1 Who we are
1.1 This privacy notice (the "Privacy Notice") applies to all information we collect, use and process about you as a customer in relation to the products/services you receive from Mettle, a trading name of National Westminster Bank plc.
1.2 National Westminster Bank plc is a data controller in respect of personal information that we process in connection with our business (including the products and services that we provide). In this notice, references to "we", "us" or "our" are references to National Westminster Bank plc, trading as Mettle (Mettle).
1.3 Our principal address is 250 Bishopsgate, London EC2M 4AA and our contact details can be located at mettle.co.uk.
1.4 We are a member of NatWest Group plc. More information about the NatWest Group can be found at NatWestGroup.com by clicking on 'About Us'.
1.5 We respect individuals' rights to privacy and to the protection of personal information. The purpose of this Privacy Notice is to explain how we collect and use personal information in connection with our business. "Personal information" means information about a living individual who can be identified from that information (either by itself or when it is combined with other information).
2 The information we process
We collect and process various categories of personal information at the start of, and for the duration of, your relationship with us and beyond (subject to appropriate retention periods as set out in section 12 below). We will limit the collection and processing to information necessary to achieve one or more legitimate purposes as identified in this notice. Personal and confidential information may include:
a) basic personal information, including name and address, date of birth, contact details, nationality, the fact you are our customer;
b) financial information, including account and transactional information and history, payment and payee details;
c) information about your financial circumstances, including personal wealth, assets and liabilities, proof of income and expenditure, credit and borrowing history and needs and goals;
d) information about your business;
e) goods and services provided;
f) visual images and personal appearance (such as copies of passports or video images), voice recordings; and
g) online profile and social media information and activity, based on your interaction with us and our websites and the Mettle app, including for example your banking profile and login information, Internet Protocol (IP) address, smart device information, location coordinates, Mettle app security authentication, mobile phone network information, searches, site visits and spending patterns.
2.2 We may also process certain special categories of information for specific and limited purposes, such as detecting and preventing financial crime, it is in the wider public interest (for example, to protect customers' economic well-being), to make our services accessible to customers or for reporting of complaints for regulatory purposes. We will only process special categories of information where we've obtained your explicit consent or are otherwise lawfully permitted to do so (and then only for the particular purposes and activities for which the information is provided as set out in Schedule A). This may include information relating to:
a) information revealing racial or ethnic origin;
b) religious or philosophical beliefs;
c) trade union membership;
d) biometric data used for identification purposes including physical, physiological and behavioural identification;
e) information concerning health; and
f) data concerning a person's sex life and sexual orientation.
2.3 Where permitted by law we may process information about criminal convictions, criminal offences, related security details, alleged offences including unproven allegations, spent or previous convictions, or other details provided in relation to a criminal reference check or similar.
2.4 Where you have provided your consent for us to process your special category data, such as biometric data, you can change it any time by contacting us at email@example.com.
3 How we obtain information
3.1 Your information is made up of all the financial and personal information we collect and hold about you/ your business and the proprietors, officers and beneficial owners of that business and your transactions. It includes:
a) information you give to us when you register as a user of the Mettle app, submit an application, when you use the services and when you contact us;
b) information that we receive from third parties - including other NatWest Group companies (for example Mettle Ventures Limited),
(i) third parties who provide services to you or us,
(ii) credit reference, fraud prevention, law enforcement or government agencies,
(iii) industry and trade bodies,
(iv) other banks (where permitted by law); and
(v) energy companies and energy regulators where we have a legal basis to obtain this data.
c) information that we learn about you through our relationship with you and the way you operate your accounts and/or services, such as the payments made to and from your accounts and payees from your account and where you are identified as a payee, or invoices that you have created on the Mettle App;
d) information that we gather through cookies or similar tracking tools (eg pixels) when you use our website, the Mettle app, web app or in-app chat services. Advertising or targeting cookies or similar technologies may also be used, with your consent, to track your responses to particular adverts, messages or forms, which helps us to ensure we present you with the most relevant content in the future;
e) information that we gather from the technology which you use to access our services (for example device data location data from your device, or an IP address or mobile number) and how you use it (for example pattern recognition);
f) information that we gather from publicly available sources, such as the press, the electoral register, company registers and online search engines. Information that you make public on social media eg Facebook, Twitter; and
g) information that is shared by Mettle Ventures Limited about an e-money customer who has agreed to become a business bank account customer.
