GDPR: The General Data Protection Regulation

Just click on the question you are interested in below.

The EU General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law that updates existing EU laws to strengthen the protection of “personal data” (any information relating to an identified or identifiable natural person, so called “data subjects”) in light of rapid technological developments, the increasingly global nature of business and more complex international flows of personal data. It replaces the current patchwork of national data protection laws with a single set of rules, directly enforceable in each EU member state.

The GDPR was approved by the EU Parliament on April 14 2016 and came into effect on May 25 2018.

The new legal framework mainly affects businesses offering goods or services or performs monitoring of EU-based individuals, be it these are customers, prospects, contractors or employees. It also affects any businesses located outside the EU, which hold or process personal data of individuals residing within the EU.

The main changes in the GDPR are:

  • The legislation is now technology neutral, so it applies to personal data held in any format whether paper or electronic, held in files, on laptops, phones, audio recordings, etc
  • The definition of Personal Data has changed to include location data and online identifiers
  • The definition of Sensitive Personal Data has been extended to include genetic and biometric data but only for the purpose of uniquely identifying a living individual
  • The term Sensitive Personal Data itself changes to Sensitive Category Data (SCD) that data subject rights are extended and improved
  • The requirement to know and state – in fair processing notices – the lawful basis for all types of processing of personal and sensitive personal data, and for this to be made clear at all times.
  • The introduction of compulsory data breach notification
  • Increased fines for data, and notification, breaches
  • The requirement for transparency and accountability
  • Increased responsibility of data processors for data processing

We will still keep this regulation once the UK leaves the EU for two reasons:

  • this regulation comes into effect before we leave the EU so we need to implement it for the time we are in the EU, and
  • when the UK is no longer part of the EU it will be necessary for the UK to prove that our standards for processing personal data are at least as good as those throughout the EU, for the remaining countries to be able to transfer data to the UK. One way of proving the UK data processing standards is to retain the basis of the EU Regulation on which all other member states are using to regulate data processing. The Data Protection Bill 2017 is currently going through the Parliamentary process.

A controller is the entity that determines the purposes, conditions and means of the processing of personal data. The controller is the one who collects the data from the data subject.

The processor is an entity which processes personal data on behalf or upon the request of the controller.

As a controller, the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

For example, Cynergy Bank is a controller while an external vendor of the bank, such as an IT company, is a processor.

Personal data are any information relating to an individual, whether it relates to his or her private, professional or public life. It can be a name, an address, a telephone number, an email address, bank details, or an IP address or a combination of them.

Special categories of personal data, also known as sensitive category data, which uniquely identify a person, are classified in the GDPR as sensitive data, like genetic and biometric information. Sensitive data are under very strict processing restrictions, like the stricter handling of that data such as the need to provide explicit consent.

Processing means anything that is done to, or with, personal data (including simply collecting, storing or deleting those data). This definition is significant because it clarifies that the EU data protection law is likely to apply wherever an organisation does anything that involves or affects personal data.

If an organisation holds information on individuals, they must provide a detailed explanation on these, such as information they hold on them, how their data is processed and where it is kept. This can be done through a privacy statement or notice which should be made publicly available. The GDPR accordingly states that this statement should be clear, easy to access and free of charge.

The Privacy policy for the Cynergy Bank can be found here.

GDPR safeguards personal data by ensuring they are processed in a manner that ensures their security, including protection against unauthorised or unlawful processing as well as against accidental loss, destruction or damage. Organisations should have appropriate technical or organisational measures in place to prevent such personal data leaks or unlawful processing.

Organisations are required to appoint a Data Protection Officer (DPO) if its main activities involve the processing of personal data on a large scale and/or involve continuous monitoring of personal data.

Our Data Protection Officer (DPO) can be contacted at

GDPR: Data Subject rights

Just click on the question you are interested in below.

You have the right under the General Data Protection Regulation (GDPR) to request to see the personal data Cynergy Bank holds about you. This is called a Data Subject Access Request (DSAR).

A DSAR is not designed to deal with general enquiries or questions that you may have about your account, for general queries please contact Customer Services on 0345 850 5555 (+44 (0)20 3375 6422 from outside the UK). We can then aim to provide you with the information you require, quickly, without you having to make a formal request.

DSARs can be specific and targeted by you to answer a specific question regarding the personal data we hold on you. We always prefer if you specify the information you are hoping to receive so we can turn around your request in the quickest time possible and not waste your time by providing you with too much information.


To make a Data Subject Access Request, you can submit it via the following options;

a) Download the Data Subject Access Request form or the Employee/Former Employee Subject Access Request form, complete it and send it to;

Data Subject Access Request (DSAR)
Customer Service
Cynergy Bank Limited
PO Box 80030
London EC4P 4NG

b) Contact our Customer Service Team on 0345 850 5555 who will talk you through the process and lodge the request on your behalf.

If we need more details to help us find your information or identify you, we will contact you. Once we have all the necessary information, we will respond to your request within 30 days.

We must confirm your identity using our standard identification procedures before any information is released; this is to ensure that personal information is not inadvertently released to the wrong person.

No. The first request is free of charge. However, for any further requests or copies, we may charge a reasonable fee based on our administrative costs.

Your privacy is important to us. Therefore, as with any banking transaction, it is important that the bank is sure of your identity (the data subject) before processing a request and releasing information. The ID that you will need to provide is listed below;

Original or certified address verification and certified identification documents which are acceptable include:

  • Utility bill (dated within the last 3 months) (mobile phone bills not accepted)
  • Council tax bill (for the current year)
  • Bank statement (dated within the last 3 months)
  • Mortgage statement from a recognised lender for the current year
  • Driving license, which shows your current address
  • Passport

We can accept photocopies of ID but these must be certified and stamped either by a Cynergy Bank employee, an accountant, solicitor or an independent financial advisor. It has to be clear that the ID has been certified by one of these people, providing their name and business address.

