Privacy notice

1. Who we are
2. The personal information that we process
3. How we get personal information
4. Why we process personal information and on what legal basis
5. Sharing personal information with third parties
6. Transferring personal information internationally
7. Communicating with you
8. How long we keep your personal information
9. Your rights
10. Marketing and other communication
11. Security
12. Cookies and similar technologies
13. Contact us
14. Other terms and conditions
15. Our sites and children
16. California residents
17. Changes to this Privacy Notice

Schedule A – Controllers and Data Protection Authorities

We are NatWest Markets, a member of the NatWest Group. You can find more information about NatWest Group companies (referred to as ‘Affiliates’) in the ‘About Us’ section of our website: www.natwestgroup.com. 

This Privacy Notice:

• applies to all the personal information processing activities we carry out at any of our legal entities and branches (which we’ve identified as ‘Controller Entities’ in the table in Schedule A). From now on we’ll refer to any or all of these as ‘NatWest Markets’, ‘we’, ‘us’ or ‘our’. And when we say ‘you’ or ‘your’ it means a prospective, existing or former customer of NatWest Markets
• explains how we collect and use ‘Personal information’, which means information about an individual that can be used – either by itself or combined with other information – to identify that person
• applies to all interactions with our customers and visitors, including use of our websites, visits to our locations, events, and the like. There’s more detail about this in Section 3 below
• doesn’t apply to third-party websites accessible through our websites.

For individuals, this Privacy Notice applies to our processing of your personal information. 

For companies and organisations, this Privacy Notice applies to our processing of any personal information you provide to us or that we otherwise process in connection with the products and services we provide to you. That includes personal information about your legal representatives, directors, employees, authorised personnel, beneficial owners, trustees, fund managers, partners, other associates, or people exercising control over your company or organisation. In respect of any personal information that you provide to us, please ensure that you:

• have satisfied a statutory ground under data protection law permitting you to disclose or transfer the relevant personal information to us for us to use in accordance with this Privacy Notice
• have notified the relevant individual that you are providing their personal information to us and explained the reasons for this and/or have obtained their consent where required by Applicable Regulations (defined in Section 6 below)
• provide the relevant individual with a copy of this Privacy Notice where required by Applicable Regulations
• promptly notify the relevant individual of any changes to this Privacy Notice that we notify you of, and
• provide personal information that is accurate and up to date, and promptly notify us of any changes.

We might update our Privacy Notice from time to time and, if we do, we’ll communicate the changes to you and publish the updated Privacy Notice at https://www.natwest.com/corporates/your-privacy.html. We encourage you to visit our website regularly for an update about what we use your personal information for and the rights that you have.

We collect and process various categories of personal information throughout your relationship with us. We will limit the collection and processing to information that’s necessary to achieve one or more legitimate purposes outlined in this notice. 

Personal information[1] includes, but isn’t limited to:

• basic personal information, including real name, alias, postal address, email address and phone numbers
• Know Your Customer (KYC) records, such as passport, drivers licence, social security/tax number or other similar identifiers, date and place of birth, Politically Exposed Person (PEP) details and criminal records
• financial information, including account and transactional information and history
• education and employment information, such as your professional background, employer and role
• products and services provided by NatWest Group companies
• visual images and personal appearance (such as copies of identity cards or surveillance camera images)
• online and social media information and activity, based on your interaction with us on our websites, applications and social media profiles, including for example, your Internet Protocol (IP) address, device information, location coordinates, your communications with us and any information or content you’ve visited or downloaded.

We might also process more sensitive categories of information for specific and limited purposes. For example, PEP checks might reveal information that indicates a person’s political opinions. Also, when we organise client events, we might collect personal data about dietary or accessibility requirements that could indicate religious or philosophical beliefs, health details or medical conditions. We’ll only process special categories of information if we have your consent or are lawfully permitted to do so. 

We might use biometric technologies, such as voice or facial recognition, for identification and verification purposes and to help prevent fraud or other crimes. For example, we might use mobile apps that use facial recognition technology as a security control, and telephony systems that use voice recognition.

Where permitted by law, we might process information about criminal convictions or offences and alleged offences for specific and limited activities and purposes, such as carrying out checks to prevent and detect crime and to comply with laws on money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions. This might involve investigating and gathering intelligence on suspected financial crimes, fraud and threats and sharing data between banks and with law enforcement and regulatory bodies.