4 Your rights
4.1 We want to make sure you are aware of your rights in relation to the personal information we process about you. We have described those rights and the circumstances in which they apply in the table below.
If you wish to exercise any of these rights, if you have any queries about how we use your personal information that are not answered here, or if you wish to complain to our Data Protection Officer, please contact us at 0800 0987 765.
Please note that in some cases, if you do not agree to the way we process your information, it may not be possible for us to continue to operate your account and/or provide certain products and services to you.
Table A - Your rights
You have a right to get access to the personal information we hold about you.
You have a right to rectification of inaccurate, personal information and to update incomplete, personal information.
If you believe that any of the information that we hold about you is inaccurate, you have a right to request that we restrict the processing of that information and to rectify the inaccurate personal information.
Please note that if you request us to restrict processing your information, we may have to suspend the operation of your account and/or the products and services we provide to you.
You have a right to request that we delete your personal information.
You may request that we delete your personal information if you believe that:
we no longer need to process your information for the purposes for which it was Provided;
we have requested your permission to process your personal information where required for a particular purpose and you wish to withdraw your consent; or
we are not using your information in a lawful manners.
Please note that if you request that we delete your information, we may have to suspend the operation of your account and/or the products and services we provide to you.
You have a right to request that we restrict the processing of your personal information.
You may request that we restrict processing your personal information if you believe that:
any of the information that we hold about you is inaccurate;
we no longer need to process your information for the purposes for which it was provided, but you require the information to establish, exercise or defend legal claims; or
we are not using your information in a lawful manner.
Please note that if you request that we restrict processing your information, we may have to suspend the operation of your account and/or the products and services we provide to you.
You have a right to data portability.
Where we have requested your permission to process your personal information or you have provided us with information for the purposes of entering into a contract with us, you have a right to receive the personal information you provided to us in a portable format.
You may also request us to provide it directly to a third party, if technically feasible. We’re not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and any privacy statement they provide to you.
If you would like to request the personal information you provided to us in a portable format, please contact us at firstname.lastname@example.org.
You have a right to object to the processing of your personal information.
You have a right to object to us processing your personal information (and to request us to restrict processing) for the purposes described in Section C of Schedule A – Purposes of
Processing (below), unless we can demonstrate compelling and legitimate grounds for the processing, which may override your own interests, or where we need to process your information to investigate and protect us or others from legal claims.
Depending on the circumstances, we may need to restrict or cease processing your personal information altogether or, where requested, delete your information.
Please note that if you object to us processing your information, we may have to suspend the operation of your account and/or the products and services we provide to you.
You have a right to object to direct marketing
You have a right to object at any time to processing of your personal information for direct marketing purposes, including profiling you for the purposes of direct marketing. For more information see Section 9.
You have a right to withdraw your consent.
Where we rely on your permission to process your personal information, you have a right to withdraw your consent at any time. We will always make it clear where we need your permission to undertake specific processing activities.
You have a right to lodge a complaint with the regulator.
If you wish to raise a complaint on how we have handled your personal information, you can contact our Data Protection Officer (03457 888 444. Overseas number: +44 3457 888 444. Relay UK 1800103457888444) who will investigate the matter. We hope that we can address any concerns you may have, but you can always contact the Information Commissioner's Office (ICO). For more information, visit ico.org.uk.
5 Changes to the way we use your information
5.1 From time to time we may change the way we use your information. When we do, we will communicate any changes to you and publish the updated Privacy Notice on our website and in the Mettle App. We would encourage you to visit our website regularly to stay informed of the purposes for which we process your information and your rights to control how we process it.
