Privacy Notice

Melli Bank Plc is incorporated in England and Wales with registration number 04152338. It has a branch in Hong Kong and a Representative Office in Tehran. Melli Bank Plc is authorised by the Prudential Regulation Authority, and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

In this Privacy Notice, any reference to “the Bank”, “we” or “us” means Melli Bank Plc. The Bank is the data controller of your personal data which is collected or generated by it. The website http://www.mellibank.com (referred to in this Privacy Notice as the “Website”) is owned and operated by the Bank.

We are committed to protecting and respecting your privacy. This Privacy Notice (together with any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.

This Privacy Notice applies to customers, potential customers, visitors to our premises, and suppliers and service providers. This Privacy Notice also applies to all current or prospective employees, directors, officers and consultants. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

If you are a customer or prospective customer, we may collect and process the following types of personal data about you in connection with establishment of a business relationship including (but not limited to) opening, operating and managing your accounts with us:

• Contact Details: name, postal address, email address, and telephone number;
• Identity Verification and ‘Know Your Client’ Information: nationality, country of birth, visa status, passport or national ID, driving licence photocard, date of birth, proof of address, source of income and source of wealth;
• Corporate Customers: names of directors, major shareholders and beneficial owners; and associated proof of identity, power of attorney and signatory information;
• Account Opening Information: financial and banking information and history;
• Correspondence and Communications: Records of correspondence between us, and audio recording made of telephone calls between us (where we are legally required to do so or where we have obtained your permission);
• CCTV Footage: If you visit premises of the Bank, images of you may be captured by our CCTV systems, which operate for the safety and security of our staff and customers;
• Other Personal Data: We may keep records of any other information which is your personal data and which you have provided to us when you have contacted us or met our staff, or in the course of any correspondence with you.

If you are employed or engaged by a supplier to the Bank, we may collect and process the following types of personal data about you:

• Contact Details: name, postal address, email address, telephone number and job role.
• Correspondence and Communications: Records of correspondence between us.
• CCTV Footage: If you visit premises of the Bank, images of you may be captured by our CCTV systems, which operate for the safety and security of our staff and customers.
• Other Personal Data: We may keep records of any other information which is your personal data and which you have provided to us when you have contacted us or met our staff, or in the course of any correspondence with you.

If you are an employee, director, officer or consultant of the Bank, or a job candidate applying for a position at the Bank (in any of those capacities), we may collect and process the following types of personal data about you in connection with your employment or your application for employment:

• Contact Details: name, postal address, email address and telephone number.
• HR Information: biography or CV, educational and academic history and achievements, work history, references from previous employers, date of birth, country of birth, nationality, emergency or next-of-kin contact information (name, relationship to you, telephone number, email), documents to verify your identity, visa status and entitlement to work and bank details.
• Diversity and Equal Opportunities Information: gender, sexual orientation, ethnicity and religion.
• Health Information: disabilities, health conditions, health assessment results, sick leave, employer-provided wellbeing and counselling courses and records.
• Compensation & Benefits Information: salary, bonuses, overtime pay, pay rises and history, pay grades, health insurance, retirement plans, pension, paid time off, unpaid time off, parental leave, bereavement leave, jury duty and other statutory leave, wellness programs, training, gym memberships and other benefits.
• Employment Information: position, department, job description, start date, employment details and status (full-time, part-time, contract, etc.), work location, training record, performance appraisals, attendance and time-keeping, disciplinary and grievance records, resignations, retirements, terminations and redundancy.
• Legal & Compliance: tax status, background checks (criminal, financial, and employment verification reports), job responsibilities, confidentiality obligations, termination conditions, and other records required to demonstrate compliance with legal and regulatory standards, used for audits and work eligibility checks.
• Correspondence & Communications: Records of correspondence between us.
• CCTV Footage: If you work within the Bank’s premises, images of you may be captured by our CCTV systems, which operate for the safety and security of our staff and customers.

If you are a visitor to our website, in circumstances in which we use cookies (or similar technologies) on our website, (with your permission, where required by law), we may collect and process details of your visit and your website browsing activity, your IP address, browser type and operating system and geolocation.

