Insurance Privacy Policy

At Tesco Bank, we’re working hard to serve Tesco shoppers a little better every day. Looking after the personal data you share with us is a hugely important part of this. We want you to be confident that your data is safe and secure with us and understand how we use it to offer you a better and more personalised experience.

What this policy covers

We are Tesco Personal Finance plc (trading as Tesco Bank) and Tesco Underwriting Limited and we are part of the Tesco Group. Tesco Bank processes your data for pricing, sales and marketing activities and Tesco Underwriting processes your data for pricing and claims handling activities if you have a car insurance, the driver injury cover and/or upgraded courtesy car cover additional products or a home insurance policy with us. This means that we are responsible for looking after your data and deciding how it is used.

This notice applies if you are an insurance customer and also if you were involved in or were witness to an incident involving someone covered under an insurance policy with us.

We are committed to doing the right thing when it comes to how we collect, use and protect your personal data. That’s why we’ve developed this privacy and cookies policy, which explains:

    • the types of personal data we collect;
    • the reasons we use the data we collect;
    • when we share the personal data within the Tesco Group and with other organisations, for example to help provide our services or to meet our regulatory responsibilities;
    • the rights and choices you have when it comes to your personal data.

    This privacy policy explains how we use data in our insurance products. We have created a separate banking privacy policy which explains how we use data in our banking products.

    If you have other Tesco products or if you have a Clubcard account associated with your Tesco Bank product, Tesco Stores will collect and use personal data to provide you with their products and services. You can read the Tesco privacy policy here.

    Our pet insurance, travel insurance and car and home insurance add on products are provided by our product partners, who act as data controllers in their own right and have their own privacy policies. If you take one of these products out, you will be provided with a privacy notice which explains how our partner uses your data and how you can contact them. Our product partners share your data with us to allow us to develop our products and understand our customers better. Links to our insurance partners’ privacy policies are shown below.

    Personal data we collect

    Personal data is any information about you which can directly or indirectly identify you. This includes your name and address, the transactions on your account and your online browsing data.

    Most of the personal data we collect is essential for us to know so that we can provide our products and services to you. If we ask for personal data that is optional, we will explain this at the time.

      Data we collect from you

      When you apply for a product, we will ask you to provide us with:

      • personal details, including your postal and billing addresses, email address, phone numbers, date of birth and title;
      • information we require to assess your application or keep your financial information up to date, such as your income or financial responsibilities, if you are applying to pay your premium in instalments;
      • proof of your no claims discount from your previous insurer;
      • details of any previous criminal convictions, such as driving offences.

      When you use our website or mobile app or open our emails, we collect:

      • information about your browsing behaviour, including which links you click on;
      • information about any devices you have used to access our website or apps (including the make, model and operating system, IP address, browser type and mobile device identifiers).

      When you contact us or take part in promotions or surveys about our products and services, we collect:

      • information you provide about yourself (for example, your name, username and contact details), including by phone, email or post or when you speak with us through social media or our website;
      • your feedback and contributions to customer surveys or reviews;
      • recordings of calls made to our customer service centre.

      When you make a claim, we collect:

      • information you provide about yourself and your claim over the phone, in writing or through our online claims portal;
      • information provided about others involved in, or witness to, an incident involving one of our insured customers (for example, their name, address, details of their own insurer and injuries sustained).

      Data we collect from others

      We collect personal data from other sources, such as:

      • the wider Tesco Group;
      • credit reference agencies;
      • fraud prevention agencies;
      • insurance industry databases such as the Claims and Underwriting Exchange;
      • if you make a claim, those involved in your claim, such as claimants and witnesses;
      • Government agencies and regulatory bodies including the police, the Driver and Vehicle Licensing Agency, the Department of Work and Pensions and HM Revenue & Customs;
      • publicly available resources, such as the electoral register and the internet.

      We do this so we can make sure the personal data we hold about you is accurate and to perform necessary checks, assess claims, validate the price we are offering and to offer our services to you.

      Further information on the checks we carry out and the third parties we work with can be found here.

        We use this data when we need to:

        • verify your identity and UK residency;
        • assess your creditworthiness if you have applied to pay your premium in instalments;
        • check what terms of cover we should offer;
        • handle and manage any claims;
        • trace and recover debts;
        • prevent criminal activity, such as fraud.