5.2 Where we believe you may not reasonably expect such a change we will notify you and will allow a period of at least 30 days for you to raise any objections before the change is made. However, please note that in some cases, if you do not agree to such changes it may not be possible for us to continue to operate your account and/or provide certain products and services to you. Where relevant, we may also include further details or information in relation to a particular service or activity at the point information is collected or the product or service is considered.
6 How we use and share your information with other NatWest Group companies
6.1 We will only use and share your information with other NatWest Group companies where it is necessary for us to lawfully carry out our business activities. We want to ensure that you fully understand how your information may be used. We have described the purposes for which your information may be used in detail in a table in Schedule A - Purposes of processing.
7 Sharing with other third parties
7.1 We will not share your information with anyone outside NatWest Group except:
a) where we have your permission;
b) where required, whether directly or indirectly, for your product or service, which could include in relation to your welfare or accessibility requirements;
c) with law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory or trade bodies around the world;
d) with other banks and third parties in relation to fraud or financial crime or criminal activities; or in the event of suspected fraud or financial crime or criminal activities; or the monitoring, prevention and investigation of the same; with other banks and third parties to help recover funds that have entered your account as a result of a misdirected payment by such a third party;
e) with third parties providing services to us, such as market analysis and benchmarking, agents and sub contractors acting on our behalf, such as the companies which print our cards, where advice or services are required or requested in connection with the bank's legal, regulatory or contractual rights or obligations relating to products or services provided to you;
f) where we have your permission with social media companies (in a secure format) or other third party advertisers and marketing companies so they can display or send relevant messages to you and others or compile information relevant to marketing to you about our products and services on our behalf. Third party advertisers may also use information about your previous web activity to tailor adverts which are displayed to you;
g) with credit reference agencies and with third parties in relation to debt collection and related activities;
h) where required for a proposed or actual sale, reorganisation, transfer, financial arrangement, asset disposal or other transaction relating to our business and/or assets held by our business where such data is shared with a third party it is done so under strict duties of confidentiality;
i) in anonymised form as part of statistics or other aggregated data shared with third parties; or
j) where permitted by law, it is necessary for our legitimate interests or those of a third party, and it is not inconsistent with the purposes listed above.
7.2 If you ask us to, we will share information with any third party that provides you with services such as account information or payment initiation services. If you ask a third-party provider to provide you with these services, you are allowing that third party to access information we hold. We are not responsible for any such third party's use of the information shared with your agreement. Their use of the information will be governed by their agreement with you and any privacy statement they provide to you. When you agree to information being shared with a third party for provision of services, it should be noted that NatWest may charge the third party as part of a commercial arrangement to provide the service.
7.3 In the event that any additional authorised users are added to your account, we may share information about the use of the account by any authorised user with all other authorised users.
7.4 We will not share your information with third parties for their own marketing purposes without your permission.
8 Transferring information overseas
8.1 We may transfer your information to organisations in other countries (including to other NatWest Group companies) on the basis that anyone to whom we pass it protects it in the same way we would and in accordance with applicable laws.
8.2 In the event that we transfer information to countries outside of the UK and the European Economic Area (which includes countries in the European Union as well as Iceland, Liechtenstein and Norway), we will only do so where:
a) the UK has decided that the country or the organisation we are sharing your information with will protect your information adequately;
b) the transfer has been authorised by the relevant data protection authority; and/or
c) we have entered into a contract with the organisation with which we are sharing your information (on terms approved by the UK) to ensure your information is adequately protected. If you wish to obtain a copy of the relevant data protection clauses, please contact us at 0800 0987 765.
