UK & EMEA Privacy Policy

PLEASE READ THIS POLICY CAREFULLY AND REGULARLY CHECK THIS PAGE TO REVIEW ANY CHANGES WE MIGHT HAVE MADE TO THIS POLICY TO REFLECT CHANGES IN LAW OR REGULATION APPLICABLE TO US, OR TO REFLECT CHANGES FROM TIME TO TIME IN RESPECT OF THE WAY IN WHICH WE PROCESS PERSONAL INFORMATION.

This privacy policy (“Policy”) was last updated on 5 January 2023.

This Policy is issued by The Norinchukin Bank, with its registered office at 2-1, Otemachi 1-chome, Chiyoda-ku, Tokyo 100-8155 Japan, for its affiliates, subsidiaries and branch offices in the UK and EMEA. This Policy will only apply to its UK and EMEA affiliates, subsidiaries and branches listed as a Controller in Section 5 (hereafter referred to as “Norinchukin” or “we”, “us” or “our”).

We collect and use certain personal information. For the purposes of data protection laws, we are a Controller of your personal information and are responsible for ensuring that we use your personal information in compliance with data protection laws.

This Policy describes the personal information that we collect and use. This Policy is directed at individuals whose personal information we collect and use in the course of carrying out our business (“you”), and includes the following categories of individuals:

  • Key relationship contacts: This means the individuals who are our business contacts within our corporate customers or potential corporate customers in respect of the trading arrangements, corporate lending, project finance and/or depositor related activities, or individuals who are our business contacts at our suppliers or potential suppliers;
  • Directors and beneficial owners of corporate customers, counterparties and suppliers: This means individuals whose details are checked by us as part of our onboarding and ongoing administration processes, including those checks necessary for the detection and prevention of financial crime, in order for us to meet our legal obligations and regulatory expectations; and
  • Visitors to our offices: This means anyone whose image is captured on CCTV at our premises.

We require that all corporate customers, counterparties and suppliers direct their Personnel to this Policy.

Other defined terms used in this Policy are explained in Section 6 below.

1 Processing your personal information

1.1 The meaning of “personal information”

“Personal information” (which is also referred to as “personal data” under certain data protection laws) means any information relating to an identified or identifiable natural person. This means any individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifiers (for example, IP addresses or MAC addresses – if they can be used to identify you), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. A natural person is distinct from a legal person (i.e. a corporate entity). Put simply, this includes information which either by itself or with other information held by us or available to us, can be used to identify you.

Personal information also includes special categories of personal information (which is also often referred to as “sensitive personal information”). This is information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation (as relevant). In addition, personal information also includes information relating to criminal convictions and previous offences.

1.2 How do we collect your personal information

In the course of carrying out our business we will collect and process personal information about you.

We may collect your personal information from you directly. This is personal information that you provide to us. The nature of our relationship with you will determine what information we ask you to provide.

We may collect your personal information indirectly. For example, we may:

  • collect your personal information from other parties (e.g. if your employer sends us your details or from know your client and anti-money laundering service providers); and/or
  • collect and generate information about you (e.g. information you provide during telephone and electronic communications). We may collect personal information through call recording or the monitoring of other business communications (such as email or chat) or via the screening of data to comply with our legal and regulatory obligations. We may also collect personal information through our use of cookies – for more information on our use of cookies see our cookies policy here.

We may collect your personal information from publicly available sources. For example, where you have chosen to make your personal information public (e.g. contact details of our key relationship contacts from the website pages of corporate customers) or from publicly available databases (e.g. details of directors and beneficial owners may be collected from company registers and work-related social media profiles; information may be collected from registers of politically exposed persons).

1.3 What types of personal information do we collect and use

The types of personal information that we process include:

(a) Key relationship contacts:

  • your full name and job title;
  • your work contact details (which means business postal address at the corporate customer, business e-mail address, employer/business and professional information, job title, telephone and fax numbers);
  • transaction details (e.g. where you are identified on the trade confirmation as the trader or dealer who executed the transaction with us); and
  • any other personal information which you or our corporate customers, counterparties or suppliers may provide to us from time to time (e.g. if you are a signatory to the mandate in place for management of the operational relationship that your employer has with us, your employer will provide us with evidence of your signature and may also provide us with authentication information).

