisations (such as loyalty program partners) in relation to a product or service we make available to you
    • allowing us to run our business and perform administrative and operational tasks (such as training staff, risk management; developing and marketing products and services, undertaking planning, research and statistical analysis; and systems development and testing)
    • verifying identity, preventing or investigating any fraud or crime, or any suspected fraud or crime (including the collection of any of your personal information incidentally as part of our employee surveillance and monitoring program).
  • We may also use and process your personal information where we are required by applicable laws, regulations or codes that bind us, in particular as a financial institution. These include company and tax laws and anti-money laundering laws which, among other things, require us to verify your identity.

  • Where required under the DPA or the GDPR (as relevant), we will use your personal information for the purpose for which you have given your valid or explicit consent. We will ensure we have obtained your consent if it is required before we process your information.

    For example, some information you provide us in connection with your application for or the administering of a product or service we provide you, may be more sensitive and therefore fall within a special category of personal information, such as health information. We will collect and process this information only with your explicit consent.

  • With your consent where required by law, we may communicate with you (through the preferred communication channels you have selected, which may include by email, telephone, SMS, IM, mail, or any other electronic means including via social networking forums) to:

    • tell you about other NAB Group products, services and offers that may be of interest to you;
    • run competitions and other promotions.

    If you have provided your consent to receive direct marketing, you can withdraw it at any time without detriment. We will process your request as soon as practicable.

    Where you have subscribed to something specific (like hearing from one of our sponsored organisations) then these subscriptions will be managed separately.

    If you no longer wish to receive these emails you may log into Internet Banking and update your preferences.

    Go to www.nab.com.au/unsubscribe or click the unsubscribe link included in the footer of our emails, or call us.

  • In addition to the basis on which we use and process your personal information described above, we may also use and process your credit information (which may be for our legitimate interest, or with your consent or to perform a contract we have with you) to:

    • enable a mortgage insurer or title insurer to assess the risk of providing insurance to us or to address our contractual arrangements with the insurer;
    • assess whether to accept a guarantor or the risk of a guarantor being unable to meet their obligations;
    • consider hardship requests;
    • assess whether to securitise loans and to arrange the securitising of loans.
  • We may collect information about you via application forms, online, or in person, because we are required or authorised by law to collect it, or where a contractual requirement exists, or the collection is necessary in order to enter into a contract with you.

    There are laws that affect financial institutions, including company and tax law which require us to collect personal information.

    For example, we require personal information to verify your identity under Commonwealth Anti-Money Laundering law.

  • If you don’t provide your information to us, we may not be able to:

    • provide you with the product or service you want;
    • respond to your requests;
    • manage or administer your product or service;
    • personalise your experience with us;
    • verify your identity or protect against fraud; or
    • let you know about other products or services from our Group that might better meet your financial, e-commerce and lifestyle needs.

    You have the right not to be subject to a decision by NAB made solely by automated processing. NAB may use automated processing (including profiling) but does not make decisions about you only on this basis.

  • We may share your information with other organisations consistent with the purposes for which we use and process your information as described above. This includes with the entities described below.

  • We may share your personal information with other Group members. This could depend on the product or service you have applied for and the Group member you are dealing with. Where appropriate we integrate the information we hold across the Group to provide us with a complete understanding of you and your needs in connection with the product or services we are providing you, including giving you access to the Group or related products you hold via Internet Banking.

    We may also share your personal information with other Group members where it is necessary to do so as part of the employee surveillance and monitoring program. This may involve transfer of your personal data outside the EEA, including to Australia, in which case we will ensure that the relevant protections are put in place prior to such transfer.

  • At your request, we will share your personal information with your representative or any person acting on your behalf (for example, financial advisers, lawyers, settlement agents, accountants, executors, administrators, trustees, guardians, brokers or auditors) and your referee such as your employer (to confirm details about you).

  • When we’re checking your credit worthiness and at other times, we might share information about you with credit reporting bodies who may retain a record of that check.

    When we give your information to a credit reporting body, it may be included in reports that the credit reporting body gives other organisations (such as other lenders) to help them assess your credit worthiness.

    Some of the information that we give to credit reporting bodies may reflect adversely on your credit worthiness, for example, if you fail to make payments or if you commit a serious credit infringement (like obtaining credit by fraud). That sort of information may affect your ability to get credit from other lenders.

    Your personal information may also be shared with credit reporting bodies or other approved third parties who are authorised to assess the validity of identification information. These checks help us verify whether your identity is real and are not a credit check.

    As outlined above, when we’re checking your credit worthiness and at other times, we might collect information about you from and give it to one or more credit reporting bodies.

    The contact details of the credit reporting bodies we use are outlined below.

    Each credit reporting body has a credit reporting policy about how they handle your information.

    You can obtain copies of these policies at their websites.