If you are acting on behalf of the data subject you are still required to provide the above documentation on behalf of the data subject so that we can validate them and their signed authority for you to act on their behalf.

You should provide the above information to the Cynergy Bank either by post or in person at the address detailed above (see “Q. How do I make a Data Subject Access Request”).

Please note, we do not recommend that you send the documentation by email as the Cynergy Bank cannot guarantee the security of doing so. If however, you still wish to, you do so as at your own risk and the Cynergy Bank shall not be held liable for any loss that may be suffered as a result.  

The legal requirement is for the request to be completed within 30 calendar days. However in some cases it may take longer for us to process your request, for instance if your request is not clear and we require further information from you.

In accordance with the regulation, we reserve the right to seek additional information from you which would enable us to process your request. Should this be the case, it may be necessary to extend the 30 day period and we will be in touch to inform you of the reasons for this. We will also advise you of any further clarification or information we require. The 30 days for processing your DSAR will then commence from the date we receive this additional information from you.

When your application is received, it will be checked to ensure that we have received all the correct, requested documentation.

If your request is incomplete then we will contact you requesting more information before we accept your request.

Where the request is not valid, we will write to you, returning your request, along with a reason for not accepting the request. You then have the option to submit a new request with the corrected information.

Where the request is correct and we have received satisfactory ID, Cynergy Bank will issue out an acknowledgement letter or email to you and confirm the latest date by which you should receive a copy of the information we hold (if any). Where no information is held, you will receive a letter to confirm this.

You only have right to access your own personal data under the regulation. We will not provide personal data about any other individual e.g. your family, friends except in the following circumstances:

  • You have their written permission to do so (and you can evidence this to our satisfaction).
  • You are a parent requesting information about a child under 16 that you have legal responsibility for; however, there is no automatic right to the data. If a child is old enough to give informed consent and understands the contents of the information, the Bank will be guided by their wishes. In all cases, disclosure would only occur if it is in the best interests of the child.
  • A solicitor/accountant is requesting information on behalf of a client - a signed authority form from the person concerned is required.
  • An agent (i.e. a family member) has written authorisation or power of attorney to act on behalf of the person.
  • You have a court order authorising you to make the request (e.g. police request)

If none of the above apply you are unlikely to be able to make a DSAR on their behalf.

You can request to receive your information via post to your address or collect from our North London office. We prefer if you are able to collect information from our office as this is more secure and minimises the risk that information may be lost or delayed. Please state your preference when raising your request.

If you are dissatisfied with information you have received, you can request us to review the information in the first instance. If you have reason to believe that there are specific documents missing from your disclosure, it will help us investigate if you can list them or provide us with more information about the location of those documents.

Following that, if you remain dissatisfied with our response, you are entitled raise a Complaint or refer the matter to the Information Commissioner’s Office.

The ICO is the national regulating agency for matters associated with data protection and may undertake to investigate on your behalf. Should you wish to avail yourself of this option, the ICO can be contacted in the following ways:


Phone: 0303 123 1113


Information Commissioner's Office
Wycliffe House
Water Lane

Tel: 0303 123 1113 (local rate)

Please note that some historic data may no longer be held due to our data retention policy e.g. information on closed accounts or some financial products is destroyed 7 years past their closure date.

If you are submitting a data subject access request relating to an ongoing appeals process or another kind of ongoing review, some of this data may be considered exempt from disclosure. If this is data that you have directly requested, we will ordinarily inform you that we have considered that particular document exempt from disclosure. We will normally be able to disclose these documents once the appeals process is over.

Please check your email and post to see if you received a letter from us asking for more information. For example if you did not send the right ID we will have contacted you to ask for this. The time to comply does not start running until we have confirmed the identity of the Data Subject.

Please check and see if we have asked you for clarification for example if what you are asking for was not clear. If you have checked and we are not waiting to hear from you with ID, or to clarify then:

  • Contact the person who sent the acknowledgement letter/email to ask them for a progress update.
  • If you haven’t heard back from the bank at all, please contact us on with as much information as possible and we will look into it for you.

We’re sorry to hear that. If you’d like to ask for a review of how your DSAR was handled please contact our Data Protection Officer directly on or speak with one of our Customer Service agents our helpline explaining clearly and concisely why you are unhappy. We will review the DSAR and your concerns and then write to you with our findings.                                   

If you have already had a review and are still dissatisfied you can complain to the Information Commissioner’s Office on the details provided in above.

GDPR: Marketing consent

Just click on the question you are interested in below.

Cynergy Bank likes to keep its customers up to date with marketing information we think will be relevant to you. With the introduction of the General Data Protection Regulation (GDPR) we will need your permission to continue to contact you about our latest offers, products and services.

When you apply for Cynergy Bank products and services, you will be required to select how you would like to receive marketing information from us. If you do not make any selections you will no longer receive marketing information from us after 25 May 2018.

If, at any time you want to update your marketing preferences please contact Customer Service by phone or secure message on Online Banking.

We may also ask you to confirm or update your marketing preferences if you apply for any new products or services with us in future. We may also ask you to do this if there are changes in the law, regulation, or the structure of our business.

You will no longer receive marketing information from us after 25 May 2018 if you do not update your marketing preferences.

Your consent to receive marketing communications from us will expire automatically every three years in line with the Bank’s Policy. The bank will require a refresh of consent from you after three years. 

Yes, you can withdraw your consent at any time by contacting Customer Service by phone 0345 850 5555 (+44 (0) 20 3375 6422 from outside the UK) or secure message on Online Banking. Please note if you do not update your marketing preferences, you will no longer receive marketing information from us.