9 Marketing information
9.1 Where we have appropriate marketing permissions, we will send you relevant marketing information (including details of other products or services provided by us or other NatWest Group companies or other selected third parties which we believe may be of interest to you), by phone, email, text, push notification, online and other forms of electronic communication. We will not share your information with third parties for their own marketing purposes. If you change your mind about how you would like us to contact you or you no longer wish to receive this information, you can change your preferences in the Mettle app, use the unsubscribe link in emails or you can tell us at any time by contacting us at email@example.com or via in-app chat.
10 Communications about your account
10.1 We will contact you with information relevant to the operation and maintenance of your account (including updated information about how we process your personal information), by a variety of means including via email, text message, push notification or in-app chat. If at any point in the future you change your contact details you should tell us promptly about those changes.
10.2 We may monitor or record calls, emails, text messages, webchat or other communications in accordance with applicable laws for the purposes outlined in Schedule A- Purposes of processing.
10.3 We may contact you if we have concerns about your economic wellbeing and offer support.
11 Credit reference and fraud prevention agencies
11.1 We may access and use information from credit reference and fraud prevention agencies when you open your account and periodically to:
a) manage and take decisions about your accounts;
b) prevent criminal activity, fraud and money laundering; and
c) check your identity and verify the accuracy of the information you provide to us.
11.2 Application decisions may be taken based solely on automated checks of information from credit reference and fraud prevention agencies and internal NatWest Bank records. You have rights in relation to automated decision-making, including a right to appeal if your application is refused. You can appeal by contacting firstname.lastname@example.org.
11.3 We will continue to share information with credit reference agencies about how you manage your Mettle business bank account including your account balance, payments into your account, the regularity of payments being made, credit limits and any arrears or default in making payments, while you have a relationship with us. This information will be made available to other organisations (including fraud prevention agencies and other financial institutions) so that they can take decisions about you, your associates and members of your household.
11.4 If false or inaccurate information is provided and/or fraud is identified or suspected, details will be passed to fraud prevention agencies. Law enforcement agencies and other organisations may access and use this information. Fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your data continues to be protected by ensuring appropriate safeguards are in place.
11.5 If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we and others may refuse to provide the services and financing you have requested, to employ you, or we may stop providing existing services to you.
11.6 A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. Fraud prevention agencies can hold your information for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
11.7 If you would like a copy of your information held by the credit reference and fraud prevention agencies we use, or if you want further details of how your information will be used by these agencies, please visit their websites or contact them using the details below. The agencies may charge a fee.
Credit reference agency and fraud prevention agency contact details
Post: Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester LE3 4FS.
Phone: 0333 321 4043 or 0800 014 2955
12 How long we keep your information
12.1 By providing you with products or services, we create records that contain your information, such as customer account records, activity records and tax records.
12.2 We manage our records to help us to serve our customers well (for example for operational reasons, such as dealing with any queries relating to your account) and to comply with legal and regulatory requirements. Records help us demonstrate that we are meeting our responsibilities and to keep as evidence of our business activities.
12.3 Retention periods for records are determined based on the type of record, the nature of the activity, product or service, the country in which the relevant NatWest company is located and the applicable local legal or regulatory requirements. We (and other NatWest Group companies) normally keep customer account records for up to ten years after your relationship with the bank ends, whilst other records are retained for shorter periods. Retention periods may be changed from time to time based on business or legal and regulatory requirements.
12.4 We may on exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that the bank will be able to produce records as evidence, if they're needed.
12.5 If you would like more information about how long we keep your information, please contact us at 0800 0987 765.
13.1 We are committed to ensuring that your information is secure with us and with the third parties who act on our behalf. For more information about the steps we are taking to protect your information please contact us at email@example.com.
14 Automated processing
14.1 In the course of providing products and services to you we may process your personal information by automated means, to include profiling. What this means is that we will use computer software to automatically evaluate your personal circumstances in order to identify risks or to predict certain outcomes. Examples of this type of processing include:
a) obtaining credit reference checks for certain products;
b) the assessment of account activity to detect and prevent financial crime and fraud; and
c) to provide personalised offers and create market insights.