        If you have existing products with Tesco Bank or you have a Clubcard, we sometimes use this information to pre-populate fields in our application forms online. You will be asked to check the information is up to date.

        We also obtain information from price comparison websites to return a quote to them where you have visited the price comparison website and filled out an application for quotes.

          People connected to your products

          If you give us information about other people who will be connected to your applications or products, we will keep a record of their data. You must make sure that you have their permission before you share their data with us or make decisions on their behalf about how we use their data.

          Please make them aware of this privacy policy.

          This includes:

          • anyone insured under your policy;
          • anyone paying your premiums;
          • anyone occupying your home;
          • anyone nominated to act on your behalf, including powers of attorney and others.

          Why we collect your data and our legal basis

          We carefully consider how we use personal data and have internal processes, such as our Data Protection Impact Assessments, which help us to decide how to act fairly and in our customers’ best interests. Where we say that using data is in our “legitimate interests”, we ensure that we are also acting in the general interests of all our customers. We only ever collect, use and share the minimum amount of data necessary to operate our business and serve our customers.

            To make our products available to you

              Why we collect data

              • working out financial and insurance risks by credit scoring;
              • verifying your identity and eligibility for products, and the identities of joint applicants and other insured persons;
              • assessing your creditworthiness or insurance risk;
              • managing your policy, including contacting you by phone, post, email, SMS and via our apps through push notifications (messages that pop up on your device) to give you information about your policy;
              • providing you with quotations and any additional terms of cover and maintaining and updating your policy;
              • providing cover to you under your policy;
              • awarding Clubcard points.

              We use algorithms and computer programs to make decisions about whether you are eligible for a product and what terms we can offer you. You can find out more information here.

                Why we are using the data (legal basis)

                Because we have a contract with you, we have to use your data in this way as a necessary part of that contract.

                Once you no longer have the product, we keep your data for a period of time afterwards as part of our legitimate interests, in case it is needed for a complaint or regulatory enquiry, and to help us to lend responsibly and work out the right price for our insurance products.

                If you want to ask us to review a decision which we have made based on an algorithm, you can ask us any time.

                  To handle and manage any claims

                    Why we collect data

                    We will process your information if you make a claim on your policy, or if you are involved in a claim (for example, as a witness).

                      Why we are using the data (legal basis)

                        If we have a contract with you as a policy holder then we have to use your data in this way to handle claims in accordance with the policy terms. We also need to process data based on our legitimate interests in assessing, investigating and paying claims and in managing the claims process. We may also have a legal or regulatory obligation.

                          To prevent fraud

                              Why we collect data

                              We carry out fraud checks to protect our customers and prevent crime. We use algorithms and computer programs to analyse transactions and data in applications to check for fraud. You can read more about our fraud prevention checks here.

                                Why we are using the data (legal basis)

                                  The law requires us to do this as we have responsibilities to prevent financial crime. We also act in our legitimate interests to protect our business and customers.

                                  If you want to ask us to review a decision which we have made based on an algorithm, you can ask us any time.

                                    To trace and recover debt

                                      Why we collect data

                                      We may access information from third parties such as credit reference agencies to get up to date contact details where we need these to recover money owed to us. If you are ever concerned about paying your debts, please contact us.

                                        Why we are using the data (legal basis)

                                        We act in our legitimate interests as we need to recover money owed to us to enable us to operate our business.

                                          To record calls to our call centres

                                            Why we collect data

                                            We use call recordings to prevent fraud, for staff training and to manage customer complaints.

                                              Why we are using the data (legal basis)

                                              We act in our legitimate interests as call recordings help us to meet our responsibilities to combat fraud, provide good customer service and respond to complaints.

                                                To carry out analysis on our products and understand our customers’ needs

                                                  Why we collect data

                                                    We use algorithms and computer programs to analyse customer data by creating customer segments and scoring. We use customer data from our products, Clubcard data and data from declined applications. We sometimes combine your data with data from our partners to help us in our analysis. This will only happen where those partners have ensured that passing your personal data to us is permitted by data protection laws – this means that they must ensure that you have been informed that your data will be used in this way. When we analyse data as part of our product development, we don’t use it to identify individual customers.

                                                    Analysing customer data allows us to understand our customers better and explore possibilities for how we might serve our customers better and improve our products.

                                                      Why we are using the data (legal basis)

                                                        We act in our legitimate interests as these activities allow us to improve our products and serve our customers better.

