Privacy Notice
Kuwait Finance House PLC – Customers and Website Visitors Privacy Notice
1. Introduction
Kuwait Finance House PLC (collectively referred to as "KFH PLC", "we", "us" or "our" in this Privacy Notice) takes its privacy obligations very seriously and is always committed to protect the privacy and security of your Personal Data.
Where in this Privacy Notice we refer to "our", "us" or "we", we are referring to KFH PLC or, where we specifically flag this to be the case, a group entity of KFH PLC which is acting as a data controller and in each case where that entity is carrying out the processing of Personal Data. Unless otherwise stated, the data controller for the purposes of this notice is KFH PLC.
2. Important Information and Who We Are
Purpose of this Privacy Notice
This Privacy Notice describes how we collect and process your Personal Data in connection with our business and in accordance with relevant applicable laws and regulations where you:
(a) are a prospective, current or former customer (Customers); or
(b) visit our website (regardless of where you visit it from) (Website Visitors).
We also include within the term "Customer" any authorised signatory on a Customer's account, any trustees, executors or attorneys who undertake banking or deal with us on behalf of a Customer, and other related people for example directors, partners, members and trustees of Customers.
It is important that you read this Privacy Notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing Personal Data about you, so that you are fully aware of how and why we are collecting and processing your Personal Data.
Controller
KFH PLC is the data controller responsible for determining the purposes for which and how we collect and process your Personal Data, whether collected directly from you or about you from a third party. In order to do so, we are also required to keep you informed about this Personal Data collection and processing as a key transparency requirement under the UK GDPR.
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice or our data protection practices, please contact our DPO using the following details:
Post: 35 Portman Square, London, W1H 6LR.
Email: kfhplc.dataprotection@kfh.com
3. Personal Data We Collect and Process
Personal Data means any information relating to an identified or identifiable natural person from which that person can be identified either directly or indirectly. It does not include data where the identity has been removed (anonymous data).
We collect, use, store, transfer and process the following Personal Data about you:
| Type of Individual | Types of Personal Data |
|---|---|
| Prospective, current and former Customers |
(a) Contact details including your name, address, email address, telephone number, date of birth and nationality. (b) Identity data including your full name, date of birth, employment status, National Insurance number, address, ID documents, signature and biometric information. (c) Financial data including your income, credit history, savings and assets. (d) Information about your relationship with us including the services or products we provide to you, payment history, transaction records, payments in and out of your account, records of advice provided, and complaint and dispute information. (e) Credit risk assessment information such as credit history, credit risk rating and transactional behaviour. (f) Records of correspondence between us and you, for example via email and call logs, and correspondence with third-party organisations. (g) Regulatory data including anti-money laundering, sanctions, fraud and other due diligence checks, suspicious or unusual activity and information about related parties. (h) Criminal offence data including details of criminal convictions and offences. (i) Marketing information such as services received and marketing preferences. (j) Technical information about your device and cookies such as IP address, technical specifications and cookies used to recognise you and tailor content. |
| Website Visitors |
(a) Usage data including information about how you use our website and services. (b) Technical information includes internet protocol (IP) address, browser type and version, time zone setting and location, geographical location, referral source, entry page, exit page, duration of visit, number of page views, route taken through the website browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website. |
4. How We Collect Your Personal Data
Personal Data you provide to us: This covers the Personal Data that you provide to us when enquiring or corresponding with us (whether via email, telephone or otherwise) or requesting and receiving services or products from KFH PLC. This includes the Personal Data you provide to us when completing forms and contracts we require you to complete to receive services or products from us.
Personal Data we collect from sources other than you: This covers Personal Data that is provided to us, usually electronically, or in some cases via other means by a third party. This includes:
(a) Information you request that we collect for you for example details of accounts with other entities; and
(b) Information we request from third parties for example in relation to credit checking, and the prevention or detection of fraud or other illegal activities.
When you apply for a service or product from KFH PLC, the relevant application form or agreement will set out any further details that are necessary to confirm the Personal Data we may collect and hold about you.
5. How We Will Use Your Personal Data
In accordance with data protection legislation, we ensure that we only use your Personal Data (as described in this Privacy Notice) where we have a lawful basis for doing so. The lawful bases upon which we rely are set out below. Depending upon the circumstances, it is possible that more than one lawful basis can apply to a situation.
(a) Contract: we use your Personal Data to the extent necessary for us to provide the products and services to you on the terms agreed between us. This also covers anything you ask us to do prior to entry into a contract with us, such as processing an application or payment transaction, or providing a quote for a product or service.
(b) Meeting a Legal Obligation: we use your Personal Data where necessary to comply with the legal obligation imposed upon us from time to time under the applicable laws. For example, we process your Personal Data for "Know Your Customer" checks or for tax reporting and monitoring transactions as required to by regulators.
