1. About this Privacy Statement

  • Each member of the CommBank Group collects and handles your personal information in accordance with its legal obligations, including those under the Privacy Act 1988 (Cth).

    The Commonwealth Bank of Australia and its subsidiaries (the CommBank Group) provide or distribute a wide range of banking, finance, insurance, funds management, financial planning and advice, superannuation, stockbroking and other services.

    This Statement describes how your personal information and credit information is collected and handled by the following members of the CommBank Group:

    • the Commonwealth Bank of Australia
    • Commonwealth Securities Limited (CommSec)
    • Commonwealth Private
    • CBA Services Private Limited
    • our international branches in China, Hong Kong, Tokyo (Japan), Singapore, London (United Kingdom), New Zealand and New York (the United States of America)
    • Commonwealth Bank of Australia (Europe) NV.

    If you are located in the European Economic Area or the United Kingdom, or if you are a customer of our China, Hong Kong, Singapore or Tokyo branches, you may have additional rights. See additional rights at the end of this page for more information. 

2. Collection, use and sharing

  • 2a. What information do we collect?

    We collect your personal information directly from you most of the time; however, on occasion we may also collect information about you from other people and organisations.

    We collect personal information when you:

    • enquire about, apply for, or use our products or services
    • contact us to make an enquiry or give us feedback
    • visit our website or use our digital services
    • participate in other activities we offer, such as competitions or surveys
    • talk to us or do business with us.

    While we are required to collect some types of personal information to meet our legal obligations, we do attempt to keep our collection of your personal information to what is necessary to offer you the products and services you require. Depending on those products and services, or your interactions with the members of the CommBank Group, we may collect the following types of personal information:

Types of personal information
What kinds of personal information might be involved
Personal and contact details
This may include your name, address, email address, phone number, and date of birth.
Australian Government related identifiers and identity documents
These may include your:
  • Tax File Number and country of tax residency
  • Medicare card, Australian passport, driver licence, or pension card details
  • Securityholder Reference Number (SRN) or Holder Identification Number (HIN)
  • citizenship, birth, death and marriage certificates (for example, to verify your identity).
Foreign government identifiers and identity documents
This may include foreign government identity documents and identifiers such as:
  • tax identification number and country of tax residency
  • foreign passport and driver licence (for example, to verify your identity at the time you request a product or service).
Financial information
This may include:
  • details of your employment, income, assets, financial liabilities
  • copies of bank statements and credit card statements from other financial institutions
  • information from third parties about your credit history and insurance claims history.
Credit information
See Credit Reporting (Your credit information, Section 4) for the types of credit information that we collect.
Transaction information
This includes information about transactions that you have made using our products and services or in relation to CommBank Group securities. For example, your credit card transactions or ATM (Automatic Teller Machine) withdrawals, or payee details.
Socio-demographic information
This may include your marital status, age, gender, number of dependents, occupation and nationality, for example when you apply for a home loan. 
Interaction information
This includes details of your interactions with us, such as when you visit a branch, call us, use our online services (such as NetBank, CommBiz or CommSec), make an enquiry, provide feedback, or make a complaint.
Digital information
We collect information from you electronically when you use our online services (such as NetBank, CommBiz, CommSec or our CommBank App). This includes information such as:
  • location information (if enabled on your device)
  • IP address
  • information about the electronic devices (computers, mobile phones or tablets) you use to access our platforms and how you use them, including details relating to your devices, their operating systems, browsers, other installed applications and settings
  • details of the wi-fi network or mobile network used by your device
  • type of authentication used (for example touch ID or face ID)
More information about the digital information we collect is available in the Privacy Collection Notice for NetBank and the CommBank app. Importantly, we do not link this information to you unless we need to access these details for fraud or security reasons. Find out more about the types of cookies we use and why.
Behavioural information
This includes information that we generate about how you use our products and services. For example, if you use our banking services, we may generate information about your spending patterns so we can help you manage your money.
Call recordings
On occasion, we monitor and record our calls with you. We will let you know if we are doing this.
Camera surveillance
For the safety of our staff and customers, we use camera surveillance, such as CCTV, to monitor CommBank premises.
Sensitive information
On occasion, we collect and handle sensitive information. This may include:
  • health information (where this is relevant to an insurance policy, claim or if you're in financial difficulty and ask for hardship relief due to illness)
  • race or ethnicity (for example we may ask you what language you speak if you request a translator to communicate with us)
  • criminal history and political affiliation, where it is relevant for our regulatory and/or legal obligations
  • biometric information (such as fingerprints or face), where this information is collected and used for the purpose of automated biometric verification or biometric identification.
 