Your personal information includes anything we collect and hold about you. It includes information:

• you give to us by, for example, filling in forms or communicating with us - face-to-face, by phone, letter, email or other forms of electronic communication
• we gather from your use of our websites, including mobile websites and applications
• we gather when you look at our online advertisements and emails
• we receive from third parties – for example, our Affiliates, your employer, any organisation where you’re an ultimate beneficial owner, your agents or representatives, or third parties who provide services to you or us
• we learn about you through our relationship with you and the way you operate your products and/or services
• we gather from your visits to our locations or attendance at our events
• we gather and learn from your interactions with us through social media, for example LinkedIn, Twitter and YouTube
• we gather from the technology you use to access our services (for example location data from your mobile phone, or an IP address or telephone number) and how you use it (for example pattern recognition)
• we gather from publicly available sources, such as the media (including social media), electoral and company registers and online search engines.

To fulfil our Customer Due Diligence (CDD) or Know Your Customer (KYC) obligations, by confirming and verifying the identity of individual customers (natural persons) and individuals who are the ultimate beneficial owners (UBOs) and representatives of institutional clients. We’re required to screen those individuals’ details against government, supranational bodies (such as the European Union and the United Nations Security Council) and/or law enforcement agency sanctions lists and other legal restrictions.

We are required to identify individual clients and UBOs that are Politically Exposed Persons (PEPs).

We have to complete these activities during the application / onboarding stage for new or prospective customers and on an ongoing basis for existing customers.

Our legal basis for processing: 

The processing is necessary to comply with a legal or regulatory obligation.

This can include:

• laws covering anti-money laundering and the prevention of terrorist funding
• where there’s a statutory basis underpinning a regulatory regime and which requires regulated organisations to comply.

To assess applications for products and services, to obtain and record the necessary account opening documents - including the correct customer contact details - and setting up customers and their employees and representatives with the necessary authorisations and permissions (such as systems access).

Our legal basis for processing: 

For individual customers, the processing is necessary to enter into a contract

For corporate and institutional customers, the processing is necessary for our legitimate interests. We need to collect all the necessary personal data about the employees and representatives.

So that we’re able to provide you with products and services, relationship management, trade execution, statements and other operational communications, as well as resolving any queries and complaints.

Our legal basis for processing [2]:

For individual customers, the processing is necessary to fulfil a contract, or is necessary for our legitimate interests to manage our customer relationships. 

For corporate and institutional customers, the processing is necessary for our legitimate interests. We need to process some personal data about employees and representatives, such as contact information, to manage the customer relationship.

Communicating the following to you:

(1) details of products and services we think might be of interest to you or your business (which might include products and services offered by other NatWest Group companies)

(2) strategy views across FX, credit and economics, as well as sales commentary and trade ideas.

We are data-driven and will analyse data gained from your interactions and engagements with us to gain insights and identify trends. We will use this data to enhance and personalise the communications we send to you. 

We will not share your details with third parties for their direct marketing purposes.

Our legal basis for processing:

The processing is necessary for our legitimate interests, though you can opt out of receiving marketing communications at any time.

So that we can organise and manage events, such as webinars, conference calls and in-person events.

Our legal basis for processing:

The processing is necessary for our legitimate interests, so we can invite individuals to our events, and run those events.

Also:

With the individual’s explicit consent. For in-person events, we might need to ask for information about attendees’ dietary and/or mobility requirements. In some cases this could result in us processing personal information that infers an individual’s religious or philosophical beliefs, health details or medical conditions. This information will only be used to meet those attendees’ requirements during the event, after which it will be deleted.

Conducting market, product, industry or customer satisfaction research, normally by email.

Our legal basis for processing:

The processing is necessary for our legitimate interests – we want to get the views of our customers on how we are performing and how we can improve, and to gather their thoughts and opinions on wider matters.

So that we can comply with our legal and regulatory obligations under applicable law. This includes complying with non-binding codes of practice, guidance, and to assist in law enforcement and investigations by relevant authorities.

Our legal basis for processing:

The processing is necessary for compliance with a legal obligation, including but not limited to trade reporting, tax reporting and market abuse requirements, and other laws relating to financial markets and instruments.

So that we’re able to run our business effectively, including:

• monitoring, maintaining and improving our processes, procedures and technology
• conducting internal investigations, preventing fraud and protecting against illegal activity
• ensuring business continuity and disaster recovery, and responding to incidents 
• ensuring network and information security
• to assess the quality of our client services and to provide staff training
• performing general, financial and regulatory accounting and reporting
• managing and monitoring our properties, including using surveillance cameras, for security and safety purposes
• enabling a proposed sale, reorganisation, transfer, financial arrangement, asset disposal or other transaction relating to our business and/or assets held by our business.