14.2 Profiling is a useful tool as we try to understand our customers and their specific needs in more detail. It gives us the opportunity to use personal information to tailor our marketing and product offering but also to ensure that we achieve fair customer outcomes. However, our customers do have rights and entitlements in relation to automated processing and these are covered in Table A above. You also have the right to opt out of profiling for marketing purposes.
Schedule A - Schedule of purposes of processing
We will only use and share your information where it is necessary for us to carry out our lawful business activities. Your information may be shared with and processed by other NatWest Group companies. We want to ensure that you fully understand how your information may be used. We have described the purposes for which your information may be used in detail in a table below:
In some limited cases and for specific purposes only, we may base the processing of your information on your consent. Where you have provided your consent for us to process your information, you can change your mind at any time and withdraw your consent by contacting us at firstname.lastname@example.org.
This may include processing in the form of:
) sending you relevant marketing information by email, text message or push notification (including details of other products or services provided by us, other NatWest group companies or other selected third parties, which we believe may be of interest to you);
b.) sharing your contact information with social media companies (in a secure format) or other third party advertisers and marketing companies so they can display or send relevant messages to you and others or compile information relevant to marketing to you about our products and services on our behalf. Third party advertisers may also use information about your previous web activity to tailor adverts which are displayed to you and they will rely on their own appropriate legal basis to do so;
c) using non-essential cookies and similar technology;
d) using certain special categories of information, for example biometric data for facial verification and information concerning health that you choose to provide to us through the form in the Mettle app if you experience a difficult situation, so that we can consider your welfare needs or accessibility requirements;
e) using other information that you choose to provide through the form in the Mettle aApp if you experience a difficult situation, so that we can support your welfare needs and economic wellbeing;
f) sharing information with any third party that provides you with services such as account information or payment initiation services; and
g) information shared by MettleVentures Limited about an e-money customer who has agreed to become a business bank account customer.
B Contractual necessity
We may process your information where it is necessary to enter into a contract with you for the provision of our products or services or to perform our obligations under that contract. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you. This may include processing to:
a) assess and process applications for products or services; including applications where you are acting on behalf of one of our customers such as Power of Attorney;
b) provide and administer those products and services throughout your relationship with the bank, including opening, setting up or closing your accounts or products; collecting and issuing all necessary documentation; executing your instructions; processing transactions, including transferring money between accounts; making payments to third parties; resolving any queries or discrepancies and administering any changes. Calls to our Mettle customer ops team and communications to our mobile and online helplines may be recorded and monitored for these purposes;
c) manage and maintain our relationships with you and for ongoing customer service. This may involve sharing your information with other NatWest Group companies to improve the availability of our services, for example enabling customers to visit branches of other NatWest Group companies; and
d) communicate with you about your account(s) or the products and services you receive from us.
C Legal obligation
When you apply for a product or service (and throughout your relationship with us), we are required by law to collect and process certain personal information about you. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you. This may include processing to:
a) confirm your identity;
b) perform checks and monitor transactions and location data for the purpose of preventing and detecting crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions. This may require us to process information about criminal convictions and offences, to investigate and gather intelligence on suspected financial crimes, fraud and threats and to share data with law enforcement and regulatory bodies;
c) share data with other banks and third parties to help recover funds that have entered your account as a result of a misdirected payment by such a third party;
d) share data about how you use your Mettle business bank account with credit reference agencies where we have a legal obligation;
e) share data with police, law enforcement, tax authorities or other government and fraud prevention agencies where we have a legal obligation, including reporting suspicious activity and complying with production and court orders;
f) deliver mandatory communications to customers or communicating updates to product and service terms and conditions;
g) investigate and resolve complaints, and remediate errors occurring on your account or service;
h) conduct investigations into breaches of conduct and corporate policies by our employees;
i) manage contentious regulatory matters, investigations and litigation;
j) perform assessments and analyse customer data for the purposes of managing, improving and fixing data quality;
k) provide assurance that the bank has effective processes to identify, manage, monitor and report the risks it is or might be exposed to;
l) investigate and report on incidents or emergencies on the bank's properties and premises;
m) coordinate responses to business-disrupting incidents and to ensure facilities, systems and people are available to continue providing services;
n) monitor dealings to prevent market abuse; and
o) accessibility and providing reasonable adjustments.