Information about your personal circumstances
On occasion, we may ask you to provide information about your personal circumstances so we can support you during any financial difficulties. This may include:
  • information about significant life events (such as a relationship breakdown or a death in the family)
  • information about family and domestic violence
  • where you have been impacted by an emergency event or a natural disaster
  • any unexpected changes to your financial situation (such as losing a job or incarceration)
  • details of injury, illness, gambling or addiction.  
Publicly available information
On occasion, we may collect and handle information that is in the public domain, such as from:
  • online forums, websites, Facebook, Twitter, YouTube or other social media (for example, if you use social media to make a complaint)
  • public registers (for example, those kept by the Australian Securities and Investments Commission or Land Registry Services).  

See ‘Who do we share your information with?’ (Collection, use & sharing, Section 2C) for details of third parties we may share information with. 

  

  • 2b. How do we use your information?

    We use your information to deliver our products and services. We also use your information for other reasons, such as to better understand you, your needs, and to let you know about other products and services you might be interested in.

    Here is a list of the ways we may use your personal information. 

Purpose
How we use your personal information
Serving you as a customer
We use your information to deliver our products and services including to:
  • assess and process your applications for products and services
  • administer and manage existing products or services you have with us
  • manage our relationship with you or your business
  • improve our service to you and your experience with us
  • communicate with you or your representatives about our products and services
  • let you know about other products and services that may be of interest to you. 
Improving our business
We use your information to improve the products and services we provide through activities such as:
  • reviewing customer feedback and assessing how you use our products and services
  • testing and validating the effectiveness of products, services and system enhancements
  • monitoring and reviewing call recordings, online chats and other business activity for quality assurance, training and compliance purposes.
Managing our operations
We use your information to manage our operations including to:
  • deliver our products and services
  • make and manage customer payments and transactions
  • manage fees, charges and interest due on your products and services
  • collect and recover money that is owed to us (this may be done through third party debt collectors and debt purchasers)
  • respond to complaints and seek to resolve them
  • manage our share register and security holder records.
Managing security, risk and crime prevention
We use your information to:
  • prevent, detect and investigate suspicious or fraudulent activities
  • use payee details collected as part of transactions to provide additional fraud prevention measures and systems
  • monitor our properties, for example using camera surveillance to ensure the safety of our people and customers
  • investigate health and safety incidents involving our people and customers
  • support the management of our information security and network controls to prevent cyber-attacks, unauthorised access and other criminal or malicious activities.
To comply with our legal obligations
Where required, we use your personal information to comply with the law (including our regulatory obligations), including to:
  • confirm your identity
  • share relevant information with law enforcement agencies, tax authorities and other regulatory bodies
  • screen applications and monitor accounts to identify criminal activity such as fraud, terrorist financing, bribery, corruption and money laundering
  • investigate financial crime.
Managing our business
We use your information to run our business in an efficient and proper way. This includes managing our financial position, business capability and planning, testing systems and processes, as well as managing communications, corporate governance, and audit.
Performing analytics activities
Sometimes we combine information we have about you and our other customers, for example transaction information, with data from other sources, such as third party websites or the Australian Bureau of Statistics. We use this information to:
  • help us understand trends in customer behaviour including how products and services are used
  • improve the products and services we offer
  • improve the quality of our data
  • develop products and services that better meet our customers’ needs and behaviours
  • understand and manage our risks better.
De-identifying information
Sometimes we de-identify your personal information, for example demographic profile information, transaction information, loan and repayment information (including security information), loan application information and savings information that we hold, and use this to:
  • provide insights and analytics services to businesses and government
  • share de-identified information with businesses and government.
These services help businesses to learn about general characteristics of groups of customers, their general spending patterns, as well as spending behaviour and market share. They also help businesses to refine their marketing and targeting strategies. They help to provide economic and social insights, including to government. See an example of how we use data in this way and some of the privacy treatments we use to de-identify personal information.
Sales or acquisitions
We may also use your personal information to support any changes to the ownership of products or services or the make-up of the CommBank Group. For example, we may:
  • sell, transfer, or merge parts of our business, or our assets, including products or services
  • bring other businesses into the CommBank Group
  • stop providing a particular product or service.
When we do this, we may share your personal information with other members of the CommBank Group or other parties involved, where appropriate. 
Determine your eligibility for credit
See Credit Reporting (Your credit information, Section 4) for how we use your credit information.