(c) Public interest: we use your Personal Data where we believe it is necessary for the performance of a task in the public interest (for example to prevent and detect crime).
(d) Legitimate Interests: this means that, on balance, we consider that it is necessary to use your Personal Data for our or a third party's legitimate interests. When relying on this lawful basis we are required to balance your interests, rights and freedoms as an individual against the legitimate interest we are trying to pursue. If we can achieve the same result without processing your Personal Data, we will adopt that approach.
(e) Consent: in limited circumstances, we may use your Personal Data where you have provided your consent for us to do so.
6. Situations in Which We Will Use Your Personal Data
We use the Personal Data that you provide to us for the following purposes:
| Type of Individual | Purpose |
|---|---|
| Prospective, current and former Customers |
(a) To provide you with any information, quotes or other requests you make to us, including processing applications for our products and services. (b) To provide our products and services to you and to carry out your instructions (for example to undertake payment requests). (c) To comply with the terms of any agreement we have entered into with you for the provision of our products or services, including our General Terms and Conditions governing Accounts and Services. (d) To provide you with access to online banking, mobile banking and online product platforms. (e) To manage risk and security. (f) To notify you of any changes to our products and/or services. (g) To comply with legal obligations such as "know your customer" checks, tax reporting, credit checks and the prevention or detection of fraud and financial crime. (h) To correspond with intermediaries, other lenders, solicitors and other third parties. (i) To audit or monitor our processes, systems and controls to ensure compliance with laws, rules and regulations. (j) For analytical and statistical purposes to help us improve our business and services. (k) To provide marketing information about services or products similar to those you have already enquired about or consented to receive. |
| Website Visitors |
(a) To administer and protect our business and our website, including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data. (b) To deliver relevant website content and use data analytics to improve our website, services, marketing, customer relationships and experiences. (c) For analytical and statistical purposes to help us improve our business and services. (d) To make suggestions and recommendations about services that may be of interest to you. |
When you request or receive a service or product from KFH PLC, the relevant application form or agreement will set out the Personal Data we will need from you.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate a website visitor's usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Notice.
7. Special Categories of Personal Data and Criminal Offence Data
We may process Special Category Personal Data about you. Special Categories of Personal Data are racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, processing of data concerning health or data concerning a person's sex life or sexual orientation.
We may also process Criminal Offence Data about you. Criminal Offence Data is information that relates to criminal convictions or offences including cautions.
Where we process this type of data about you we will do so if one of the following conditions is met:
(a) where you have provided your consent;
(b) where we need to protect the vital interests (i.e., the health and safety) of you or another person and you are incapable of providing consent;
(c) where you have already made this information public;
(d) where necessary for the purpose of or in connection with any actual or prospective legal proceedings, for obtaining legal advice or for establishing, exercising or defending legal rights;
(e) where necessary for archiving, scientific, historical research or statistical purposes, with appropriate safeguards and in the public interest; and/or
(f) substantial public interest grounds.
We use Special Category Data to ensure services are delivered appropriately and to monitor equality, diversity and inclusion. In the case of certain health information, this will be needed for health and safety purposes and/or to make appropriate adjustments for you when you visit our premises.
To process Special Category Data or Criminal Offence Data, we must have both a lawful basis for the processing and either legal authority or official authority for the processing. We will apply additional security and confidentiality measures when processing your Special Category and Criminal Offence Data.
Where provision of this information is optional, we will make this clear at the point of collection and we will ask for your specific informed consent at the time of collecting this type of data. Where you provide consent for us to process your Personal Data, you have the right to withdraw this consent at any time.
There will be times where we will not need your consent to process (including sharing) this type of data. This will apply where we are permitted or required to do so by law, for example under health and safety laws.
8. Change of Purpose
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to have an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your Personal Data without your knowledge or consent where this is required or permitted by law.
9. If You Fail to Provide Personal Data
If you fail to provide certain Personal Data when requested, we may not be able to perform the agreement we have entered into with you (such as offering you an account), or we may be prevented from complying with our legal obligations (such as "know your customer" checks). This may prevent us from being able to offer, or continue to offer, you the service or product. We will notify you if this is the case.
10. Marketing
We strive to provide you with choices regarding certain Personal Data uses, particularly around marketing and advertising.
Cookies
Please note that KFH PLC does not use cookies for any direct or indirect marketing purposes including digital marketing via third parties. We do not share your Personal Data with any third party except where required for website functionality and support purposes.
Promotional offers from us
We may use your identity and contact details, technical and usage data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products or services and offers may be relevant for you.
You will receive marketing communications from us if you have requested information from us or purchased goods or services from us, and you have not opted out of receiving that marketing.
Third party marketing
We will get your express opt-in consent before we share your Personal Data with any third party for marketing purposes.