(b) Directors and beneficial owners of corporate customers, counterparties and suppliers:

In addition to the information set out above, as part of our onboarding and ongoing administration processes, we may also process:

  • proof of address and proof of identity documentation, such as copies of passports which include your date of birth, full name, home address and your photographic image, and (should you voluntarily include this information) pages which include details of family members/next of kin contacts. You should be aware that special categories of personal information relating to you, including your racial or ethnic origin, may be identifiable from information provided in your passport – see Section 1.6 below for more information about this;
  • other Government-issued data such as tax identification number(s), visa or other evidence of right to work in a particular jurisdiction, or driving licence number(s); and
  • signatures, photographs or other visual images and personal appearance (as these may appear on the documentation provided to us).

(c) Visitors to our offices:

  • Your facial image and personal appearance as captured on CCTV cameras at our offices.

1.4 How do we use your personal information

Your personal information may be processed by us for the following purposes:

  • to administer our business, including to fulfil our contractual relationships that we have with our corporate customers, counterparties and/or suppliers;
  • to contact you as a representative of your employer in order to review the service we are offering to our corporate customers and counterparties, and to receive feedback on our services and, where relevant, in order to handle any complaints;
  • for the management and audit of our business operations, including carrying out annual external financial audits and third party assurance reviews;
  • for the management of our IT and communications systems and networks, including carrying out security audits;
  • to perform internal audits, compliance controls and other risk management processes including, for example, monitoring of communications for the purposes of detecting, investigating and preventing breaches of policy and criminal offences;
  • for the prevention, detection and investigation of crime, including processing information about a crime or offence and proceedings related thereto;
  • to ensure compliance with our internal compliance requirements, policies and procedures, including any record keeping requirements required by law (including those imposed from time to time by regulators, law enforcement agencies or courts);
  • to comply with our legal and regulatory obligations, including in respect of the prevention of financial crime and, for example, conducting identification and verification checks, and ongoing screening against Government, supranational and law enforcement data and sanctions lists, and against third party collated data in order to identify higher risk relationships;
  • to respond to any data subject requests under data protection laws;
  • to cooperate with law enforcement agencies and Governmental or regulatory bodies under powers and rights imposed by law or as might be necessary to protect the vital interests of any individual;
  • to cooperate with external auditors and other third party bodies who are authorised by law to conduct independent assessments of our business, or parts of our business operations, from time to time;
  • to protect our business information, our premises and our officers and employees at those premises and to know who goes in and out of our premises and who goes into different rooms at our premises (for example, we will use CCTV images of visitors to our premises for this purpose);
  • to protect the health and safety of visitors to our premises, including undertaking health and safety assessments in respect of visitors to our premises; and
  • to establish, exercise and defend our legal rights.

1.5 The lawful basis for our use and processing of your personal information

We are entitled to process your personal information for the purposes set out above because:

(a) The processing is necessary for our legitimate interests (to the extent that on balance such legitimate interest is not overridden by your interests or fundamental rights and freedoms). These interests include:

  • to administer our business, including to fulfil our contractual relationships that we have with our corporate customers, counterparties and/or suppliers. Our core business operations which are relevant to this are as follows: (i) we carry out trading activities with market counterparties; (ii) we conduct lending to corporate borrowers; and (iii) we receive goods and services from our suppliers. The relationship that we have with the organisation for whom you work or at which you are a director or beneficial owner will be in connection with one or more of these;
  • to contact you as a representative of your employer in order to review the service we are offering to our corporate customers and counterparties, and to receive feedback on our services and, where relevant, in order to handle any complaints;
  • for the management and audit of our business operations, including carrying out annual external financial audits and third party assurance reviews;
  • for the management of our IT and communications systems and networks, including carrying out security audits;
  • to perform internal audits, compliance controls and other risk management processes including, for example, monitoring of communications for the purposes of detecting, investigating and preventing breaches of policy and criminal offences;
  • to ensure compliance with our internal compliance requirements, policies and procedures, including any record keeping requirements required by law (including those imposed from time to time by regulators, law enforcement agencies or courts); and
  • to protect our business information, our premises and our officers and employees at those premises and to know who goes in and out of our premises and who goes into different rooms at our premises (for example, we will use CCTV images of visitors to our premises for this purpose).