We may also collect, use and share your information for other reasons where the law allows or requires us to.

Direct marketing

From time to time, we may also use your personal information to tell you about products and services we think may be of interest and value to you, but we will stop if you tell us to.

We may contact you by various means, including by mail, telephone, email, SMS or other electronic means, such as through social media or targeted advertising through CommBank websites or through our online banking services.

If you do not want to receive direct marketing offers from us, you can opt-out by:

  • updating your message preference settings in your online services (such as NetBank, CommBiz or CommSec)
  • contacting us using the details in Further Information, Section 6a.

We may first require you to log into your NetBank account or otherwise identify yourself.

  

  • 2c. Who do we share your information with?

    We may share your information with third parties for the reasons mentioned in How do we use your information? (Collection, use & sharing, Section 2b), or where the law otherwise allows or requires us to.

    The types of third parties are listed below. 

Type of third party
Description
Other members of the CommBank Group
We may share your information between members of the CommBank Group. You can read about how CommBank Group members may use your information in How do we use your information? (Collection, use & sharing, Section 2b).
Authorised Third Parties
We may share information with third parties where you have authorised us to do so or where we are legally required. They include:
  • third parties that you have authorised to act for you (such as accountants, financial counsellors, legal representatives, agents, mortgage brokers, financial advisors, or a person with Power of Attorney)
  • your parent or legal guardian (if you are under 14 years)
  • guarantors and other security providers.
Third Parties that can verify your information
This includes organisations that can verify information that you have supplied when applying for a product or service, or making a claim, including:
  • your employer, to verify your employment status
  • your doctor, to verify your medical history
  • other banks and financial institutions that you may have products and services with.
  • commercially available third party databases
  • credit reporting bodies and credit providers (see Your credit information, Section 4).
Our Service Partners
We may share your information with our service partners, external service providers and other organisations that help us to supply products and services. These include:
  • organisations that we partner with to supply products and services, for example, payment and shopping services, mortgage insurers, loyalty program partners and our product distributors.
  • external service providers that we engage to do some of our work for us, for example mailing houses, debt recovery agencies, legal service providers and information technology, cloud service providers and market research companies.
  • people who help us process applications and claims (like assessors and investigators).
  • organisations involved in our funding arrangements (like loan purchasers, investors, advisers, researchers, trustees and rating agencies).
  • auditors, insurers and re-insurers
  • organisations that assist us to identify, investigate or prevent fraud or other misconduct.
  • our share registry service provider
  • Organisations that provide us with information, including publicly available information, so we can tell you about products and services we think may be of interest and value to you (for example, property insights services). If you do not wish for your information to be used in this way you can tell us by opting out of receiving direct marketing communications (see 2b. Direct Marketing).
 
Strategic Referral Partners
We may share your information with external parties with whom CBA has entered into strategic alliance or referral arrangements to enable you to inquire about the services or products they offer.
A product refers to any offering of features and benefits to a Customer.
This may include products that allow a Customer to:
  • make a financial investment (e.g. a share);
  • borrow money (e.g. credit cards, loans or bonds);
  • save money (e.g. term deposits);
  • manage financial risk (e.g. insurance); or
  • facilitate payments (e.g. BPay, clearing and settlement facilities).     