Opting Out
You can ask us to stop sending marketing communications at any time by following the optout links within any marketing communications sent to you, or by contacting us using the contact details information set out at section 18.
11. CCTV
We may operate CCTV systems at our premises for the purpose of security and the prevention and detection of crime. For further information about our use of CCTV, please see our CCTV policy available on request.
12. Sharing Your Personal Data
We may share your data with third parties, including third-party service providers and other entities in our group of companies.
We require third parties to respect the security of your data and to treat it in accordance with applicable data protection laws.
We will transfer your Personal Data outside the UK. When we do, you can expect a similar degree of protection in respect of your Personal Data, as afforded in the UK. We will only transfer your Personal Data either to countries that have been deemed to provide an adequate level of protection for your Personal Data, or where we have used specific contracts approved for use in the UK which give Personal Data the same protection it has in the UK.
If you would like further information on the specific mechanism used by us when transferring your Personal Data outside of the UK please contact us using the contact details information set out at section 2.
13. The KFH PLC Group
We share your Personal Data with our group companies including our parent company, based in Bahrain (Kuwait Finance House Bahrain B.S.C (C)) and ultimate parent company based in Kuwait (Kuwait Finance House) who will be acting as data controllers and who will process your Personal Data in accordance with their respective following privacy notices:
We do this to manage our workforce, benefit from centralised IT systems and to allow us access to larger, more sophisticated systems to process and protect your Personal Data. Kuwait Finance House Bahrain B.S C (C) and Kuwait Finance House Group of Companies will process your Personal Data in accordance with the following privacy notices:
(a) Kuwait Finance House Bahrain: available here.
(b) Kuwait Finance House: available here.
In order to ensure your Personal Data is adequately protected in accordance with the UK laws and regulatory requirements, we have put in place with each company EU Standard Contractual Clauses and a UK Data Protection Addendum in line with the guidance from the UK Information Commissioner's Office.
If you require further information about our sharing of your Personal Data, please contact us using the contact details information set out at section 18.
14. Other Third Parties
We share your Personal Data with other third parties in the following circumstances.
Card payments in the UK
Where you have a Visa card with us, we share your Personal Data with Visa Europe Limited to allow payment transactions or ATM withdrawals to take place. In addition, your Personal Data will be processed by the person you are paying (on a payment transaction) or the ATM provider (on a withdrawal). Our agreement with Visa Europe Limited places obligations upon us and Visa Europe Limited to process data in accordance with applicable data protection laws of the relevant jurisdictions.
Card payments outside of the UK
Where you make a payment transaction or use an ATM withdrawal service outside of the UK, we will need to transfer and share your Personal Data to facilitate that payment as necessary.
15. Data Security
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
16. Data Retention
We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
In some circumstances we will anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
17. Your Rights
The UK GDPR gives you certain rights in relation to your Personal Data. In certain circumstances, you have the right to:
Request access to your Personal Data
This is commonly known as a "data subject access request". This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
Request to rectify the Personal Data that we hold about you
This enables you to have any incomplete or inaccurate information we hold about you corrected, although we may need to verify the accuracy of any new data you provide to us;
Request erasure of your Personal Data
This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with applicable laws. Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;
Object to processing of your Personal Data
Where we are relying on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts upon your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes or processing using automated decision making or profiling. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms;
Request the restriction of processing of your Personal Data
This enables you to ask us to suspend the processing of Personal Data about you in the following scenarios:
(a) if you want us to establish its accuracy;
(b) where our use of the data is unlawful because a lawful basis is not met, but you do not want us to erase it;
(c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
(d) you have objected to our use of your Personal Data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your Personal Data to you or to another party
We will provide this in a commonly used format. This right only applies to automated information which you initially provided consent for us to use, or where we used the information to perform a contract with you;
Withdraw consent at any time
In the limited circumstances when we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent or any processing we carry out in reliance on another legal basis. If you withdraw your consent, we may not be able to provide certain products or services to you.
Exercising your rights
If you would like to exercise any of the rights set out above, please contact us as set out in section 2.
Please note that these rights are not absolute and may be subject to conditions or exceptions in certain circumstances. We will advise you of any such conditions or exceptions in the event that they apply to your request.
Applicable laws may allow or require us to refuse to provide you with access to some or all of the Personal Data that we hold about you, or we may have destroyed, erased, or made your Personal Data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your Personal Data, we will inform you of the reasons why.
No fee usually required
You will not have to pay a fee to access your Personal Data (or to exercise any other of your rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, in those circumstances we could refuse to comply with your request.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
18. Complaints
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. Their contact details are below. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
19. Changes to this Privacy Notice and informing us of changes
We keep our privacy notice under review and reserve the right to update it at any time. We may also notify you in other ways from time to time about the processing of your Personal Data. This version was last updated on 20 January 2025.
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.