LAST UPDATED: 22 March 2018
BAML Commercial Card Privacy Notice
This Privacy Notice explains how Bank of America Merrill Lynch entities collect, use and disclose personal data online and offline in connection with the provision of commercial cards, commercial payments and reporting services we provide to our corporate and institutional clients (“Services”). We refer to the individuals whose Personal Data we process, such as cardholders, travelers and individuals who work for our clients, as “you” in this Notice.
"Personal Data" is information that identifies an individual or relates to an identifiable individual, including:
- Postal address
- Telephone number
- Email address
- Date of Birth
- Passport Details and other government or state issued forms of personal identification (including social security, driver’s license, national insurance and other identifying numbers)
- Mother’s maiden name
- Bank account details
- Employee Identifier
- Device Identifier
- Telephone or electronic recordings
- IP Address
We may need to collect and process Personal Data in order to provide the requested Services, or because we are legally required to do so. If we do not receive the information that we request, we may not be able to provide the requested Services.
Collection of Personal Data
We and our agents, affiliates and service providers may collect Personal Data in a variety of ways, including:
- Through the Services: We may collect Personal Data through the Services.
- Offline: We may collect Personal Data from you offline, such as when you participate in a transaction or contractual arrangement.
- From Other Sources: We may receive Personal Data from other sources, such as from your employer, from the entity we provide the Services to and from other third parties.
Use of Personal Data
We and our service providers may use Personal Data for our legitimate business interests, including the following:
- to administer your card or our client’s card programme, and provide services to you or our client;
- to facilitate transactions;
- to comply with the rules of any relevant card scheme;
- to respond to inquiries and fulfill requests from our clients, administer their account(s) and manage our relationships;
- to verify an individual’s identity and/or location (or the identity or location of your representative or agent) in order to allow access to client accounts, or conduct online transactions;
- to protect the security of accounts and Personal Information;
- for business purposes, including data analysis, audits, developing and improving products and services, identifying usage trends and determining the effectiveness of promotional campaigns, and enhancing, improving or modifying our Services;
- for risk management, for fraud detection and prevention, including know your customer, anti-money laundering, due diligence requirements, compliance with sanction rules, fraud monitoring, and tax reporting;
- to comply with laws and regulations (including any legal or regulatory guidance, codes or opinions), and to comply with other legal process and law enforcement requirements; and
- to send administrative information to clients, such as changes to our terms, conditions and policies.
Disclosure of Personal Data
Personal Data may be disclosed to:
- any person or company working for us (including professional service organisations such as legal, audit and accounting service providers, technology and data processing companies and IT hosting providers);
- your employer or any group of companies of your employer, or our client;
- any person or company that provides products or services to you, your employer or our client in connection with your card or transaction (including our insurer, insurance broker, card scheme, provider of value-added services, travel management company);
- any person to whom we transfer or may transfer any of our rights or duties under the agreement we have with your employer or our client;
- any payment system under which we issue your card, card programme or transaction;
- any institution, court, agency or authority (including law enforcement authorities) to whom we are required to disclose it by law including, without limitation, anti-terrorism and anti-money laundering laws and regulations, and for the purpose of fighting crime and terrorism;
- any Account Information Service Provider or other third party that you, your employer or our client authorises to receive or access data held by us;
- our affiliates for the purposes described in this Privacy Notice (a list of our affiliates is available on request); and
- our third party service providers who provide services such as website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, card production, printing, auditing and other services.
If you have given false or inaccurate information or we suspect fraud, we will record this and may pass this information to fraud prevention and law enforcement agencies.
If any payment in relation to the account is processed through a worldwide payment system, information about you may be passed to certain authorities (including authorities outside the United Kingdom) in order to detect and prevent terrorism.
Other Uses and Disclosures
We may also use and disclose Personal Data as we believe to be necessary or appropriate: (a) to comply with applicable law, which may include laws outside the country you are located in, to respond to requests from public and government authorities, which may include authorities outside your country, to cooperate with law enforcement, or for other legal reasons; (b) to enforce our terms and conditions; and (c) to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others.
In addition, we may use, disclose or transfer Personal Data to a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings).
“Other Information” is any information that does not reveal a person’s specific identity or does not directly relate to an identifiable individual, such as:
- Browser and device information
- App usage data
- Information collected through cookies, pixel tags and other technologies
- Demographic information and other information provided by you that does not reveal a person’s specific identity
- Information that has been aggregated in a manner that it no longer reveals a person’s specific identity
If we are required to treat Other Information as Personal Data under applicable law, then we may use and disclose it for the purposes for which we use and disclose Personal Data as detailed in this Privacy Notice.
Collection of Other Information
We and our service providers may collect Other Information in a variety of ways, including:
- Through a browser or device: Certain information is collected by most browsers or automatically through devices, such as a Media Access Control (MAC) address, computer type (Windows or Mac), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version and the name and version of the Services (such as the App) being used. We use this information to ensure that the Services function properly.