Other financial services organisations
We may collect and share your information with other banks, third party payment providers, superannuation funds and financial services providers to provide you services, for example to process your transactions, facilitate payment reversals and provide refunds. 
Government and law enforcement agencies
We may share your information with regulatory bodies, government agencies and law enforcement bodies to comply with our legislative or regulatory obligations in any of the jurisdictions where we operate.

Sending information overseas

Sometimes, we may send your information overseas, including to:

  • CommBank Group members that are located in China, India, Hong Kong, Singapore, Japan, the United Kingdom, the Netherlands, New Zealand and the United States of America
  • service providers or third parties who store data or operate outside Australia
  • complete international transactions, such as currency exchanges
  • organisations we partner with to provide products and services
  • comply with laws and help government or law enforcement agencies.

If we do this, we make sure there are appropriate privacy, data handling and security arrangements in place to protect your information.

3. Securing your information

  • 3a. Keeping your information safe

    Our staff are trained in how to keep your information safe and secure. We use secure systems and buildings to hold your information. We aim to only keep your information for as long as we need it.

    We store your hard copy and electronic records in secure buildings and systems or using trusted third parties. We use a range of physical, electronic and other security measures to protect the security, confidentiality and integrity of the personal information we hold about you.

    We aim to keep personal information only for as long as we need it – for example for business or legal reasons. When we no longer need information, we take reasonable steps to destroy or de-identify it.

     

4. Your credit information

  • We collect credit information about you when you apply for or use our credit related products or services. We may also collect credit information about you from credit reporting bodies (such as Equifax).

    What is credit information?

    Credit information is personal information that is about credit that has been provided to you or that you have applied for. This includes credit for personal purposes and credit in connection with a business. It can also cover information about you as a guarantor of a loan or as an insured party under a credit related insurance policy.

    Types of credit-related information we collect, hold and disclose

    We collect credit information directly from you or your representative when you apply for a credit related product or service, like a credit card. We also collect credit information about you from third parties, including credit reporting bodies (such as Equifax) or other credit providers (such as another bank).

    The types of credit information we collect and handle are set out below.

    Identification information

    This includes your name (including any aliases), gender, date of birth, driver licence number, current and most recent past addresses, as well as current and most recent past employers.

    Consumer credit liability information 

    This is information about any accounts that you currently have open or may have had in the past. It includes the type of account, the open and/or close date, as well as the credit limit.

    Repayment history 

    This includes a history of your repayments, including whether you have made payments when due, and if not, when overdue payments have been made.

    Financial Hardship Information

    This includes information about agreed financial hardship arrangements that you may have with us or our credit providers, both temporary and permanent. Financial hardship information will be recorded with the repayment history information.

    Default information

    Details of any defaults or serious credit infringements.

    Public information

    Public record information such as:

    • court judgments
    • directorship and business proprietorship details
    • bankruptcy, debt agreement and personal insolvency.

    Information about credit worthiness

    Information about your credit worthiness such as credit scores, credit risk ratings, summaries and evaluations.

    Why we collect and handle your credit information

    When you apply to us for credit or propose to be a guarantor, we need to know if you’re able to meet repayments under your agreement with us. We also want to avoid giving you further credit if this would put you in financial difficulty.

    We use credit information to:

    • confirm your identity
    • assess your credit applications and your ability to manage credit
    • manage credit provided to you
    • assist you to manage your credit related obligations and to consider any financial hardship requests
    • derive scores, ratings, summaries and evaluations relating to your credit worthiness which are used in our decision-making processes and ongoing reviews
    • help us collect overdue payments
    • share information with credit reporting bodies, where the law permits us to do so.

    How do we hold credit information?

    We keep your credit information with your other information. In some cases, we may need to share some of your information with organisations outside Australia (see Collection, use & sharing, Section 2c).

    More information

    It is important that we hold accurate credit information about you. To access or correct your credit information, please contact us (see Further Information, Section 6a).

    You can also contact us to make an enquiry or complaint about the collection and handling of your credit information.

  • Credit reporting bodies

    If you apply for credit or offer to act as a guarantor, we may collect or share your information with a credit reporting body. This information is used to determine your eligibility for credit.

    Credit reporting bodies include this information in their reports to help other credit providers to assess your credit worthiness (such as when you apply for a credit card or a loan). 

