HDFC collects two kinds of information from the user i.e. personal and private information of the covered persons and sensitive personal data or information.

1. Personal information is any information related to a natural person directly or indirectly.
2. Sensitive personal data or information consists of information such as Passwords, Financial information such as Bank account or credit card or debit card or other payment instrument details, Physical, physiological and mental health conditions, Sexual orientation, Medical records and history, Biometric information.

Any information which is easily available on public platforms under the Right to Information Act, 2005 or any other law at the current time will not be regarded as sensitive personal data or information.

Section 3, The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

The privacy policy of HDFC bank says that all the information collected by the bank is used for lawful purposes. HDFC mentions that such a piece of information is not shared with any external organization unless in some situations such as:

• When it is necessary to protect the interests of the Bank.
• It is necessary for enabling the HDFC Bank to provide its services. For instance: Completion or compilation of a transaction, credit reporting etc.
• It is necessary for pursuing banking norms.
• For pursuing the terms and conditions of the HDFC Bank.
• Responding to law or regulations or any Government or court or other relevant authority’s directions or orders.

Can HDFC share users’ information without their consent?

HDFC bank mentions in their privacy policy that they may share user’s Information, without obtaining their prior written consent with certain authorities such as:

• Government agencies: In case these agencies are mandated under the law to obtain information for verification of identity, or for prevention, detection, investigation including prosecution, cyber incidents and punishment of offences, or where disclosure is necessary for complying with a legal obligation.

*The HDFC bank may disclose a piece of information to any third party under the law for the time being in force.

• Agents
• Contractors of HDFC Bank and their sub-contractors.

*Such agents, contractors, and sub-contractors are required to agree to use the information obtained from HDFC Bank only for the purposes mentioned in the contract.

Does HDFC bank retain users’ information?

Information provided by the user is retained:

• As long as the purpose of collection is not fulfilled.
• For a period required to satisfy legal, regulatory or accounting requirements.
• To protect HDFC Bank’s interests.

Does HDFC bank use cookies?

The HDFC Bank website uses cookies. Cookies are small data files that a website stores on a user’s computer. HDFC says that they use persistent cookies, which are permanently placed on the user’s computer to store non-personal information (Browser, ISP, OS, Clickstream information etc.) and profiling information (age, gender, income etc.).

*While cookies have unique identification numbers, personal information (name, a/c no, contact numbers etc.) is not stored on the cookies.

HDFC ADHERES TO A DIFFERENT PRIVACY POLICY FOR ITS DIGITAL PLATFORMS

HDFC says that they are committed to protecting the privacy of the user while they access HDFC bank’s digital platforms. Their privacy statement explains how they collect, use, share and safeguard users’ information when they use HDFC Banks’s digital platforms.

What are the digital platforms?

HDFC bank’s mobile applications, online services and other digital platforms (Payment Gateways, Digital Application Platform (DAP) and POS devices).

HDFC bank lays down that while the user uses any of the digital platforms, they expressly agree to the terms of the bank and automatically gives consent to the processing of their data.

What is the data collected by the HDFC bank?

• Personal data: Any data that identifies a user, such as a user’s name, previous names, postal address, email address, telephone number, domicile, nationality, PAN number, date of birth or account information.
• Online Activity information: Internet browser, IP address, information collected through tracking technologies, demographic information that user provides to the bank and aggregated or de-identified data.
• Location information: This information may be collected from the user’s mobile device’s location-aware features when the user requests services dependent on the user’s physical location.
• Device Information: IMEI number, contact lists (in some cases), technical Data about user’s computer and mobile device including details regarding applications and usage details.
• Biometric information: Information such as user’s fingerprint, etc. HDFC Bank says that they do not collect users’ biometric information without their explicit consent.
• Information related to the user’s occupation and financial situation: Such as the employer’s name and address. If the user is self-employed, then information as, type of account, nature and volume of anticipated business dealings, with the conventional bank licensee, income proof, bank statements, income tax returns, salary slip, contract of employment, passbook, debit card/credit card details, expenditure, assets and liabilities, source of wealth, signature, as well as user’s other bank account details.
• Generation of password or PIN in encrypted form if user requests on the Digital Platform.
• User’s photographs.
• Social relationships detail:  Such as user’s father’s name, spouse’s name and mother’s name.
• Records of other communications between the bank and the user: Email, telephone conversations, live chat, instant messages and social media communications containing information concerning the user’s grievances, complaints and disputes.
• Sensitive personal data: Such as gender, medical records and history.
• Personal data user provides to the HDFC bank about others or others provide to them about the user.

