Help & support
Customers of our Singapore Branch
Additional rights for customers of our Singapore Branch are set out in the Singapore Branch Privacy Notice. You may request a copy of this Notice, or further information relating to your rights, by contacting the Singapore Data Privacy Officer (see We’re here to help, Section 6a).
Customers of our Tokyo Branch
Customers of our China Branch
Additional rights for customers whose personal information will be collected, processed, stored, transmitted, disclosed and used by Commonwealth Bank of Australia in China is set out in our China Branch Privacy Notice. You may request a copy of this Notice, or further information relating to your rights, by contacting the China Data Privacy Officer (see We’re here to help, Section 6a).
Customers of our Hong Kong Branch
The European Union (EU) and the United Kingdom (UK) have local data protection laws, such as the EU General Data Protection Regulation (GDPR) and United Kingdom General Data Protection Regulation (UK GDPR), which give more rights to individuals located in the European Economic Area (EEA) and the UK and more obligations to organisations holding their personal information.
If you are a customer of our UK branch or our bank in Netherlands, that organisation will be a “controller” of your personal information, which means it is responsible for compliance with the GDPR or UK GDPR as applicable.
In this Appendix, “personal information” means any information relating to an identified or identifiable natural person.
Under the GDPR and UK GDPR, personal information must be processed in a lawful, fair and transparent manner. This means we must provide you with more information about how we collect, use, share and store your personal information and information about your rights in data protection law. We have set out below this information, which is in addition to certain other information provided in the Group Privacy Statement above.
If you are located in the UK or EEA and have an enquiry relating to your data protection rights, please contact firstname.lastname@example.org.
For details of what personal information we collect, please refer to Section 2 (Collection, use and sharing) above.
If we require certain information for our contract with you or because it is legally required and you do not provide this to us, we may not be able to offer you products or services, or perform our contract with you.
Special categories of personal information
Personal information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data (for example your fingerprints), or data concerning your health, sex life or sexual orientation is subject to additional requirements.
If we process this personal information about you, we will only process this with your consent or where otherwise lawfully permitted.
How long we keep your personal information
We will keep your personal information while you are a customer. We keep your personal information for only as long as we need it for the relevant purpose.
We generally keep your personal information for up to 7 years after you stop being a customer but we may keep your personal information for longer for the following purposes:
We can collect and use your personal information for the purposes noted above in Section 2 (Collection, use and sharing). We must have a valid lawful ground to process your personal information, which may be one of the following lawful grounds:
The purposes for which we use your personal information, lawful grounds we may rely upon are as follows:
Who do we share your information with?
We may share your personal information with other organisations within our Group or third parties as set out in Section 2 (Collection, use & sharing).
Profiling and automated decision making
We may use systems to make automated decisions (including profiling) based on personal information we have collected from you or obtained from other sources such as credit reporting bodies. These systems can evaluate your personal circumstances and other factors to predict risk or outcomes.
Our credit approval process relies on automated analysis of personal information provided by you in the application process, alongside that received from credit referencing agencies and fraud prevention agencies, to make the following decisions:
These automated decisions can affect the products or services we offer you. For example, we may decide not to offer all or some our products or services to you, or we may decide how much to charge you, based on credit history and other financial information about you.
You have certain rights in relation to automated decision making and profiling, which are set out below.
Sending information outside the UK/EEA
Recipients of your personal information may be located outside the UK or EEA as described in Section 2 (Collection, use & sharing).
Where we transfer your personal information outside the UK or the EEA, we will ensure that it is transferred in a manner consistent with legal requirements applicable to the information, for example:
Please contact us if you would like more information about the appropriate safeguards, including a sample copy of the standard contractual clauses, relevant to the transfer of personal information.
You have a number of rights in relation to the personal information that we hold about you, although please note that in some cases, exceptions apply to the exercise of these rights and so you may not be able to exercise them in all situations.
You can exercise your rights by contacting email@example.com.
The right to be informed how personal information is processed
The right to withdraw your consent if we are relying on it to handle your personal information
The right of access to personal information
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
The right to lodge a complaint with a supervisory authority
See the ‘Regulator Contact Details’ section below for more information.
Minors and children’s privacy
For certain services, we will seek parent or guardian consent to collect the details of children under certain ages.
Regulator contact details
The UK data protection authority is:
Information Commissioner’s Office
Cheshire SK9 5AF
The Netherlands Data Protection Authority is:
Prins Causlaan 60
PO Box 93374
2509 AJ DEN HAAG / The Hague
For other European jurisdictions please refer to the European Commission website for details of the relevant data protection authorities.
Policy updated: 20 November 2023
During our relationship with you, we may tell you more about how we collect and handle your information – for example, when you fill in an application form or receive product terms and conditions. You should always read these documents carefully.
Sometimes we update our Statement. You can always find the most up-to-date version on our website.