- Using cookies: Cookies are pieces of information stored directly on the computer being used. Cookies allow us to collect information such as browser type, time spent on the Services, pages visited, language preferences, and other anonymous traffic data. We and our service providers use the information for security purposes, to facilitate navigation, to display information more effectively, and to personalize the user’s experience. We also gather statistical information about use of the Services in order to continually improve their design and functionality, understand how they are used and assist us with resolving questions regarding them. We do not currently respond to browser do-not-track signals.
- Most browsers allow individuals to automatically decline cookies or be given the choice of declining or accepting a particular cookie (or cookies) from a particular website. Please refer to http://www.allaboutcookies.org/manage-cookies/index.html for more information. Declining cookies may cause certain parts of the Services to cease working.
- Using pixel tags and other similar technologies: Pixel tags (also known as web beacons and clear GIFs) may be used to, among other things, track the actions of users of the Services (including email recipients), measure the success of our marketing campaigns and compile statistics about usage of the Services and response rates.
- IP Address: An IP address is automatically assigned to a computer by an Internet Service Provider. An IP address may be identified and logged automatically in our server log files whenever a user accesses the Services, along with the time of the visit and the page(s) that were visited. Collecting IP addresses is standard practice and is done automatically by many websites, applications and other services. We use IP addresses for purposes such as calculating usage levels, diagnosing server problems and administering the Services. We may also derive approximate location from IP address.
Uses and Disclosures of Other Information
We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. In some instances, we may combine Other Information with Personal Data. If we do, we will treat the combined information as Personal Data as long as it is combined.
THIRD PARTY SERVICES
This Privacy Notice does not address, and we are not responsible for, the privacy, information or other practices of any third parties, including any third party operating any website or service to which the Services link. The inclusion of a link on the Services does not imply endorsement of the linked site or service by us or by our affiliates.
We seek to use reasonable organizational, technical and administrative measures to protect Personal Data within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the "Contacting Us" section below.
How individuals can access, change or suppress their Personal Data
If you would like to request to review, correct, update, suppress, restrict or delete Personal Data that you have previously provided to us, or if you would like to request to receive an electronic copy of your Personal Data for purposes of transmitting it to another company (to the extent this right to data portability is provided to you by applicable law), you may contact us by telephone on 00800 0456 7890. We will respond to your request consistent with applicable law.
In your request, please make clear what Personal Data you would like to have changed, whether you would like to have the Personal Data suppressed from our database or otherwise let us know what limitations you would like to put on our use of the Personal Data. For your protection, we may only implement requests with respect to the Personal Data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.
Please note that we may need to retain certain information for recordkeeping and/or regulatory purposes and/or to complete any transactions that you began prior to requesting a change or deletion. There may also be residual information that will remain within our databases and other records, which will not be removed. We may no longer be able to provide the Services to you if you request a deletion.
We will retain Personal Data for as long as needed or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with our client and provide the Services; (ii) whether there is a legal obligation to which we are subject; or (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
Use of Services by Minors
The Services are not directed to individuals under the age of eighteen (18), and we do not knowingly collect Personal Data from individuals under the age of 18.
Jurisdiction and Cross-Border Transfer
Personal Data may be stored and processed in any country where we have facilities or in which we engage service providers, including the United States. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access Personal Data.
If you are located in the European Economic Area (EEA): Some non-EEA countries are recognized by the European Commission as providing an adequate level of data protection according to EEA standards (the full list of these countries is available here https://ec.europa.eu/info/law/law-topic/data-protection_en). For transfers from the EEA to countries not considered adequate by the European Commission, we have put in place adequate measures, such as standard contractual clauses adopted by the European Commission to protect Personal Information. You may obtain a copy of these measures by following this link: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
Please do not send us any sensitive Personal Data (e.g., information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) through the Services or otherwise.
Updates to This Privacy Notice
We may change this Privacy Notice. The "Last Updated" legend at the top of this Privacy Notice indicates when this Privacy Notice was last revised. Any changes will become effective when we post the revised Privacy Notice on the Services. Use of the Services following these changes signifies acceptance of the revised Privacy Notice.
Bank of America Merrill Lynch International Designated Activity Company, Two Park Place, Hatch Street, Dublin 2, Ireland. Registered in Ireland (No. 229165). VAT No. IE 8229165F. Registered Office: Two Park Place, Hatch Street, Dublin 2, Ireland is the company responsible for collection, use and disclosure of your Personal Data under this Privacy Notice.
If you have any questions about this Privacy Notice, please contact us on 00800 0456 7890, or:
Bank of America Merrill Lynch Commercial Card, Amadeo Financial Centre, Chester Business Park, Chester, CH4 9FE, UK
ADDITIONAL INFORMATION FOR THE EEA
Individuals in the EEA may also:
- contact us at 00800 0456 7890 with any questions about this Privacy Notice.
- file a complaint with a supervisory authority competent for your country or region.