(b) The processing is necessary for a legal or regulatory obligation with which we have to comply

As the services we provide to our corporate customers and counterparties require us to be authorised and regulated, we may also have to process your personal information to comply with our legal and regulatory obligations.

(c) The processing is necessary for performing our contractual obligations

We may have to process your personal information to fulfil our contractual obligations with you or prior to entering into a contract at your request.

(d) The processing is necessary to establish, exercise or defend our legal rights or for the purpose of legal proceedings

We may have to process your personal information to establish, exercise or defend our legal rights.

(e) The processing is necessary for reasons of substantial public interest or is necessary to protect the vital interests of any individual

In some circumstances, it may also be necessary to process your personal information for reasons of public interest or in order to protect the vital interests of any individual (which could be you yourself or other individuals).

(f) We have obtained your consent

Although we would normally rely on a legal basis set out in (a) to (e) above, in some circumstances (and typically where no other lawful basis applies) we may obtain your prior consent in order to process your personal information. You are not obligated to provide your consent – it is entirely voluntary. If such circumstances were to arise, and your consent was freely given, the lawful basis for our processing of your personal information would be reliance on that consent, but only for the processing in respect of which that consent was given.

1.6 Processing special categories of personal information

We may gather special categories of personal information directly from you or from other sources, for example your ethnicity may be apparent from your passport. We may also collect information about criminal convictions and previous offences, including any actual or suspected fraud, money laundering or other crime(s), as part of our checks, processes and controls for the detection or prevention of financial crime.

In each case, we will process special categories of personal information in a manner that is proportionate to the aim of the processing, and in accordance with suitable measures designed to safeguard your interests and fundamental rights.

1.7 Automated decision-making

We do not carry out any automated individual decision-making using your personal information. As our relationship is with the organisation for whom you work, we are unlikely to make any decisions about you at all, but if we were to make a decision which could have a negative impact on you, any such decision would be made by a human being and not a computer.

1.8 Direct marketing

We do not undertake any direct marketing using your personal information.

2 Disclosure of personal information to third parties

2.1 How we might disclose your personal information to third parties

We may disclose your personal information within the Norinchukin group (for example to Norinchukin Personnel) and to affiliates (including, for example, the provision of loan finance to the organisation for whom you work).

We may also disclose your personal information to other organisations and businesses who provide services to us, for example:

  • back up and server hosting providers, IT software and maintenance providers, mobile telephone management providers, document storage providers and suppliers of other back office functions (such as brokers or dealing platform providers for our trading activities with market counterparties for whom you work or on whose behalf you execute such trades);
  • our legal and other professional advisors (including our auditors and financial advisors), subject to legal (including contractual) confidentiality obligations or duties;
  • Governmental, legal, regulatory or similar authorities, ombudsmen, or Governmental agencies, or those acting on their behalf (including for the purposes of reporting any actual or suspected breaches of applicable law or regulation);
  • any relevant claimant, complainant or other third party enquirer, law enforcement agency, ombudsman, regulatory authority or Court, for the establishment, exercise or defence of our legal rights;
  • any relevant party for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (including for the purposes of safeguarding the vital interests of any individual, such as the prevention of threats to public security);
  • any third party buyers or their professional representatives as part of any restructuring or sale of our business or assets; and/or
  • third party Processors (such as payment service providers).

Although it is extremely unlikely in practice, there may be circumstances in which we are also required to disclose your personal information to anti-fraud services or credit reference agencies as part of our legal obligations, to the extent that your personal information is required to be disclosed as part of a required disclosure relating to the organisation for whom you work.

If we engage a third party Processor to process your personal information, the Processor will be subject to binding contractual obligations which include: (a) an obligation to have in place measures to protect the confidentiality and security of personal information, and (b) an obligation to only process the personal information in accordance with our prior written instructions.