                                                          To operate our business

                                                            Why we collect data

                                                            We use customer data when carrying out internal audits and in financial analysis.

                                                              Why we are using the data (legal basis)

                                                                We act in our legitimate interests to monitor the performance of our business and make improvements.

                                                                  To manage and improve our website and apps

                                                                    Why we collect data

                                                                    We use cookies and similar technologies on our website and apps to improve your customer experience. You can switch off non-essential cookies using the toggles. You can find more information in the cookie section.

                                                                      Why we are using the data (legal basis)

                                                                      Essential cookies: We act in our legitimate interests to enable our website to function securely.

                                                                      Non-essential cookies (measurement, experience and advertising): We obtain customer consent. You can change your preferences at any time by visiting manage my cookies.

                                                                        To provide you with marketing

                                                                          Why we collect data

                                                                          We want to ensure that the marketing we send you or show you online is relevant to you. To help us to do this, we:

                                                                          • use your data, including details of which Tesco products you hold, your Clubcard data and your online browsing behaviour to help us better understand you as a customer and provide you with personalised offers and relevant marketing communications (including by email, post, online advertising or at the tills in store). We use algorithms and computer programs to analyse data by creating customer segments and scores which we use to help us select which offers to send you.
                                                                          • measure your responses to marketing communications, which also means we can offer you products and services that better meet your needs.
                                                                          • sometimes combine your data with data from our partners, such as price comparison websites and credit reference agencies. For example, we sometimes get data which tells us when insurance policies are due for renewal and we use credit reference agency data to try to ensure that we don’t advertise credit products to those who might be declined. This will only happen where those partners have ensured that passing your personal data to us is permitted by data protection laws – this means that they must ensure that you have been informed that your data will be used in this way.

                                                                          We use personal data to tailor the adverts we show to you online on Tesco websites, social media sites and other sites that sell advertising space. Personalised adverts show the AdChoices logo.

                                                                            Why we are using the data (legal basis)

                                                                            We act in our legitimate interests. Looking at your browsing behaviour and purchases allows us to personalise our offers and services for you. This helps us give you better and more relevant offers.

                                                                            You can change your marketing choices for email, SMS, post and phone marketing when you register with us and at any time after that. To opt out, just let us know in one of these ways:

                                                                            On emails: by clicking ‘opt out’ or ‘unsubscribe’ (usually at the bottom of the email).

                                                                            By phone: by calling us on one of the numbers for your product(s) here and asking the customer service representative to opt you out of marketing.

                                                                            You also have choices when it comes to online advertising. You can change your online advertising preferences at any time by visiting manage my cookies.

                                                                              We use Clubcard data to give discounts and better offers

                                                                                Why we collect data

                                                                                Clubcard data includes your shopping habits and the types of purchases you or your household make.

                                                                                We use Clubcard data to try to bring you better terms, deals, offers or support than you would get if we didn’t use the data. We do this by looking at the data using algorithms and computer programs to create customer segments and scores. This includes how likely we think you are to pay back money we lend you, how often you use other Tesco products and services, and how you prefer to shop. This helps us to create a number of scores, which we can then use as one of the factors in our automated decision-making process. We also take into account whether or not you are a Clubcard customer or have an existing Tesco Bank product.

                                                                                Clubcard data allows us to give our customers better prices on our insurance products. Discounts and offers will vary from customer to customer, but all Clubcard customers will receive a discount within a range. Clubcard data also enables us to improve the likelihood of us being able to accept a customer’s application for a loan or a credit card.

                                                                                Clubcard is a loyalty scheme and customers trust us to use their Clubcard data to reward them with offers. We only use Clubcard data to give better prices or offers and never to increase insurance prices or decline an application.

                                                                                We use data that you provide, such as your name and address, to find any Clubcards that are linked to your surname and address. That might be your Clubcard, or that of a family member living in the same house as you. When we do this, we aim to use the Clubcard linked to your address which gives you the best terms, deals or offers.

                                                                                  Why we are using the data (legal basis)

                                                                                  This is in our legitimate interests as it allows us to offer better deals to our customers.

                                                                                    We use your banking product data to provide you with discounts and bring you better offers on insurance products

                                                                                      Why we collect data

                                                                                      We use data about how you use your Tesco Bank products to try to bring you insurance discounts. We do this by using algorithms and computer programs to calculate scores to work out how much of a discount we can offer. This works in a similar way to how we use Clubcard data. We do not include transactional information from banking products in these algorithms.