    We can also ask credit reporting bodies to give us your overall credit score and may use credit information from credit reporting bodies together with other information to arrive at our own assessment of your ability to manage credit.

    Direct marketing: Credit providers like us can ask credit reporting bodies to use your credit information to pre-screen you for direct marketing purposes. You can contact the credit reporting bodies if you want to stop your credit information being used for this purpose.  

    Preventing identity fraud: If you think you have been, or could be, a victim of fraud you can ask the credit reporting body not to use or give anyone your credit information.

    We collect from, and share information with, the following credit reporting bodies. For more information about how they handle credit reporting information they hold about you, please visit their websites.

    • Equifax Pty Ltd
    • Experian Australia Credit Services Pty Ltd
    • Illion Australia Pty Ltd

     

5. Accessing your information

  • 5a. Accessing, updating and correcting your information

    You can contact us and ask to view your information. For more detailed information, we may ask you to fill out a request form. If your information isn’t correct or needs updating, let us know straight away.

    How can I access my information?

    You can ask us for a copy of your information, like your statements or transaction history, by visiting a branch, going online (such as NetBank, CommBiz or CommSec) or calling us (see Further Information, Section 6a). To get a copy of the credit information we have about you, you can visit a branch or call us.

    If you would like more detailed information, please fill out the Request for Access to Personal Information Form (PDF).

    How will we handle your request?

    There is no fee to ask for your information, but sometimes we might charge a fee to cover the time we spend gathering the information you want. If there’s a fee, we’ll let you know how much it is likely to be, so you can choose if you want to go ahead.

    We try to make your information available within 30 days after you ask us for it.

    In some cases, we can refuse access or only give you access to certain information. For example, we might not let you see information that involves other people. If we do this, we will write to you explaining our decision.

    Can you correct or update your information?

    It’s important that we have your correct details, such as your current home address, email address and phone number. You can check or update your information at any branch, via your online services (such as NetBank, CommBiz or CommSec) or by calling us (see Further Information, Section 6a).

    If you think your personal or credit information is incorrect, contact us to investigate the issue (see Further Information, Section 6a).

    We’ll try to respond to your request within 30 days. If we can’t, we’ll let you know why it’s taking longer.

    If we don’t think the information needs correcting, we’ll write to let you know why. You can ask us to include a statement with the information that says you believe it is inaccurate, incomplete, misleading or out of date.

6. Further Information

  • 6a. Contact us

    If you need more information, want to access or update your personal information or if you have a privacy concern, please contact us using the contact details below.

    Personal banking

    Message us in the CommBank app or call 13 2221, 8am - 8pm (Sydney/Melbourne time)

    Overseas? Call +61 2 9999 3283

    Business banking

    Call 13 1998 any time

    Overseas? Call +61 2 9009 0593

    CommSec

    Call 13 1519

    Commonwealth Private

    Call 1300 362 081

    Overseas? Call +61 2 9115 1417

    8am - 7pm, Monday - Friday (Sydney/Melbourne time)

    Access for hearing or speech impaired customers

    TTY number: Call 133 677 then ask for 13 2221

    SMS Relay: Text 0423 677 767 (for more info, visit the National Relay Service)

    Voice Relay number: Call 1300 555 727 then ask for 13 2221

    Visit your nearest CommBank branch

    Find a branch

    Contact our international Privacy Officers

    If you’re a customer of our international branches, you can contact us on the details below.

    China 

    The Data Privacy Officer

    Commonwealth Bank of Australia, Shanghai and Beijing Branches

    Mailing Address: RM 43-031 Hang Seng Bank Tower, No. 1000 Lujiazui Ring Road, Pudong, Shanghai.