We may collect, receive and process personal information from you in the following ways:

• When you make a telephone call or send an e-mail or correspondence to us, to seek information about our services or to apply to open an account, or in connection with any services you are offering or providing to us;
• When you visit our Bank premises (whether in connection with services we provide to you, or services which you provide to us, or whether as a visitor, or otherwise);
• When you use our services or benefit from our services in any way including but not limited to opening personal bank accounts, corporate bank accounts, taking a loan and other financial benefits;
• Through making an application to open an account even if the application has been unsuccessful;
• In connection with your recruitment and employment with us;
• Through making a job application even if this application has been unsuccessful;
• Through our use of cookies (or similar technologies) on our website.

We do not carry out email marketing campaigns or any other direct marketing activities, and we do not maintain any customer marketing lists.

The purposes for which we use your personal data, and the legal basis under data protection laws on which we rely to do this, are explained below.

• Where you have provided consent

We may use and process your personal information where you have consented for us to do so.

• Where there is a legitimate interest

We may use and process your personal information where it is necessary for us to pursue our legitimate interests as a business, or that of a third party, for the following purposes:

• to verify and assess your financial status, creditworthiness, assets, income, personal circumstances, account dealings or and other relevant aspects of your customer relationship with us, in the course of operating as a bank, including to verify your identity and status in connection with any account opening;
• for analysis to inform our marketing strategy, and to enhance and personalise your customer experience;
• to correspond or communicate with you;
• to verify the accuracy of data that we hold about you and create a better understanding of you as a customer;
• for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access;
• for prevention of fraud and other criminal activities;
• to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request);
• to assess and improve our service to customers through recordings of any calls with our contact centers;
• in respect of employees, directors, officers and consultants of the Bank, in connection with the management and administration of our recruitment, employment, HR, pay and benefits processes and procedures;
• for the management of queries, complaints, or claims; and
• for the establishment and defence of our legal rights.

• Where there is a legal requirement

We will use your personal information to comply with our legal obligations:

• to assist or respond to any regulatory authority to which we are subject;
• to identify you when you contact us; and
• to verify the accuracy of data we hold about you.

• Where it is required to complete or perform a contract

We may use and process your personal information where we have supplied you (or continue to supply you) with any products or services, or where you are in discussions with us about any new product or service. We will use this information in connection with the contract for the supply of products or services when it is needed to carry out that contract or for you to enter into it.

The data that we collect from you may be transferred to, and stored at, our servers in the UK. It may also be processed by organisations based in the UK or the European Economic Area (the “EEA”) who are engaged by us and who process your personal data on our behalf. These organisations, whom we refer to as our processors, are typically IT, HR or other service providers to the Bank.

Occasionally we may need to transfer your personal data to a processor engaged by us which is based in a country located outside of the UK and EEA. In these cases, we shall ensure that appropriate safeguards are in place for that transfer and storage as required by data protection law. These safeguards are designed to ensure that your privacy rights continue to be protected, to the same extent as if the processor was based in the UK or EEA. The steps taken include imposing contractual obligations on the processor, and where relevant imposing additional security measures. This is because some countries outside of the UK and EEA do not have data protection laws which are equivalent to those in the UK and EEA.

Our Hong Kong branch, located outside of the EEA, has its servers based in the UK. Therefore, data of our Hong Kong customers are kept within the protection provided by the data protection law of the UK. Customer data of the Bank may, as a result of these arrangements, be accessible by members of staff of our Hong Kong branch from time to time.

We retain the personal data processed by us in a live environment for as long as is considered necessary for the purpose(s) for which it was collected (including as required by applicable law or regulation). In addition, personal data may be securely archived with restricted access and other appropriate safeguards where there is a need to continue to retain it. Our retention of personal data is consistent with the Bank’s data retention Privacy Notice (as amended from time to time). Please contact us, by emailing us at the address at the end of this Privacy Notice, if you would like further details of the Bank’s data retention Privacy Notice.