                                                                                      We only use banking data within insurance to give our customers discounts and offers and never to increase prices.

                                                                                        Why we are using the data (legal basis)

                                                                                        This is in our legitimate interests as it allows us to offer better deals to our customers.

                                                                                          Complaints and requests

                                                                                            Why we collect data

                                                                                            We process your data if we need to manage complaints, data subject access requests or legal claims. We also sometimes receive requests from regulators for information which might require us to process and share your data with regulators.

                                                                                              Why we are using the data (legal basis)

                                                                                              When we do this, it is because we are bringing or defending legal claims, or because the law requires us to do this, as we have regulatory responsibilities to manage complaints to support our customers and respond to data subject rights requests and regulatory requests for information.

                                                                                                Sensitive data – helping our vulnerable customers

                                                                                                  Why we collect data

                                                                                                  Sometimes we ask for sensitive or “special category personal data”, such as medical information, to allow us to help vulnerable customers. We only collect the minimum amount of information required.

                                                                                                    Why we are using the data (legal basis)

                                                                                                      Where possible, we will ask for your consent to use this data. Where we have asked for your consent, you can change your mind at any time by contacting us and asking us to stop processing this information.

                                                                                                      Where it is not possible to get your consent (for example if you are not able to give consent), we will only use or share your information where we believe that it is in your best interests and there are substantial public interests in us helping our customers in this way.

                                                                                                      We are also required by law to collect some sensitive data to help our customers as we have responsibilities to support our vulnerable customers.

                                                                                                        Market research

                                                                                                          Why we collect data

                                                                                                          We like to hear your views to help us improve our services, so we may contact you for market research purposes. You will always have the choice about whether to take part in market research.

                                                                                                            Why we are using the data (legal basis)

                                                                                                            This is in our legitimate interests as market research helps us to improve our services to customers.

                                                                                                              Sharing personal data

                                                                                                              In order to provide our products to you, we have to share some of your data with partners we work with. Whenever we share data, we only share the minimum amount necessary to operate our business and provide our products. We don’t share data with others for their marketing purposes.

                                                                                                              In some cases, we need to share your data with our partners because they provide a service which we do not provide. In other cases, we have to share your data to prevent fraud and financial crime or to ensure that we are lending responsibly.

                                                                                                              We share the personal data we collect with other companies in the Tesco Group for customer services across Tesco. For example, we share some personal data with Tesco Stores in connection with the operation of Clubcard accounts so that Tesco Bank customers receive Clubcard points where these are collected as part of the Tesco Bank product. We don’t share all of your banking or insurance data with Tesco Stores and only share the minimum amount of data they need.

                                                                                                                Summary of data sharing

                                                                                                                We share data with:

                                                                                                                • our service providers and product partners to allow them to provide their services to you and us (including those who provide funding, debt management, administration, fraud and financial crime detection and professional services);
                                                                                                                • anyone you nominate to act on your behalf;
                                                                                                                • regulatory bodies and authorities where we have to do this to meet our regulatory responsibilities, and agencies who act on their behalf, such as market research companies where the regulators are checking customer views;
                                                                                                                • credit reference agencies and fraud and financial crime prevention agencies for the reasons set out in this policy;
                                                                                                                • other companies if we are considering transferring the contract we have with you to them (for example, where we are selling accounts or debts). You will be informed if your contract is transferred;
                                                                                                                • our market research agencies to contact you with relevant surveys;
                                                                                                                • other banks and insurers to detect and prevent fraud and financial crime and to meet our regulatory responsibilities;
                                                                                                                • the Claims and Underwriting Exchange (CUE) and other similar organisations;
                                                                                                                • other insurers or reinsurers for claim administration purposes;
                                                                                                                • for motor insurance, with the Motor Insurance Database;
                                                                                                                • Dunnhumby (a global data science company which is part of the Tesco Group) and selected universities, for academic research projects.

                                                                                                                Sharing your information for academic research purposes

                                                                                                                We may share your information with Dunnhumby and selected universities for academic research purposes. When we do this, we only share the minimum amount of information necessary.

                                                                                                                Information will be used by the selected university for specific academic research purposes only and any information in the output will be in an aggregated/non identifiable format. Dunnhumby will use this output to improve the data science behind its products. (Dunnhumby will process this data as a controller, and on the basis of its legitimate interest to improve its data science).