Our legal basis for processing:

The processing is necessary for our legitimate interests, so that we can run our business and serve our customers effectively.

To determine what products and services we can offer and under which terms, to prevent financial crime, and to protect our reputation. 

This might include processing your personal information to:

• carry out checks (in addition to statutory requirements), including adverse media checks
• carry out risk reporting and risk management
• monitor and/or record activities to evidence transactions, trades and instructions.

Our legal basis for processing:

The processing is necessary for our legitimate interests, so that we can manage our risks effectively.

Litigation proceedings such as claims, actions, proceedings (including obtaining legal advice and facilitating dispute resolution), protecting, enforcing or defending our contractual and legal rights and obligations.

Our legal basis for processing:

The processing is necessary for our legitimate interests, so that we can exercise our legal rights.

To fulfil one or more of the purposes set out in this Privacy Notice, your personal information (as listed in Section 2) might be shared with and processed by other NatWest Group companies, including their officers, employees, agents or directors. We might also share your personal information with third parties outside the NatWest Group:

• where we have your (or your agent’s) permission
• where it’s needed to provide a product or service, or to fulfil a request for a service or an application for a product, including financial institutions or intermediaries we deal with to process transactions
• where we are required to by law or by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies around the world, including trade reporting, reporting suspicious activity and complying with production and court orders such as our professional advisors (including lawyers and auditors), business partners, suppliers, agents, independent contractors providing services to support our business
• where it’s needed for a proposed sale, reorganisation, transfer, financial arrangement, asset disposal or other transaction relating to our business and/or assets held by our business
• where permitted by law, where necessary for our legitimate interests or those of a third party, and where it’s consistent with the purposes listed above.

If you are a resident in California, United States, we do not sell or share your personal information, as those terms are defined by the California Consumer Privacy Act (CCPA); we do not use or disclose your sensitive personal information for purposes that are not necessary to provide products and services reasonably expected by an average consumer requesting them, subject to limited exceptions under the CCPA, and; we do not have actual knowledge that we have sold personal information of minors under the age of 16.

We might transfer your personal information to organisations in other countries (including to Affiliates) but only if the organisation we pass it to protects it in the same way we would and in line with regulations which include the rules of any relevant regulatory authority or exchange (such as the UK Financial Conduct Authority (FCA) and the UK Prudential Regulation Authority (PRA) Rules) and any applicable laws, rules, procedures, guidance, codes, standards and regulations (such as accounting rules and anti-money laundering and sanctions legislation) in force from time to time (we’ll refer to these as ‘Applicable Regulations’).

If we need to transfer your personal information across international borders, we will only do so where one or more of these apply:

• the transfer is permitted under the relevant data protection law
• the transfer has been authorised by a relevant data protection authority
• we’ve entered into a contract with the organisation we’re sharing it with (for example, using standard contractual clauses approved by the European Commission) to make sure your personal information is adequately protected
• the transfer is subject to an exemption under the relevant data protection law.

We might contact you using any of the contact details we hold about you. If you change your contact details, you should tell us as soon as you can.

As permitted by applicable law, electronic communications and telephone conversations we have with you will be monitored and/or recorded to evidence transactions, trades and instructions, for training purposes, internal investigations, for legal reasons or to meet Applicable Regulations. We might use these recordings as evidence if there’s a dispute between us and you / the customer you’re associated with. If you want a copy of the personal data that’s held in these recordings you can ask for one, subject to Applicable Regulations (see Section 9).

We carefully manage all of our records, including personal information, to help us serve our customers well and comply with Applicable Regulations. Records help us demonstrate that we’re meeting our responsibilities. They also serve as evidence of our business activities.

Retention periods for records are determined by the type of record, the nature of the activity, product or service, the country we’re located in and Applicable Regulations. We (and our Affiliates) normally keep customer account records for a defined period after your relationship with us ends. Retention periods might change from time-to-time based on business or legal and regulatory requirements.

We might, in exceptional circumstances, retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is so that we can produce records as evidence, if they’re needed.

