DATA PROTECTION NOTICE – INDIA
1. Your personal information
Your personal information (such as information that identifies you or can be used to identify you, for example your name, date of birth and contact details) is protected by the Information Technology Act, 2000 (the IT Act) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the Rules). For the purposes of this Data Protection Notice, personal information includes sensitive personal data or information as defined in the IT Act and Rules. This Data Protection Notice explains how we will use your personal information. This includes personal information we obtain from you, your employer or other parties, as well as information about your use of the account, your card and any transactions made with your card (including the date and amount of such transactions) and our communications with you.
For the purposes of the IT Act and Rules, Bank of America, National Association is the data controller in respect of your personal information and references to "we", "us" or "our" in this Data Protection Notice are references to Bank of America, National Association.
2. How we use your personal information
We will process and record your personal information:
- to administer your card and account and provide services to you;
- to facilitate transactions;
- to comply with the rules of any relevant card scheme;
- to carry out, monitor and analyse our business;
- as part of the sale, merger or similar change of our or any Bank of America Corporation business;
- to comply with any laws, rules or regulations (including anti-corruption and bribery laws, anti-terrorism laws and anti-money laundering laws) in any country; and
- to detect, prevent and investigate fraud.
In processing your personal information, we may transfer it outside India to other countries, including countries which may not have equivalent data protection laws to those in India, including the United States of America. We are responsible for making sure that any such transfer is made in compliance with the IT Act and Rules.
Note: To comply with the Prevention of Money Laundering Rules 2005 (as amended), we must collect your Aadhaar information and carry out authentication in accordance with the Aadhaar (Authentication) Regulations 2016 which involves sharing of your Aadhaar and other identity information with the Unique Identification Authority of India (and its authorized representatives). Aadhaar information will be processed or disclosed only in relation to these purposes or any future use mandated by the relevant authority(ies) and/or law. Aadhaar information will be stored and protected in accordance with applicable regulations.
3. Recipients of your personal information
We may disclose your personal information (including details of your transactions) to:
- any person or company working for us (including professional service organisations such as legal, audit and accounting service providers, technology and data processing companies and IT hosting providers);
- any of our group companies, offices or branches;
- your employer or any group company of your employer;
- any person or company that provides products or services to you or your employer in connection your card or account (including International SOS and Mastercard);
- any person to whom we transfer or may transfer any of our rights or duties under the agreement we have with your employer;
- any payment system under which we issue your card or account; and
- any institution, court, agency or authority (including law enforcement authorities) to whom we are required to disclose it by law including, without limitation, anti-terrorism and anti-money laundering laws and regulations, and for the purpose of fighting crime and terrorism.
If you have given false or inaccurate information or we suspect fraud we will record this and may pass this information to fraud prevention and law enforcement agencies.
If any payment in relation to the account is processed through a worldwide payment system, information about you may be passed to certain authorities (including authorities outside India) in order to detect and prevent terrorism.
4. How long we will keep your personal information
We will keep your personal information for no longer than is necessary for the purposes described in this Data Protection Notice or to meet legal and regulatory requirements.
5. Your rights in respect of your personal information
You have certain rights under the IT Act and Rules, including the right to request a copy of the personal information we hold about you and seek the correction of such information and the right to withdraw your consent to the processing of your personal information.
To request a copy of your personal information, please email Global Card Services at firstname.lastname@example.org. The requested information shall be provided free of charge within the limit of one request per year. If you have any questions about this Data Protection Notice, or if you wish to access, update or correct your personal information or withdraw your consent to the processing of your personal information in accordance with this Data Protection Notice, please email Global Card Services at email@example.com. Please note that if you withdraw consent, we may still be permitted to hold and process some of your information as required or permitted by law. Additionally, upon your withdrawal of such consent, we will immediately terminate your card.
DPN India (v5) November 2017