                                                                                                                For more information on how Dunnhumby uses your data, or to exercise your rights, you can email Dunnhumby at individualrights@dunnhumby.com (we have listed your rights in the section “Your Rights”). You can also ask us or Dunnhumby which university is using your data for academic research.

                                                                                                                  Transferring data overseas

                                                                                                                  Sometimes we send your personal data to another country, for example if one of our service providers has a data centre overseas. Before sending your personal data to an overseas country outside the UK or the European Economic Area, we check that the organisation we are sending the data to will be able to keep your data secure. Certain countries are listed as having adequate protection by the Government. We check if the country is listed. If it is not, we ask the organisation to sign standard contractual clauses. This means they must meet UK standards of data protection. A copy of this type of contract can be found here.

When your personal data is in another country, it could be accessed by law enforcement agencies in those countries. They do this to detect and prevent crime, or because the law says they must. For more information about sending your personal data overseas, you can contact our Data Protection Officer.

                                                                                                                    How long we use personal data for

                                                                                                                    At Tesco Bank, in most cases we keep your personal data for seven years after the end of your relationship with us. We keep data in case of complaints and for analysis to help us develop our products. When we use data for analysis, we do not use it to identify individual customers. In some cases, we keep personal data for longer than seven years, for example where it is needed for an ongoing investigation or legal proceedings. We only keep the data that we need, and we delete or anonymise it as soon as we can.

                                                                                                                    At Tesco Underwriting, in most cases we keep claims records and associated policy records for up to ten years from settlement. If the claim involves personal injury, there may be circumstances where we keep your personal data for up to 21 years from settlement, or up to 25 years for a subsidence claim. We keep claims records so that we can meet our legal, regulatory, tax or accounting obligations. We will also retain claims records if there is a reasonable prospect of litigation.

                                                                                                                    Generally with policy records, at Tesco Underwriting we keep your personal data once your insurance policies have lapsed for up to ten years. Beyond ten years, we will keep minimised or anonymised information for statistical analysis e.g. for pricing and risk modelling purposes, to understand events that occur infrequently, such as weather, subsidence, injury and liability claims. We may also retain information in an aggregated form to allow us to develop and improve our products and services.

                                                                                                                    We keep insurance quote data for up to three years. We do this to develop our products and to protect you and us against fraud and financial crime. We use this data if you apply for a product again in the future, for example as part of our fraud checks.

                                                                                                                    We keep marketing records for three years after your last activity with us.

                                                                                                                      Checks with credit reference agencies, fraud prevention agencies and insurance databases

                                                                                                                      Before we can provide you with insurance or settle a claim, we may need to get data about you and anyone else covered under your policy from third parties such as credit reference agencies, fraud and financial crime prevention agencies, and other agencies that have been set up for that purpose.

                                                                                                                      The information they give us can include publicly available information, information from the electoral register, and other information they have derived from previous searches.

                                                                                                                      When we contact these agencies, they may make a record that we have asked for information. This will not affect your credit rating, unless you are applying to pay for your premium in instalments when a full credit check may be done.

                                                                                                                      We may also perform checks on you, all those named on the policy such as additional drivers, those living in your home, or co-insureds and joint policyholders, with other organisations such as:

                                                                                                                      We share information you have given to us so we can check it is correct, and to help detect and prevent crime, including fraud and money laundering. The times when we do this are:

                                                                                                                      • when you apply for insurance (or a subsequent variation to cover);
                                                                                                                      • while maintaining your policy;
                                                                                                                      • when renewing your policy;
                                                                                                                      • when you make a claim.

                                                                                                                      We research, collect and use data from publicly available sources. We do this to help detect and prevent fraud and other forms of financial crime. If you are not sure what information you have made available to the public on social media, we recommend that you visit the privacy settings on each of your social media accounts.

                                                                                                                      We, and fraud and financial crime prevention agencies, may also allow law enforcement agencies to access and use the personal data we know about you. They do this where they believe that it is absolutely necessary to detect, investigate and prevent crime.

                                                                                                                      If you give inaccurate details, we suspect fraud or other financial crime, or we suspect that you do not have the right to UK residency, we will share this information with the organisations we’ve mentioned. They may use and allow others to use this information when making decisions about you and others in your household. This may include decisions about whether to offer you insurance, as well as other decisions about detecting crime.