D Legitimate interests of the bank
We may process your information where it is in our legitimate interests to do so as an organisation or where it is in the legitimate interest of a third party.
a) We may process your information in the day-to-day running of our business, to manage our business and financial affairs and to protect our customers, employees and property. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business. This may include processing your information to:
(i) monitor, maintain and improve internal business processes, information and data, technology and communications solutions and services (for example confirmation of payee);
(ii) ensure business continuity and disaster recovery and respond to information technology and business incidents and emergencies;
(iii) ensure network and information security, including monitoring authorised users' access to our information technology for the purpose of preventing cyber-attacks, unauthorised use of our telecommunications systems and websites, prevention or detection of crime and protection of your personal data;
(iv) provide assurance on the bank's material risks and reporting to internal management and supervisory authorities on whether the bank is managing them effectively;
(v) perform general, financial and regulatory accounting and reporting; (vi) protect our legal rights and interests;
(vii) enable a proposed or actual sale, reorganisation, transfer or other transaction relating to our business; and
(viii) further our purpose to improve our customers' environmental impact, including the aim of working towards a carbon neutral position
b) It is in our interest as a business to ensure that we provide you with the most appropriate products and services and that we continually develop and improve as an organisation. This may require processing your information to enable us to:
(i) identify new business opportunities and to develop enquiries and leads into applications or proposals for new business and to develop our relationship with you;
(ii) understand our customers' actions, behaviour, preferences, transactions, savings, expectations, feedback and financial history in order to improve our products and services, develop new products and services, and to improve the relevance of offers of products and services by NatWest Group companies;
(iii) contact you to ask for feedback and conduct research about your experiences with us in order to monitor the performance and effectiveness of and identify opportunities to improve products and services;
(iv) assess the quality of our customer services and to provide staff training. Calls to our service centres, video calls and communications to our mobile and online helplines may be recorded and monitored for these purposes;
(v) perform analysis on customer complaints for the purposes of preventing errors and process failures and rectifying negative impacts on customers;
(vi) compensate customers for loss, inconvenience or distress as a result of services, process or regulatory failures;
(vii) identify our customers' use of third-party products and services in order to facilitate the uses of customer information detailed above;
(viii) combine your information with third-party data, such as economic data in order to understand customers' needs better and improve our services; and
(ix) consider your welfare needs including any adjustments, support or different products or services which might be suitable or protections to put in place.
c) It is in our interest as a business to manage our risk and to determine what products and services we can offer and the terms of those products and services. It is also in our interest to protect our business and customers and others by preventing financial crime, fraud and other criminal activities. This may include processing your information to:
(i) carry out financial risk assessments;
(ii) manage and take decisions about your accounts;
(iii) carry out checks (in addition to statutory requirements) on customers and potential customers, confirmation of payee data business partners and associated persons, including performing adverse media checks, screening against external databases and sanctions lists and establishing connections to politically exposed persons;
(iv) share data with credit reference, fraud prevention agencies and law enforcement agencies;
(v) trace debtors and recovering outstanding debt;
(vi) for risk reporting and risk management;
(vii) perform checks, monitoring and investigation to prevent and detect crime including in relation to money laundering, fraud, terrorist financing, bribery and corruption, trafficking and international sanctions. It may involve investigating and gathering intelligence on suspected financial crimes, fraud and threats and sharing data between banks and with law enforcement and regulatory bodies;
(viii) responding and participating in industry improvements and consultations; and
(ix) responding to and investigating complaints both raised directly to us, or raised through a third party such as a regulatory body.