Privacy
SMBC EMEA customers & third parties privacy notice
This Notice applies to individuals who are customers of SMBC entities located in Europe, Middle East and Africa (“SMBC EMEA”, “us”, or “we”), as listed at section 9 of this Notice, as well as to any persons who have provided their personal data to SMBC EMEA entities, including potential customers and third parties.
The Notice explains how SMBC EMEA entities comply with applicable data protection and privacy laws and regulations, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), across all jurisdictions in which they provide and receive products and services.
Types of Data Collected:
We collect various types of personal data to provide our services. The categories of data we collect include:
Contact Information: This includes details such as your name, address, email address, and telephone number.
Identity Information: This includes information such as your date of birth, nationality, identification numbers (e.g., passport or national ID) and other identifiers.
Financial Information: This includes your bank account details, transaction history, credit history, and other financial data.
Image Capturing: This refers to images and video recordings captured by CCTV systems for security purposes.
Communications Information: This includes records of your communications with us, such as emails and other correspondence. It may also include audio recordings of your interactions with SMBC EMEA entities, where required by regulation (e.g. MiFID II), made through collaboration tools and communication platforms, as well as phone calls or voice messages.
Account Access Information: This encompasses details related to your access and use of our online services, including login credentials and activity logs.
Relationship Information: This includes information about your relationship with us, such as your account history, preferences, and interactions with our services.
Legal Basis for Processing:
We collect and process personal and, in some instances, special category data for various purposes, each aligned with specific legal bases to ensure compliance with data protection regulations. The purposes for which we process your data include:
Legal Obligation:
To comply with legal and regulatory requirements, such as reporting obligations, tax laws, and other statutory requirements.
Contractual Obligations:
To fulfil our contractual commitments, including providing services, managing accounts, processing transactions, and responding to inquiries related to contracts.
Public Interest Tasks:
To perform tasks carried out in the public interest or in the exercise of official authority, such as public health and safety measures.
Legitimate Interests:
To pursue our legitimate business interests, which include:
Business Management: Ensuring efficient and effective management of our operations.
Compliance: Adhering to internal policies and external regulations.
Audits: Conducting internal and external audits to ensure accuracy and compliance.
Website Administration: Managing and improving our website and online services.
Professional Advice: Seeking and providing professional advice to support business decisions.
Marketing Communications: Promoting our products and services to existing and potential customers via email, post, etc. For opt-out information, see Data Subject Rights.
Risk Management: Identifying, assessing, and mitigating risks to our business.
Explicit Consent:
To process personal data for specific purposes where explicit consent has been provided by the data subject.
Withdrawing Consent: see Data Subject Rights.
Data Sharing and Disclosure:
We may share personal data with various entities and individuals to fulfil our obligations and provide services. The categories of recipients include:
Within the Sumitomo Mitsui Financial Group (SMFG) to ensure efficient and effective management of our operations and services.
Credit Reference and Third-Party Agencies for purposes such as Anti-Money Laundering (AML), Know Your Customer (KYC), and Politically Exposed Person (PEP) checks.
Third Parties Who Introduced Customers, Suppliers, or Agents:
Personal data may be shared with third parties who have introduced customers, suppliers, or agents to us, to facilitate business relationships and transactions.
Service Providers:
We may engage service providers to assist with various functions, including:
IT systems
Print services
Professional Advisers:
Personal data may be disclosed to professional advisers such as auditors and lawyers to obtain expert advice and ensure compliance with legal and regulatory requirements.
Public Authorities:
We may share personal data with competent authorities, including:
Tax authorities
Courts
Regulators
Government agencies
In Case of Corporate Changes:
In the event of corporate changes such as mergers, sales, or asset transfers, personal data may be disclosed to relevant parties involved in the transaction.
Cross border transfers of your personal information:
Where we transfer your personal information across jurisdictions, we ensure that such transfers comply with all relevant data protection laws and regulations. For instance, when transferring your personal information to or from a third party in another jurisdiction, we are required to check that the jurisdiction to which it is being transferred for processing provides an adequate level of data protection; otherwise we must implement safeguards to protect your personal information. These safeguards may include standard contractual clauses approved by the relevant data protection authorities.
Data Retention:
We retain personal data for as long as necessary to fulfil the purposes for which it was collected. Specifically:
Duration of the Relationship:
Personal data is retained for the duration of our relationship with the data subject, including the provision of services, management of accounts and fulfilment of contractual obligations.
Legal and Regulatory Requirements:
After the relationship ends, personal data may be retained for a period required by applicable laws and regulations, such as tax, company, and financial services regulations.
Ongoing Correspondence, Claims, or Investigations:
Where there is ongoing correspondence, claims, or investigations, personal data may be retained for a longer period to address and resolve these matters effectively.