2.2 International transfers of personal information

We may need to transfer your personal information to affiliates and third parties who are located outside of the United Kingdom (UK) and/or European Union (EU) in connection with the purposes described above in this Policy. For example, our business email services are provided in Japan.

When your personal information is processed within the UK or the EU it is protected by the UK GDPR or the EU GDPR (as applicable). Some transfers of your personal information may be to other countries that have different data protection laws, regulations and compliance requirements, and some of these might be to a lower standard than the protection and safeguards provided under the UK GDPR and EU GDPR.

Where we transfer your personal information outside of the UK or EU, we will only do so where:

  • there has been an adequacy decision in respect of the importing country by the European Commission or the UK Government (as applicable);
  • there is an adequate safeguard in place, for example the EU Standard Contractual Clauses and/or the UK International Data Transfer Agreement are in place with the importing entity; or
  • the transfer is otherwise permitted under applicable data protection laws.

3 The steps we take to safeguard your personal information

3.1 Data minimisation and accuracy

We take reasonable steps to ensure that:

  • the personal information that we process is limited to that which we reasonably require in connection with the lawful bases described in Section 1.5; and
  • the personal information that we process is accurate and, where necessary, kept up-to-date.

3.2 Data security

We have implemented appropriate technical and organisational measures, in accordance with applicable law, designed to protect your personal information against:

  • loss or unauthorised disclosure;
  • unauthorised access;
  • alteration; accidental destruction or unlawful destruction; and
  • any other unlawful or unauthorised processing.

3.3 Data retention or storage

We take reasonable steps to ensure that your personal information is only processed for the minimum period necessary. We will store or retain your personal information by applying the following criteria:

  • for as long as we retain an ongoing relationship with you (for example, for as long as you are on the mandate or a key relationship contact for the organisation for whom you work);
  • for as long as is necessary for us to fulfil, or in connection with, any lawful basis described in Section 1.5 (for example, where you are named in or a signatory to a contract between us and the organisation for whom you work, or provide identification or verification information as part of the implementation and ongoing management of that contractual relationship, for as long as we have a legitimate interest in processing the personal information for the purpose of operating our day-to-day business in performance of that contract, or where we have a legal obligation to retain your personal information arising out of the delivery or existence of that contract);
  • for as long as is required by a data retention obligation or data destruction prohibition under applicable law or as expected by our regulators or by other applicable or relevant standards or guidance; and/or
  • for as long as is required under any applicable legal limitation period (for example, the period during which a legal claim could be brought in respect of which your personal information might be relevant). Where a relevant legal claim is brought, we may continue to process your personal information for such additional period as is necessary in connection with that claim.

We shall apply whichever is the greater duration of the above criteria that are applicable to the information in question and the purpose for which it was processed.

4 Your rights

4.1 Rights which may apply

Depending on which: (a) data protection laws apply to the processing of your personal information; and (b) of the lawful bases described in Section 1.5 apply to the processing of your personal information, you may have one or more of the following rights regarding the processing of your personal information.

  • The right to be informed about the processing of your personal information. This Policy fulfils that right;
  • The right to obtain access to any personal information that we hold about you and certain prescribed information about how we process it – this is more commonly known as submitting a “data subject access request” or “DSAR” – the purpose of this right is to enable you to obtain confirmation that your personal information is being processed, access to your personal information, and other supplementary information about how it is processed, all this is to ensure you can be aware of and can verify the lawfulness of the processing;
  • The right to request that we, without undue delay, rectify your personal information if it is inaccurate or incomplete;
  • The right to request that we erase your personal information (also known as the “right to be forgotten”) – this right is not absolute – it applies only in particular circumstances and where it does not apply any request for erasure will be rejected, circumstances when it might apply include where the personal information is no longer necessary in relation to the purpose for which it was originally collected/processed, or where you object to processing and there is no overriding legitimate interest for continuing the processing, if the personal information is unlawfully processed, or if the personal information has to be erased to comply with a legal obligation. Such request will be refused where lawful and permitted under applicable law, for instance where the personal information has to be retained to comply with legal obligations or to exercise or defend legal claims;
  • The right to restrict the processing of your personal information, for instance where you contest it as being inaccurate (until the accuracy is verified); where you consider that the processing is unlawful and where this is the case; and where you request our use of it is restricted; or where we no longer need the personal information;
  • The right to object to processing of your personal information – this right provides individuals with a right to object to (among other things) processing where the lawful basis relied upon is legitimate interests; and
  • The right to lodge complaints with any applicable Data Protection Authority regarding the processing of your personal information by us or on our behalf.