    Telephone: +86 21 61238900

    Hong Kong

    The Data Privacy Officer

    Commonwealth Bank of Australia, Hong Kong Branch

    Mailing Address: Suite 1401, One Exchange Square, 8 Connaught Place, Central, Hong Kong

    Telephone: +852 2844 7500

    Fax: +852 2845 9194

    Japan (Tokyo)

    The Data Privacy Officer

    Commonwealth Bank of Australia, Tokyo Branch

    Mailing Address: 13F, Muromachi Furukawa Mitsui Bldg 2-3-1, Nihonbashi Muromachi, Chuo-ku, Tokyo 103-0022 Japan

    Telephone: +81 03 5400 7857

    Email: Takao.Uehara@cba.com.au

    Singapore

    The Data Privacy Officer

    Commonwealth Bank of Australia, Singapore Branch

    Mailing Address: 38 Beach Road, #07-11 South Beach Tower, Singapore 189767

    Email: dpo@cba.com.au

    New Zealand

    Group Chief Privacy Officer

    Email: GroupPrivacyOffice@cba.com.au

  • 6b. Making a privacy complaint

    If you have a concern or complaint about how we have handled your personal information (including your credit information), let us know and we’ll try to fix it. If you’re not satisfied with how we respond to your complaint about how we’ve handled your personal information, there are other things you can do.

    How can you make a complaint?

    To make a complaint, contact one of our staff or customer service teams (see Further Information, Section 6a). We’ll look into the issue and try to fix it straight away.

    If you’ve raised your concern with one of our staff and are not satisfied, you can contact our Customer Relations team:

    CBA Group Customer Relations

    Webform

    https://www.commbank.com.au/support/compliments-and-complaints.html

    Phone

    1800 805 605

    +61 2 9687 0756 from overseas

    8am - 6pm, 7 days a week (Sydney/Melbourne time)

    Mail

    Reply Paid 41, Sydney NSW 2001

    If you would like further information on how we handle complaints, please visit our "How we manage complaints" page.

    What else can you do?

    If you’re not satisfied with our response after you’ve been through our internal complaints process, you can lodge a dispute through the Australian Financial Complaints Authority (AFCA), our external dispute resolution provider.

    AFCA provides consumers and small businesses with fair, free and independent dispute resolution for financial complaints.

    Australian Financial Complaints Authority

    Visit: www.afca.org.au

    Email: info@afca.org.au

    Phone: 1800 931 678 (free call)

    Mail: Australian Financial Complaints Authority, GPO Box 3, Melbourne VIC 3001

    You can also contact the Office of the Australian Information Commissioner if your complaint is about your privacy or how we handled your credit information.

    Office of the Australian Information Commissioner

    Visit: oaic.gov.au

    Email: enquiries@oaic.gov.au

    Phone: 1300 363 992

    Mail: GPO Box 5288, Sydney NSW 2001

7. Additional rights

  • Additional rights in Asia

    Customers of our Singapore Branch

    Additional rights for customers of our Singapore Branch are set out in the Singapore Branch Privacy Notice. You may request a copy of this Notice, or further information relating to your rights, by contacting the Singapore Data Privacy Officer (see Further Information, Section 6a).

    Customers of our Tokyo Branch

    Additional rights for customers of our Tokyo Branch are set out in the Commonwealth Bank of Australia, Tokyo Branch Privacy Policy Statement (PDF).

    Customers of our China Branch

    Additional rights for customers whose personal information will be collected, processed, stored, transmitted, disclosed and used by Commonwealth Bank of Australia in China are set out in our China Branch Privacy Notice.

    Customers of our Hong Kong Branch

    Additional rights for customers of our Hong Kong Branch are set out in the Commonwealth Bank of Australia, Hong Kong Branch Privacy Policy Statement (PDF), and the Hong Kong Branch Privacy Notice.

    Additional rights for individuals located in the European Economic Area and United Kingdom

    The European Union (EU) and the United Kingdom (UK) have local data protection laws, such as the EU General Data Protection Regulation (GDPR) and United Kingdom General Data Protection Regulation (UK GDPR), which give more rights to individuals located in the European Economic Area (EEA) and the UK and more obligations to organisations holding their personal information.

    If you are a customer of our UK branch or our bank in the Netherlands, that organisation will be a “controller” of your personal information, which means it is responsible for compliance with the GDPR or UK GDPR as applicable.

    In this Appendix, “personal information” means any information relating to an identified or identifiable natural person.

    Under the GDPR and UK GDPR, personal information must be processed in a lawful, fair and transparent manner. This means we must provide you with more information about how we collect, use, share and store your personal information and information about your rights in data protection law.  We have set out below this information, which is in addition to certain other information provided in the Group Privacy Statement above.