What is the purpose of collecting users’ data by HDFC bank?

The HDFC bank collects user’s data for various reasons, few those reasons are:

• To use it for ways as required and permitted by law.
• To prevent and detect crime, which includes fraud, a financial crime such as financing for terrorism and human trafficking.
• To protect their legal rights and comply with their legal obligations.
• To meet legitimate interests which are pursued by the HDFC bank or by a third party.

Does HDFC share a user’s information with third parties?

HDFC Bank shares user’s information with some third parties such as:

• Their subsidiaries and affiliate companies. To provide improved services to the user under the laws and regulations.
• Third-party service providers, vendors, data processors or the agents who perform services for the HDFC bank.
• To comply with legal requirements such as the demands of applicable warrants, court orders, to verify or enforce HDFC bank’s terms of use and other rights or applicable policies.
• To address fraud, security or technical issues, to respond to an emergency or otherwise to protect the rights, property or security of the user’s or third parties.
• Statutory and regulatory bodies and authorities: The Reserve Bank of India or the Securities and Exchange Board of India (including central and local government).
• Law enforcement authorities.
• Entities or persons, to whom it is mandatory to disclose the Personal Data as per the applicable law, courts, judicial and quasi-judicial authorities and tribunals, arbitrators and arbitration tribunal.

How does HDFC bank collect the information?

The HDFC bank mentions that they collect the information from the user while the user interacts with the bank through a device. In this process device and location information is collected by the bank.

Information is also collected,

• When a user provides their details in forms, surveys, online applications or similar online fields.
• The bank may also record details of user’s interactions with the bank including telephone conversations with their call centres and other kinds of communication.

How long the bank does retains the user’s information?

The HDFC bank mentions in their privacy policy that they may retain the user’s data for as long as:

• It is required to provide the user with services such as managing their account.
• Dealing with any legal concerns.

The HDFC bank may retain the user’s information for a longer duration, in case the bank needs the information for any legitimate purposes. For instance: fighting fraud and financial crime.

*If the bank doesn’t need to retain the information they may destroy, delete or anonymise the information

Does the bank use cookies?

HDFC Bank says, that they may use cookies to improve users’ experience when they visit the bank’s digital platform.

A cookie is a bit of electronic information that downloads to the user’s hard drive, mobile devices or another device while the user visits HDFC bank’s digital platform.

The bank may use cookies to anonymously track users’ interests and collect information about their activities. The bank does not store or transmit personal data.

There are various kinds of cookies used by the HDFC bank on its digital platform:

• Temporary session cookies are also used to facilitate customer navigation within the bank’s Digital Platform during the user’s visit.
•  Session cookies are deleted once the user closes their internet browser.
• The bank may also use persistent cookies that are retained on a user’s computer after the user’s visit ends so that the bank can identify the user’s preferences and enhance the user’s future visits to their Digital Platform.

Is HDFC bank responsible for the third party links?

HDFC Bank says that clicking on certain links within the bank’s Digital Platforms may take the user to other websites, or may display information on the device from other sites, which may not be maintained by HDFC Bank. Such sites may contain terms and conditions, privacy provisions, confidentiality provisions, or other provisions that differ from the terms and conditions applicable to Digital Platforms of HDFC bank.

*Links to other Internet services and websites are provided for the convenience of users.

The Bank denies any responsibility or liability whatsoever for the content, accuracy, reliability or opinions expressed in HDFC’s digital platform. HDFC bank mentions that it is the responsibility of the user to evaluate the accuracy, reliability, timeliness and completeness of any information available on a linked site. All the services and content obtained from a linked site are provided “as is” without warranty.

REFERENCE

Privacy, HDFC BANK ( Nov 30, 2020, 09:30 PM), https://www.hdfcbank.com/personal/useful-links/privacy

Disclaimer: “Vestralex assumes no responsibility or liability for any errors or omissions in the content of this Article. The information contained in this article is provided on an “as is” basis as sourced with no guarantees of completeness, accuracy, usefulness or timeliness. This article contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. This article and the information contained herein is not intended to be a source of advice or analysis with respect to the material presented, and the information and/or documents contained in this article do not constitute advice. All copyrights and trademarks contained herein are properties of their respective owners, any representation of such rights and marks is purely for informational purposes only. This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.”

Vestralex Winter Internship Program

Vestralex Winter Internship Program (VWIP) is an initiative undertaken by Vestralex to help raise legal literacy and general awareness about practices and procedures in law through intern participation and content  creation