Additional rights in Asia
Customers of our Singapore Branch
Additional rights for customers of our Singapore Branch are set out in the Singapore Branch Privacy Notice. You may request a copy of this Notice, or further information relating to your rights, by contacting the Singapore Data Privacy Officer (see We’re here to help, Section 6a).
Customers of our Tokyo Branch
Additional rights for customers of our Tokyo Branch are set out in the Commonwealth Bank of Australia, Tokyo Branch Privacy Policy Statement (PDF). You may request a copy of this Notice, or further information relating to your rights, by contacting the Tokyo Branch Data Privacy Officer (see We’re here to help, Section 6a).
Customers of our China Branch
Additional rights for customers whose personal information will be collected, processed, stored, transmitted, disclosed and used by Commonwealth Bank of Australia in China is set out in our China Branch Privacy Notice. You may request a copy of this Notice, or further information relating to your rights, by contacting the China Data Privacy Officer (see We’re here to help, Section 6a).
Customers of our Hong Kong Branch
Additional rights for customers of our Hong Kong Branch are set out in the Commonwealth Bank of Australia, Hong Kong Branch Privacy Policy Statement (PDF). You may request a copy of this Notice, or further information relating to your rights, by contacting the Hong Kong Branch Data Privacy Officer (see We’re here to help, Section 6a).
Additional rights for individuals located in the European Economic Area and United Kingdom
The European Union (EU) and the United Kingdom (UK) have local data protection laws, such as the EU General Data Protection Regulation (GDPR) and United Kingdom General Data Protection Regulation (UK GDPR), which give more rights to individuals located in the European Economic Area (EEA) and the UK and more obligations to organisations holding their personal information.
If you are a customer of our UK branch or our bank in Netherlands, that organisation will be a “controller” of your personal information, which means it is responsible for compliance with the GDPR or UK GDPR as applicable.
In this Appendix, “personal information” means any information relating to an identified or identifiable natural person.
Under the GDPR and UK GDPR, personal information must be processed in a lawful, fair and transparent manner. This means we must provide you with more information about how we collect, use, share and store your personal information and information about your rights in data protection law. We have set out below this information, which is in addition to certain other information provided in the Group Privacy Statement above.
If you are located in the UK or EEA and have an enquiry relating to your data protection rights, please contact [email protected].
What personal information do we collect?
For details of what personal information we collect, please refer to Section 2 (Collection, use and sharing) above.
If we require certain information for our contract with you or because it is legally required and you do not provide this to us, we may not be able to offer you products or services, or perform our contract with you.
Special categories of personal information
Personal information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data (for example your fingerprints), or data concerning your health, sex life or sexual orientation is subject to additional requirements.
If we process this personal information about you, we will only process this with your consent or where otherwise lawfully permitted.
How long we keep your personal information
We will keep your personal information while you are a customer. We keep your personal information for only as long as we need it for the relevant purpose.
We generally keep your personal information for up to 7 years after you stop being a customer but we may keep your personal information for longer for the following purposes:
- To fulfil legal or regulatory obligations
- For internal research and analytics
- To respond to a question or complaint
How we use your personal information
We can collect and use your personal information for the purposes noted above in Section 2 (Collection, use and sharing). We must have a valid lawful ground to process your personal information, which may be one of the following lawful grounds:
- Contract: We need to process your personal information in order to fulfil a contract you have with us, or because you have asked us to take specific steps before entering into a contract.
- Legal or regulatory obligations: We need to process your personal information for us to comply with applicable law or regulations (not including contractual obligations).
- Legitimate interests: We need to process your personal information for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal information which overrides these legitimate interests.
- Consent: We may (but usually do not) need your consent to use your personal information for a specific purpose.
link