    If you are located in the UK or EEA and have an enquiry relating to your data protection rights, please contact myprivacyrequest@cba.com.au.

    What personal information do we collect?

    For details of what personal information we collect, please refer to Section 2 (Collection, use and sharing) above. 

    If we require certain information for our contract with you or because it is legally required and you do not provide this to us, we may not be able to offer you products or services, or perform our contract with you. 

    Special categories of personal information 

    Personal information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data (for example your fingerprints), or data concerning your health, sex life or sexual orientation is subject to additional requirements.  

    If we process this personal information about you, we will only process this with your consent or where otherwise lawfully permitted.

    How long we keep your personal information

    We will keep your personal information while you are a customer. We keep your personal information for only as long as we need it for the relevant purpose.

    We generally keep your personal information for up to 7 years after you stop being a customer but we may keep your personal information for longer for the following purposes:

    • To fulfil legal or regulatory obligations
    • For internal research and analytics 
    • To respond to a question or complaint

    How we use your personal information

    We can collect and use your personal information for the purposes noted above in Section 2 (Collection, use and sharing).  We must have a valid lawful ground to process your personal information, which may be one of the following lawful grounds: 

    • Contract: We need to process your personal information in order to fulfil a contract you have with us, or because you have asked us to take specific steps before entering into a contract.
    • Legal or regulatory obligations: We need to process your personal information for us to comply with applicable law or regulations (not including contractual obligations).
    • Legitimate interests: We need to process your personal information for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal information which overrides these legitimate interests.
    • Consent: We may (but usually do not) need your consent to use your personal information for a specific purpose.

     

The purposes for which we use your personal information, and the lawful grounds we may rely upon, are as follows:

How we use your personal information – Lawful grounds we may rely upon
Serving you as a customer
  • To perform and fulfil contracts
  • To meet our legal duties
  • For legitimate interests to enable us to perform our obligations and to provide our services to you
Improving our business
  • We have your consent
  • For legitimate interests to improve the products and services we offer, improve the quality of our data, develop products and services that better meet our customers’ needs and behaviours, and understand and manage our risks better
Managing our operations
  • To perform and fulfil contracts
  • To meet our legal duties
  • For legitimate interests to enable us to perform our obligations and to provide our services to you, to manage our risks better, and to run our business in an efficient and proper way
Managing security, risk and crime prevention
  • To meet our legal duties
  • For legitimate interests of fraud prevention and prevention of other crime, ensuring security of our network and systems and legal claims and proceedings
To comply with our legal obligations
  • To meet our legal duties
  • For legitimate interests of compliance with applicable non-UK / non-EU laws
Managing our business
  • To perform and fulfil contracts
  • To meet our legal duties
  • For the legitimate interests to run our business in an efficient and proper way, including managing our financial position, business capability and planning, testing systems and process, as well as managing communications, corporate governance, and audit
Performing analytics activities
  • For legitimate interests to help us understand trends in customer behaviour including how products and services are used, improve the products and services we offer, improve the quality of our data, develop products and services that better meet our customers’ needs and behaviours, and understand and manage our risks better
De-identifying information
  • For legitimate interests to provide insights and analytics services to other organisations, to share de-identified information with other organisations, which help organisations learn about the types of customers they have and their general spending patterns
Sales and acquisitions
  • For legitimate interests to support any changes to the ownership of products or services or the make-up of the CommBank Group
Determine your eligibility for credit
  • To perform and fulfil contracts
  • To meet our legal duties
  • For legitimate interests to enable us to assess your eligibility and affordability prior to potentially issuing credit
To market our goods/services to you
  • We have your consent 

Who do we share your information with?

We may share your personal information with other organisations within our Group or third parties as set out in Section 2 (Collection, use & sharing).

Profiling and automated decision making

We may use systems to make automated decisions (including profiling) based on personal information we have collected from you or obtained from other sources such as credit reporting bodies. These systems can evaluate your personal circumstances and other factors to predict risk or outcomes.