We regularly review our data retention policies to ensure that personal data is not kept longer than necessary and is securely deleted or anonymised when no longer required.
Data Subject Rights:
Under the data protection laws and regulations applicable in the EMEA jurisdictions listed in this Notice, individuals have various rights regarding their personal data. These rights ensure transparency and control over how personal data is processed. The rights include:
Right of Access:
You have the right to request access to the personal data that we hold about you. This includes information about how your data is processed and the purposes of processing.
Right to Rectification:
If you believe that your personal data is inaccurate or incomplete, you have the right to request correction or completion of your data.
Right to Erasure:
You have the right to request the deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected or if you withdraw your consent.
Right to Restrict Processing:
You have the right to request the restriction of processing your personal data in specific situations, such as when you contest the accuracy of the data or object to the processing.
Right to Data Portability:
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request the transfer of your data to another controller.
Right to Object:
You have the right to object to the processing of your personal data based on legitimate interests, public interest tasks, or direct marketing purposes.
Right to Withdraw Consent:
If you have provided explicit consent for the processing of your personal data, you have the right to withdraw your consent at any time. To withdraw your consent, please contact us using the information provided in the "Contact Information for Complaints and Data Subject Rights" section of this Privacy Notice.
Right to Lodge a Complaint:
You have the right to lodge a complaint with a supervisory authority if you believe that your rights under data protection laws or regulations have been violated.
Right to be Informed:
You have the right to be informed about the collection and use of your personal data, including the purposes of processing, retention periods, and who the data will be shared with.
Rights in relation to Automated Decision-Making and Profiling:
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or significantly affect you.
To exercise any of these rights, please contact us using the information provided in the "Contact Information for Complaints and Data Subject Rights" section of this Privacy Notice. We will respond to your request in accordance with applicable data protection laws.
Security Measures:
We take the protection of your personal data seriously and implement a variety of security measures to safeguard it from unauthorised access, disclosure, alteration or destruction. As part of this commitment, we adhere to the principles of Data Protection by Design and Default and have put in place technical and organisational measures to safeguard your personal data. We conduct Data Protection Impact Assessments where proposed processing of personal data could result in a high risk to the rights and freedoms of Data Subjects, including but not limited to:
Automated Processing, including Profiling, which leads to decisions that have a legal effect
Processing of any Sensitive Data
Processing of data on a large scale
Our security measures include:
Access Controls:
We restrict access to personal data to authorised personnel only. Access is granted based on the principle of least privilege, ensuring that individuals only have access to the data necessary for their role.
Encryption:
We use encryption technologies to protect personal data both in transit and at rest. This ensures that data is securely transmitted and stored, reducing the risk of unauthorised access.
Firewalls and Intrusion Detection Systems:
Our network is protected by firewalls and intrusion detection systems that monitor and prevent unauthorised access attempts.
Regular Security Audits:
We conduct regular security audits and assessments to identify and address potential vulnerabilities in our systems and processes.
Data Anonymisation and Pseudonymisation:
Where appropriate, we anonymise or pseudonymise personal data to further protect individuals' privacy.
Physical Security:
Our facilities are equipped with physical security measures, such as access controls, surveillance systems, and secure storage areas, to protect personal data from physical threats.
Employee Training:
We provide ongoing training to our employees on data protection and security best practices to ensure they understand their responsibilities in safeguarding personal data.
Incident Response Plan:
We have an incident response plan in place to quickly and effectively respond to any data breaches or security incidents. This includes notifying affected individuals and regulatory authorities as required by law or regulation.
By implementing these security measures, we aim to protect your personal data from unauthorised access, disclosure, alteration, or destruction, ensuring its confidentiality, integrity, and availability.
Changes to the Privacy Notice:
We may update this Privacy Notice periodically to reflect changes in our practices, legal or regulatory requirements, or other factors. The updated Privacy Notice will take effect on the date specified in the relevant notice. We encourage you to review this Privacy Notice regularly to stay informed about how we protect your personal data.