    Dun & Bradstreet Australia www.checkyourcredit.com.au
    Dun & Bradstreet’s credit reporting policy is set out at https://dnb.com.au/privacy-policy.html
    Phone: 1300 734 806
    Mail: Public Access Centre Dun & Bradstreet Australia, PO Box 7405 St Kilda Road VIC 3004

    Experian Australia https://www.experian.com.au
    Experian’s credit reporting policy is set out at www.experian.com.au/credit-services-privacy.html
    Phone: 1300 783 684
    Mail: Consumer Support Experian Australia
    PO Box 1969
    North Sydney NSW 2060
    Australia

    Equifax (previously known as Veda) www.mycreditfile.com.au
    Equifax's credit reporting policy is set out at www.equifax.com.au/privacy.

  • We may disclose your personal information to third parties outside of the Group including to help us run our business operations, locations and sites, many of whom are based outside the UK and EEA, with the majority based in Australia. These third parties include:

    • those involved in providing, managing or administering your product or service;
    • authorised representatives of the NAB Group who sell products or services on our behalf;
    • credit reporting bodies or other approved third parties who are authorised to assess the validity of identification information;
    • insurance, investment, superannuation and managed funds organisations, and their advisers and service providers;
    • medical professionals, medical facilities or health authorities who verify any health information you may provide where necessary for insurance purposes;
    • real estate agents, valuers and insurers (including lenders’ mortgage insurers and title insurers), re-insurers, claim assessors and investigators;
    • brokers or referrers who refer your application or business to us;
    • other financial institutions, such as banks, as well as guarantors and prospective guarantors of your facility;
    • organisations involved in debt collecting, including purchasers of debt;
    • fraud reporting agencies (including organisations that assist with fraud investigations and organisations established to identify, investigate and/or prevent any fraud, suspected fraud, crime, suspected crime, or misconduct of a serious nature);
    • organisations involved in surveying or registering a security property or which otherwise have an interest in such property;
    • organisations we sponsor and loyalty program partners, including organisations the NAB Group has an arrangement with to jointly offer products or has an alliance with to share information for marketing purposes;
    • companies we arrange or distribute products for, such as insurance products;
    • rating agencies to the extent necessary to allow the rating agency to rate particular investments;
    • any party involved in securitising your facility, including the Reserve Bank of Australia (sometimes this information is de-identified), re-insurers and underwriters, loan servicers, trust managers, trustees and security trustees;
    • service providers that maintain, review and develop our business systems, procedures and technology infrastructure, including testing or upgrading our computer systems;
    • payments systems organisations including merchants, payment organisations and organisations that produce cards, cheque books or statements for us;
    • our joint venture partners that conduct business with us;
    • organisations involved in a corporate re-organisation or transfer of NAB Group assets or business;
    • organisations that assist with our product planning, analytics, research and development;
    • mailing houses and telemarketing agencies and media organisations who assist us to communicate with you including for direct marketing purposes with your consent, including media or social networking sites;
    • other organisations involved in our normal business practices, including our agents and contractors, as well as our accountants, auditors or lawyers and other external advisers (e.g. consultants and any independent customer advocates); and
    • government or regulatory bodies the Financial Conduct Authority (FCA) and HM Revenue and Customs, as required or authorised by law (in some instances these bodies may share it with relevant foreign authorities).
  • We run our business in Australia and overseas.

    We will not share any of your credit information with a credit reporting body unless it has a business operation in Australia.

    We are not likely to share credit eligibility information (that is, credit information we obtain about you from a credit reporting body or that we derive from that information) with organisations unless they have business operations in Australia. In the event that NAB seeks assistance from a related company to manage defaulting loans, we may need, as a consequence, to disclose credit eligibility information to the Bank of New Zealand, located in New Zealand. In this instance we are likely to share other credit information about you with organisations outside Australia.

    We may need to share some of the information (including credit information) we collect about you from the UK or the EEA (as relevant) with organisations both inside and outside Australia. Sometimes we may need to ask you before this happens.

    View a list of the countries in which those overseas organisations are located.

    We may store your information in cloud or other types of networked or electronic storage. If your information is stored in this way, disclosures may occur in countries other than those listed.

    We are a global business and are headquartered in Australia and have operations in a number of overseas locations. We or our service providers may from time to time need to transfer some of your information outside the UK and the European Economic Area (‘EEA’) as relevant, including to Australia and India. If that is the case, we put adequate safeguards in place to ensure the protection of your privacy, fundamental rights and freedoms when your personal data is transferred outside the UK or the EEA.

    Overseas organisations may be required to disclose information we share with them under an applicable foreign law.

  • We’ll only keep your information for as long as we require it for our purposes.

    We’re required to keep some of your information for certain periods of time under law, such as the Corporations Act, the Anti-Money Laundering & Counter-Terrorism Financing Act, and the Financial Transaction Reports Act for example. When we no longer require your information, we’ll ensure that your information is destroyed or de-identified.

    We are required to keep your information for 7 years from the closure of accounts, or 10 years from the termination of superannuation facilities, or otherwise as required for our business operations or by applicable laws.