                                                                                                                      It is a condition of your policy that you tell us about any incidents. When you tell us about an incident, we will pass this information on to the registers mentioned above.

                                                                                                                        Driver and Vehicle Licensing Agency (DVLA)

We provide your driving licence number (DLN), or that of any person included on the proposal, to the DVLA.

                                                                                                                        We do this to:

                                                                                                                        • confirm licence status;
                                                                                                                        • check entitlement and relevant restriction information;
                                                                                                                        • check endorsement/conviction data.

                                                                                                                        We carry out searches with the DVLA before and at any point during the term of your insurance policy, including any mid-term adjustment and renewal stage.

                                                                                                                        For details relating to information held about you by the DVLA please visit www.dvla.gov.uk

                                                                                                                          Motor Insurance Database

Data about your insurance policy will be added to the Motor Insurance Database (MID), which is managed by the Motor Insurers’ Bureau (MIB). The MID and the information stored on it may be used by certain statutory and/or authorised bodies including the Police, the DVLA, the Insurance Fraud Bureau and other bodies permitted by law for purposes not limited to but including:

• electronic licensing;
• continuous insurance enforcement;
• law enforcement (prevention, detection, apprehension and/or prosecution of offenders);
• providing government services and/or other services aimed at reducing the level and incidence of uninsured driving.

                                                                                                                          If you are involved in a road traffic accident (either in the UK, the EEA or certain other territories), the insurers and/or the MID may search the MID to obtain relevant information.

                                                                                                                          If you, or someone on your behalf, is making a claim following a road traffic accident against anyone covered on your policy, you can also use the Motor Insurance Database to get relevant information to help you.

                                                                                                                          It is vital that the Motor Insurance Database holds your correct registration number. If it is incorrectly shown on the MID you are at risk of having your vehicle seized by the Police.

                                                                                                                          You can find out more about the MID at www.mib.org.uk. You can check they have your correct registration number details on their website at www.askmid.com

                                                                                                                            Cifas

                                                                                                                            Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

                                                                                                                            The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

                                                                                                                            Details of the personal data that will be processed include, for example: name, address, date of birth, contact details, claims history, financial information, employment details, device identifiers including IP address and vehicle details.

                                                                                                                            We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested. Cifas has published its assessment of the legitimate interests in relation to the National Fraud Database.

                                                                                                                            Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making.

                                                                                                                            If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to "international frameworks" intended to enable secure data sharing. Cifas has published more information about data transfers.

                                                                                                                              What credit decisioning is, and how it works

                                                                                                                              If you apply to pay your premium in instalments, Tesco Bank will assess whether you can afford to make the repayments. Credit decisioning, which involves credit scoring and checking if you are able to afford the lending, is a way of working out how likely we think it is that you will pay back the money we lend you. Your credit score, which is part of your assessment, is worked out automatically by a computer. It takes into account different factors, such as the amount of debt you currently have, how you have paid off debts in the past and data from your Clubcard if it can be used to improve your credit score. Credit decisioning and credit scoring are important steps in making sure we are lending responsibly.

                                                                                                                              We use four main sources of data when working out your credit score:

• the personal data you give us in your application;
• data we get from third parties, such as credit reference agencies;
• data we already know about you in connection with other Tesco products, including Clubcard transactions. Clubcard transactions are only used to improve your score.

When we carry out credit checks

                                                                                                                              When we are deciding whether you can pay your premium in instalments, we will perform a credit check with credit reference agencies. You will be told when this is about to happen and will be asked to agree. We will give your personal data to the credit reference agencies and they will give us data about you. This will include data from your application about your financial situation and financial history.

                                                                                                                              When we are deciding whether you can pay your premium we don’t share data on other products, such as savings accounts, with credit reference agencies, but we access data from credit reference agencies to perform identity checks.

                                                                                                                              Credit reference agencies will give us data that is public, such as information from the electoral register, as well as specific information they know, such as shared credit, financial situation and financial history information, and fraud prevention information which other lenders have shared with them.

                                                                                                                                What we do with data from credit reference agencies

                                                                                                                                We use data from credit reference agencies to:

                                                                                                                                • assess your creditworthiness and whether we think you can afford to take the product;
                                                                                                                                • check the personal data you have given us is accurate;
                                                                                                                                • prevent criminal activity, fraud and money laundering;
                                                                                                                                • help to manage and make decisions about your account(s);
                                                                                                                                • trace and recover debts;
                                                                                                                                • make sure any offers we make to you are appropriate to your circumstances.