Depending on where you are located and subject to Applicable Regulations, you might have certain rights relating to the personal information we collect and process about you, including:

• the right to know what we collect (by category and/or the specific pieces of personal information we collect) or process, the categories of sources we’ve collected it from, what we use it for or our business or commercial purposes for collecting or sharing it, the categories of personal information we disclosed for a business purpose, and who we disclose or share it with (including the categories of third parties we share it with) 
• the right to access it
• the right to correct inaccuracies, update it and fill any gaps
• the right to ask us to:
  • delete it, in some circumstances
  • restrict processing it, in some circumstances

We might continue to process your personal information if we are entitled to or are required to retain it

• in some circumstances, the right to receive it in a portable format. You may also ask us to provide it in this format directly to a third party, if technically feasible
• the right to object to its processing
• the right to object to direct marketing, including profiling
• the right to withdraw your consent to its processing, where we rely on consent as our legal basis
• the right to lodge a complaint with the applicable data protection regulator.

Some of the rights above will only apply in some jurisdictions. Where you’re granted privacy rights by Applicable Regulations, some of those rights might not be absolute, in which case exemptions might apply. For example, the right to ask us to delete your personal information is not absolute and can be refused in some circumstances.

If you want to exercise any of your privacy rights, we will not treat you any differently. For example, we won’t give you a different level or quality of products or services. Please note that if you don’t want us to process personal information that we consider necessary to provide certain services or products, it might not be possible for us to carry on providing them to you or your business.

If you want to exercise any of these rights, please refer to Section 13 (Contact us). 

Requests can be made by you or by your authorised representative. We might, in some cases, ask for proof of identity, residency and/or authority. Also, you’ll need to give us enough detail about what it is that you want so that we can review, understand, assess, and respond to it.

We will follow the legal and regulatory data protection requirements that apply in any jurisdiction we’re established in (‘Local Jurisdiction’). If this Privacy Notice conflicts with the data protection requirements in any Local Jurisdiction, the requirements of that Local Jurisdiction will take precedence. We’ve listed our locations and their data protection authorities in Schedule A.

We will respond to all requests as soon as we can and within timescales required in any Local Jurisdiction.

Unless you’ve told us you don’t want to hear from us, we might send you relevant marketing information. This might include details of other products or services – provided by us or by other NatWest Group companies – which we believe might be of interest to you. We might send them to you by post, phone, email and/or other forms of electronic communication.

If you change your mind about receiving this information or how you’d like us to contact you, please tell us at any time by emailing us at SARS@natwestmarkets.com.

We do not sell or share personal information to/with third parties for their own marketing purposes.

We endeavour to keep your personal information safe, and require that any third parties who act on our behalf do so also. If you’d like to know more about the steps we’re taking to protect your information, please visit https://www.natwest.com/business/security.html

We use cookies and similar technologies to record how individuals use our websites and mobile apps. See our cookies policy for more information and to set your preferences.

If you want to exercise your privacy rights, to the extent you have any under applicable law, please email us at SARS@natwestmarkets.com or write to us at either of the postal addresses below:

NatWest Markets Privacy Officer, 1 Spinningfields Square, Manchester, M3 3AP, UK

NatWest Markets N.V. Data Protection Officer, 7th Floor, Claude Debussylaan 94, 1082 MD, Amsterdam, The Netherlands

In the U.S., if you are a resident of California, you can exercise your rights under the California Consumer Privacy Act by contacting us at SARS@natwestmarkets.com, or write to us at:

Privacy Officer, NatWest Markets Securities Inc, 600 Washington Blvd, Stamford, Connecticut, U.S. 06901

If you want to complain about how we’ve handled your personal information, please speak to your usual contact within NatWest Markets or, if you prefer, email the NatWest Markets Privacy Officer or the NatWest Markets N.V. Data Protection Officer. We hope we can address your concerns but, if we don’t, you can contact the relevant data protection authority – see Schedule A for further details.

There might be specific terms and conditions in our agreements with you that govern the collection and use of your personal information. Unless otherwise agreed, these other terms must be read in conjunction with this Privacy Notice.

Our websites and device applications are not created for or directed at children. To our knowledge, we do not collect information online from children under 18. If you are a parent or guardian and think we have information about your child, please email the NatWest Markets Privacy Officer.

If you are a California resident, please see our US Privacy Policy.

From time to time we might change the way we use your personal information. If we make a material change, we’ll let you know and give you at least 30 days to raise any objections before we make the change. However, please note that in some cases, if you don’t agree to the changes we might not be able to carry on providing certain products and services to you or your business.

This privacy notice was last updated on 1 January 2023.