    We may need to retain certain personal information after we cease providing you with products or services to enforce our terms, for fraud prevention, to identify, issue or resolve legal claims and/or for proper record keeping.

    We may also retain a record of any stated objection by you to receiving Group marketing for the purpose of ensuring we can continue to respect your wishes and not contact you further.

  • How to access your information

    Subject to applicable laws, you have the right to access your personal information and to receive a copy of that information.

    You can ask us to access your personal information by emailing global.privacy.office@nab.com.au.

    You can also ask that personal information provided by you to us is transmitted to another party.

    We may need to verify your identity to respond to your request. We will respond to any request within a reasonable period permitted under applicable privacy laws and will generally give access unless an exemption applies to certain information.

    We will give you access to your information in the form you want it where reasonable and practical. We may charge you a small fee under certain circumstances to cover our costs when giving you access, but we’ll always confirm this with you first.

    If we can’t give you access, we will tell you why in writing. We’ll also let you know how you can make a complaint about our decision. If you have concerns, you can complain. See ‘contact us’.

  • You have the right to correction (rectification) of personal information and can contact us if you think there is something wrong with the information we hold about you.

    If you are worried that we have given incorrect information to others, we will tell them about the correction. If we can’t, then we’ll let you know in writing.

  • You also have in certain circumstances the right to request that the personal information that NAB collects from you is erased. If we refuse any request you make in relation to this right, we will tell you why in writing and how you can make a complaint about our decision.

  • You may also request that further processing of your personal information is restricted in certain circumstances, including while we investigate your concerns with this information.

  • Where you request access to credit information that NAB obtained from credit reporting bodies or which it based on that information, we will:

    • provide you access to the information within 30 days (unless unusual circumstances apply); and
    • ask you to check with credit reporting bodies what information they hold about you to ensure it is accurate and up-to-date.

    If we can’t give you access, we will tell you why in writing. We’ll also let you know how you can make a complaint about our decision. If you have concerns, you can complain to our external dispute resolution scheme, the Financial Ombudsman Services (FOS), the Australian Information Commissioner, or the relevant data protection authority such as the Office of the UK Information Commissioner or the French Commission Nationale de l’Informatique et des Libertés.

  • Whether we made the mistake or someone else made it, we are required to help you correct the information within 30 days. If we can’t make a correction in that timeframe, we will ask you for extra time. We also might need to talk to others in order to process your request. The most efficient way for you to make a correction request is to ask the organisation which made the mistake.

    Whether we’re able to correct the information or not, we’ll let you know within five business days of deciding to do this. If we can’t we will provide reasons. We’ll also let the relevant third parties know as well as any others you tell us about. If there are any instances where we can’t do this, then we’ll let you know in writing. If you have any concerns, you can access the Financial Ombudsman Service or make a complaint to the Australian Information Commissioner or the relevant data protection authority such as the Office of the UK Information Commissioner or the French Commission Nationale de l’Informatique et des Libertés.

  • You also have in certain circumstances the right to request that the further processing of your information is restricted or to object to its processing and the right to data portability (to receive and have transferred the information you provided). If we refuse any request you make in relation to this right, we will write to you to explain why and how you can make a complaint about our decision.

  • You can let us know at any time if you no longer wish to receive direct marketing updates from the Group. We will process your request as soon as practicable. Where you have subscribed to something specific (like to hear from one of our sponsored organisations) then these subscriptions will be managed separately.

    You may also withdraw your consent where provided or object to the further processing of your personal information under certain circumstances. If we refuse any request you make in relation to this right, we will write to you to explain why and how you can make a complaint about our decision.

    The withdrawal of your consent will not affect the processing of your information that you had consented to.

  • If you have a complaint about how we handle your personal information, we want to hear from you. You are always welcome to contact us. We are committed to resolving your complaint and doing the right thing by our customers. We aim to resolve complaints as quickly as we can, and you should hear from us within five business days (see ‘Contact Us’).

    If you still feel your issue or request hasn't been resolved to your satisfaction, then you can escalate your privacy concern (see ‘Contact details for escalating complaints’) and you have the right to make a complaint to the relevant data protection authority (for example in the place you reside or where you believe we breached your rights).

  • We will let you know how we will deal with your complaint within seven days.

    If we can’t fix things within 30 days, we’ll let you know why and how long we think it will take. We will also ask you for an extension of time to fix the matter. If you have any concerns, you may choose to complain to the Financial Services Ombudsman, the Office of the Australian Commissioner or the relevant data protection authority such as the Office of the UK Information Commissioner.

    If your complaint relates to how we handled your requests for access and corrections, you may take your complaint directly to the Financial Ombudsman Service, the Office of the Australian or UK Information Commissioner, or French Commission Nationale de l’Informatique et des Libertés. You are not required to let us try to fix it first.

  • Need more help?

    Financial Ombudsman Service UK

    Office of the Australian Information Commissioner

    Office of the UK Information Commissioner

    Commission Nationale de l’Informatique et des Libertés (France)