                                                                                                                                The three main credit reference agencies are TransUnion, Equifax and Experian.

                                                                                                                                To learn more about what they do, what data they hold, and what your rights are, go to www.transunion.co.uk/crain, www.equifax.co.uk/crain or www.experian.co.uk/crain

                                                                                                                                  Your rights and how to contact us

                                                                                                                                  If you’d like to exercise your data subject rights, or have any questions or concerns about how we use your data, you can contact us:

                                                                                                                                  By post: The Data Protection Officer, Tesco Bank, PO BOX 27009, Glasgow, G2 9EZ

                                                                                                                                  By phone: by calling us on one of the numbers for your product(s) here

                                                                                                                                  By email: DataProtectionOffice@tescobank.com

                                                                                                                                  Our Data Protection Officer supports us in answering any questions and acts as a point of escalation.

                                                                                                                                  We’d like the chance to resolve any complaints you have, but you also have the right to complain to the Information Commissioner’s Office (the "ICO") about how we have used your personal data. Their website is https://ico.org.uk/your-data-matters/raising-concerns/

You have a number of data subject rights, which you can exercise at any time. In some cases, these rights have limitations, but we will always respond within one calendar month. If we cannot meet your request, we will explain why. We may get in touch sooner if we need extra information to help us find your personal data, or to verify your identity.

                                                                                                                                    1. Right of access

                                                                                                                                    You have the right to see the personal data we hold about you. This is called a Subject Access Request. If you make a Subject Access Request, we will send you a copy of the personal data that you would like to see. There are a few exceptions where we might not be able to provide the information, such as where it includes personal data about others. Please use the subject access request form to make your request.

                                                                                                                                      2. Right to have inaccurate data corrected

                                                                                                                                      If you believe we hold inaccurate or missing data, please let us know and we will correct it.

                                                                                                                                        3. Right to restrict us using or request erasure of the personal data we hold about you

If you want us to stop or restrict our use of your personal data, or you want us to erase it entirely, please let us know. There are times when we may not be able to do this – for example, if the data is related to a contract between us, or if the law says we need to keep your personal data for a certain amount of time.

                                                                                                                                        You can also ask us to stop using your personal data for direct marketing purposes and you can opt out of marketing at any time:

                                                                                                                                        On emails: by clicking ‘opt out’ or ‘unsubscribe’ (usually at the bottom of the email).

                                                                                                                                        By phone: by calling us on one of the numbers for your product(s) here and asking the customer service representative to opt you out of marketing.

                                                                                                                                          4. Right to data portability

                                                                                                                                          You can ask us to transfer your personal data in an electronic format to you, or to another organisation (for example, another bank or insurer).

                                                                                                                                            5. Right to human intervention in automated decision making

                                                                                                                                            An automated decision is one that is made by our systems rather than by a person. The benefit of automated decision making is that we can quickly make key decisions.

                                                                                                                                            We also use automated decision making:

                                                                                                                                            • to make decisions about whether to lend you credit;
                                                                                                                                            • in our financial crime checks;
                                                                                                                                            • to calculate insurance prices.

                                                                                                                                            Automated decision-making helps us to decide things like how likely it is that you will pay back the money we lend. It takes into account factors such as the amount of debt someone has, and how they have paid off debts in the past. It also helps us and our insurance partners to work out how likely you might be to make a claim on an insurance policy and what insurance price we can therefore offer you.

                                                                                                                                            You have the right to:

                                                                                                                                            • express your concerns and object to a decision taken by purely automated means; and
                                                                                                                                            • request that a person reviews that decision.

                                                                                                                                            If you would like us to review a decision we have made about you, such as declining an application, please let us know.

                                                                                                                                              6. You have the right to withdraw your consent at any time

                                                                                                                                              Sometimes we need your consent to process your personal data. If you have given consent, you can change your mind and withdraw it by contacting us.

                                                                                                                                                Changes to this privacy policy

                                                                                                                                                This privacy policy will be reviewed and updated from time to time. We will contact you if there are any important changes which impact how we use your personal data. If we need to give you the opportunity to opt out, we will give you time to do this before we make any changes to the way we use your personal data.

                                                                                                                                                Last updated: May 2021