Our credit approval process relies on automated analysis of personal information provided by you in the application process, alongside that received from credit referencing agencies and fraud prevention agencies, to make the following decisions:

  • eligibility – whether it is appropriate to offer you credit or a loan;
  • affordability – the maximum value of the credit or loan (ie, the credit limit); and
  • the term of the credit or loan.

These automated decisions can affect the products or services we offer you. For example, we may decide not to offer all or some of our products or services to you, or we may decide how much to charge you, based on credit history and other financial information about you.

You have certain rights in relation to automated decision making and profiling, which are set out below.  

Sending information outside the UK/EEA

Recipients of your personal information may be located outside the UK or EEA as described in Section 2 (Collection, use & sharing). 

Where we transfer your personal information outside the UK or the EEA, we will ensure that it is transferred in a manner consistent with legal requirements applicable to the information, for example:

  • we may put in place “standard contractual clauses” approved by the European Commission with the recipient, which require them to protect your personal information; or
  • the country to which we send the personal information may be approved by the European Commission or UK; or
  • applicable law may permit us to transfer outside the UK or EEA in other ways, such as to perform a contract with you.

Please contact us if you would like more information about the appropriate safeguards, including a sample copy of the standard contractual clauses, relevant to the transfer of personal information. 

Your rights

You have a number of rights in relation to the personal information that we hold about you, although please note that in some cases, exceptions apply to the exercise of these rights and so you may not be able to exercise them in all situations.

You can exercise your rights by contacting myprivacyrequest@cba.com.au.

The right to be informed how personal information is processed

  • You have the right to be informed how your personal information is being collected and used. 

The right to withdraw your consent if we are relying on it to handle your personal information

  • If we require your consent to process your personal information you can withdraw consent at any time. If you withdraw consent, we may not be able to provide certain products or services to you. The right to withdraw only applies when the lawful basis of processing is consent.

The right of access to personal information

The right to rectification

  • You have the right to question any personal information we have about you that is inaccurate or incomplete. If you do, we will take reasonable steps to check the accuracy and correct it.

The right to erasure

  • You have the right to ask us to delete your personal information if there is no need for us to keep it. You can make the request verbally or in writing. There may be legal or other reasons why we need to keep your personal information and if so we will tell you what these are.

The right to restrict processing

  • You have the right to ask us to restrict our use of your personal information in some circumstances. We may be able to restrict the use of your personal information. In this situation we would not use or share your personal information while it is restricted. This is not an absolute right and only applies in certain circumstances.

The right to data portability

  • In some circumstances you have the right to request we provide you with a copy of the personal information you have provided to us in a format that can be easily reused.

The right to object

  • In some circumstances you have the right to object to us processing your personal information.  

Rights in relation to automated decision making and profiling

  • We may use systems to make automated decisions (including profiling) based on personal information we have collected from you or obtained from other sources such as credit reporting bodies. These automated decisions can affect the products or services we offer you. You can ask that we not make decisions based on an automated score alone, or object to an automated decision and ask that a person review the automated decision.

The right to lodge a complaint with a supervisory authority

  • You have the right to complain to the regulator if you are not happy with the outcome of a complaint.  

See the ‘Regulator Contact Details’ section below for more information.

  • The individual regulator websites will tell you how to report a concern. 

Minors and children’s privacy

For certain services, we will seek parent or guardian consent to collect the details of children under certain ages.

Regulator contact details

The UK data protection authority is:

Information Commissioner’s Office
Wycliffe House
Wilmslow
Cheshire SK9 5AF
UK
Visit: ico.org.uk

The Netherlands Data Protection Authority is:

Autoriteit Persoonsgegevens
Prins Clauslaan 60
PO Box 93374
2509 AJ DEN HAAG / The Hague
Visit: https://autoriteitpersoonsgegevens.nl/nl

For other European jurisdictions please refer to the European Commission website for details of the relevant data protection authorities.

Things you should know

  • Policy updated: 4 September 2024

    During our relationship with you, we may tell you more about how we collect and handle your information – for example, when you fill in an application form or receive product terms and conditions. You should always read these documents carefully.

    Sometimes we update our Statement. You can always find the most up-to-date version on our website.