4.2 Rights which apply where consent is the lawful basis for the processing

Although we are unlikely in practice to process your personal information on the basis of your consent, where we do so, you have the right to withdraw, limit or modify your consent.

4.3 Other rights which might apply

Although the following rights are unlikely to apply in practice, because: (a) we do not undertake any direct marketing, profiling or other forms of automated decision making in relation to your personal information; and (b) we do not have a direct business relationship with you, we have set out the additional rights which might apply in some circumstances, for your information:

  • Rights relating to automated decision making about you including profiling (as may be the case) if this has a legal or other significant effect on you as an individual – this right allows individuals in certain circumstances to access certain safeguards against the risk that a potentially damaging decision is taken without human intervention; and
  • The right to data portability in certain circumstances including where the personal information is processed by us based on consent or on a contract and by automated means (as relevant). This is the right to receive personal information in a structured, commonly used and machine-readable format and/or request that we transmit your personal information to a third party where this is technically feasible. Please note that this right is not absolute – it applies in certain circumstances only. This right allows you to obtain and reuse your personal information for your own purposes across different services without hindrance to usability. It is important to understand that this right is different from the right of access (see above) and this means that the types of personal information that you can receive through the right of portability are different to the types of personal information you could receive under the right of access. Under this right you can only receive personal information that you have provided to us (either directly or via a third party) and where the lawful basis for the processing is one of the following: (a) consent (or explicit consent in the case of special category personal information); or (b) necessary for the performance of a contract between you and us (or in order to take steps at your request prior to entering into a contract with us); and the processing is carried out by automated means. In summary this means that you are not able to obtain through the data portability right all of the personal information that you are able to obtain through the right of access.

4.4 Exercise of your rights

To exercise one or more of these rights, please use the contact details provided in Section 5 below.
You can find out more information about your rights by contacting the relevant Data Protection Authority in your jurisdiction.

5 Contact us

If you need or want to contact us about any of the information in this Policy or any other matters relating to our Processing of your personal information, please contact your normal business contact or write to us at the address below, marking your correspondence “UK & EMEA Privacy”.

Controller: The Norinchukin Bank, London Branch
Contact details: 4th Floor, 155 Bishopsgate, London EC2M 3YX

Controller: Norinchukin Bank Europe N.V.
Contact details: Gustav Mahlerlaan 1216, 4th Floor, 1081 LA Amsterdam

6 Defined terms

Controller

the entity that has decision-making ability (whether by itself or jointly with others) over the purposes and means of the processing of the personal information

Data Protection Authority

an independent public authority that is tasked by law with overseeing compliance with data protection laws. In the UK, for example, the Data Protection Authority is the Information Commissioner’s Office, or ICO:
https://ico.org.uk/

EU GDPR

means the General Data Protection Regulation (EU) 2016/679

personal information

has the meaning described in Section 1.1

Personnel

any prospective, current or former employee, officer, worker, contractor, secondee or other personnel of any kind (and whether temporary or permanent, paid or voluntary)

process, processes, processed or processing

any operation or set of operations performed on personal information, including the collection, organisation, structuring, recording, retention or storage, use, alteration, retrieval, disclosure, dissemination, transfer or transmission, restriction, erasure or destruction of personal information

Processor

a person or entity that processes personal information on behalf of the Controller

special categories of personal information

special categories of personal information as described in more detail in Section 1.1

UK GDPR

means the EU GDPR as incorporated into UK law in accordance with the European Union (Withdrawal) Act 2018