Contact Information for Complaints and Data Subject Rights:
| SMBC Company or Office | Contact Information for Complaints and Data Subject Rights | Applicable Data Protection, Privacy Laws and Regulations |
| --- | --- | --- |
| SMBC Bank International ADGM Branch | | ADGM Data Protection Regulations 2021 and associated rules and guidance |
| SMBC Advisory Services Saudi Arabia | kazutomo_yoshida@sa.smbcgroup.com | Personal Data Protection Law issued by Royal Decree (M/19) dated 19/2/1443 (corresponding to 16/9/2021), as amended by Royal Decree (M/148) dated 5/9/1444 (corresponding to 23/3/2023), and its Implementing Regulations |
| SMBC Bank EU AG Amsterdam Branch | | EU General Data Protection Regulation (2016/679) (GDPR) |
| SMBC Bank EU AG Dublin Branch | | EU General Data Protection Regulation (2016/679) (GDPR) and the Data Protection Act 2018 (Ireland) |
| SMBC Bank EU AG Frankfurt/Düsseldorf | | EU General Data Protection Regulation (2016/679) (GDPR), Bundesdatenschutzgesetz (BDSG), and other applicable local laws |
| SMBC Bank EU AG Paris Branch | | EU General Data Protection Regulation (2016/679) (GDPR) and the Act n°78-17 of 6 January 1978 on information technology, data files and civil liberties |
| SMBC Bank International plc and Sumitomo Mitsui Banking Corporation, London Branch | | EU General Data Protection Regulation (2016/679) (GDPR) and the UK Data Protection Act 2018 |
| SMBC Bank International plc Paris | | EU General Data Protection Regulation (2016/679) (GDPR) and the Act n°78-17 of 6 January 1978 on information technology, data files and civil liberties |
| SMBC EU AG Madrid Branch | | EU General Data Protection Regulation (2016/679) (GDPR) |
| SMBC EU AG Milan Branch | | EU General Data Protection Regulation (2016/679) (GDPR) and the Legislative Decree No. 196 of 30 June 2003, as amended by the Legislative Decree No. 101 of 10 August 2018 |
| SMBC EU AG Prague Branch | | EU General Data Protection Regulation (2016/679) (GDPR) and any applicable data protection law in the Czech Republic |
| SMBC Leasing (UK) Limited and SMBC Leasing (UK) Limited (Niederlassung Frankfurt) | | EU General Data Protection Regulation (2016/679) (GDPR) and the UK Data Protection Act 2018 |
| SMBC Nikko Capital Markets Limited and SMBC Derivative Product Limited | | EU General Data Protection Regulation (2016/679) (GDPR) and the UK Data Protection Act 2018 |
| Sumitomo Mitsui Banking Corporation (DIFC Branch – Dubai) | | DIFC Data Protection Law, DIFC Law No. 5 of 2020 and its associated Regulations |
| Sumitomo Mitsui Banking Corporation (QFC Branch – Qatar) | | QFC Data Protection Regulations 2021, QFC Data Protection Rules 2021, and associated Guidance Notes |
| Sumitomo Mitsui Banking Corporation Brussels Branch | | EU General Data Protection Regulation (2016/679) (GDPR) and any applicable local regulation |
| Sumitomo Mitsui Banking Corporation Düsseldorf Branch | | EU General Data Protection Regulation (2016/679) (GDPR), Bundesdatenschutzgesetz (BDSG, new version), and other applicable local laws |
| Sumitomo Mitsui Banking Corporation, Cairo Representative Office | | Egyptian Personal Data Protection Law No. 151 of 2020 (DPL) |
| Sumitomo Mitsui Banking Corporation, Istanbul Representative Office | | Law on the Protection of Personal Data (KVKK) |
| Sumitomo Mitsui Banking Corporation, Johannesburg Representative Office | SMBCPrivacyOfficeZA@za.smbcgroup.com | South Africa Protection of Personal Information Act, 2013 (POPIA) and the South Africa Promotion of Access to Information Act, 2000 (PAIA) |
| Sumitomo Mitsui Finance Dublin | | EU General Data Protection Regulation (2016/679) (GDPR) and the Data Protection Act 2018 (Ireland) |
10. Key Definitions:
| Term | Definition |
| --- | --- |
| Automated Decision Making | Decisions made by automated means without human involvement, often linked to profiling. |
| DPIA (Data Protection Impact Assessment) | An assessment conducted before any new or proposed processing of personal data that is likely to result in a high risk to the rights and freedoms of Data Subjects (see High Risk Processing). |
| Data Controller | The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. |
| Data Processor | The natural or legal person, public authority, agency, or other body which processes data on behalf of the Data Controller. Although they are often third-party providers, a Data Controller can also be a Data Processor. |
| Data Subject | An individual who is the subject of Personal Data. |
| High Risk Processing | Processing activities that are likely to result in a high risk to the rights and freedoms of individuals, often requiring a DPIA. |
| Large Scale Processing | Processing of Personal Data that involves a large number of Data Subjects, volume of data, or geographic scope. |
| Personal Data / Personally Identifiable Information (PII) | Any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, ID number, location data, or other identifiers. |
| Processing | Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction. |
| Profiling | Any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, preferences, interests, reliability, behaviour, location, or movements. |
| Sensitive Personal Data / Special Category Personal Data / Sensitive Personally Identifiable Information (SPII) | Special Categories of Personal Data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic or biometric data; and records of criminal offences/convictions. |