We will only share personal data with others when we are legally permitted to do so. When we share personal data with others, we put contractual arrangements and security mechanisms in place to protect the personal data shared. When processing your personal data, we may need to share it with third parties as follows:

• Hong Kong branch: Our Hong Kong branch, which is a part of Melli Bank Plc, operates using a centralised customer account and management system which is hosted in UK servers. In these circumstances, your personal data as a customer may be transferred to our Hong Kong branch for internal operational purposes, in connection with our banking services and the management and administration of our business.
• Third party organisations that provide IT, HR or other data processing services: We share personal data with third parties who support us in providing our banking services and help provide, run and manage our internal IT systems, or who provide HR-related services or platforms to us. Such third parties may include, for example, providers of information technology, providers of cloud-based software, identity management, website hosting, management and services, data back-up, security and storage services.
• Payment providers and banks: We may share personal data with third parties who assist us with the processing of banking transactions and related services.
• Recruitment agencies and related organisations: We share personal data with external recruiters, third party providers that undertake background checks on our behalf and other entities within our group of companies.
• Auditors, lawyers, accountants and other professional advisers: We share personal data with professional services firms who advise and assist us in relation to the lawful and management of our organisation and in relation to any disputes involving us.
• Law enforcement or other government and regulatory agencies and bodies: We share personal data with law enforcement or other government and regulatory agencies, courts or other third parties as required by, and in accordance with, applicable law or regulation.
• Identity verification and credit reference providers: In compliance with regulatory ‘Know Your Client’ procedures and ‘Client Due Diligence’, we may share your information with third parties to confirm the credibility of your identity, application form and documents.Others, such as crime prevention agencies, may share your information with us, either upon our request or on a voluntary basis.
• Sharing with other third parties: Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, or to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.

This list is non-exhaustive and there may be circumstances where we need to share personal data with other third parties in order to operate our business and to provide our services.

You have a number of rights in relation to your personal data under data protection law. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within one month from the date of your request or, if we need to confirm your identity, from the date you have provided satisfactory identity information to us.

• Accessing your personal data
  You have the right to ask for a copy of the personal data that we hold about you, which is known as a data subject access request. You may do so by emailing us at the address at the end of this Privacy Notice. Please note that we are not obliged to provide you with information which would disclose the identity of other individuals or where we have another lawful reason to withhold that information (in accordance with applicable data protection law).
• Correcting and updating your personal data
  If you change your name, address, email or any of your other contact or personal data, or you discover that any of the other data we hold is inaccurate or out of date, please let us know by contacting us in any of the details at the end of this Privacy Notice.
• Withdrawing your consent
  Where we rely on your consent as the legal basis for processing your personal data, you may withdraw your consent at any time by contacting us using the details at the end of this Privacy Notice. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.
• Objecting to our use of your personal data or automated decisions made about you
  Where we rely on our legitimate interests as the legal basis for processing your personal data, you may object to us doing so. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise, we will provide you with our justification as to why we need to continue using your data. If we are marketing our services to you by any form of direct marketing, you may object to this at any time and we will automatically comply with your request. You may also contest a decision of a legal or similar nature which has been made by us about you based on automated processing. In order to do this please email us using the contract details set out at the end of this Privacy Notice.
• Erasing your personal data or restricting its processing
  In certain circumstances, you may ask for your personal data to be removed from our systems. Unless there is a reason that the law allows us to use your personal data for longer, we will make reasonable efforts to comply with your request. You may also ask us to restrict processing your personal data if you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings. In these situations, we may only process your personal data whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.
• Transferring your personal data in a structured data file
  Where we rely on your consent as the legal basis for processing your personal data or need to process it in connection with your contract, you may ask us to provide you with a copy of that data in a structured data file.

You have the right to lodge a complaint with the UK data protection regulator, the Information Commissioner's Office (“ICO”). For further information on your rights and how to complain to the ICO, please refer to the ICO website https://ico.org.uk/concerns.

The Bank may collect information about your computer, including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users' browsing actions and patterns and does not identify any individual.

Our website may from time to time use cookies or similar technologies to record visits to the Website. This helps us to improve the website and provide you with a good experience when you browse the Website. Please see our Cookies Policy for more information.

This Privacy Notice was last updated on 01 May 2025. We reserve the right to vary this Privacy Notice from time to time. Such variations become effective on posting on this Website.

If you wish to contact us about anything in this Privacy Notice, please send an email to one of the following addresses:

ComplianceGroup@mellibank.com – if you wish to object to any marketing

CustomerServicesdepartment@mellibank.com – if you are a customer

hrgroup@mellibank.com (CC the Head of Compliance) – if you are a current or former member of staff

info@mellibank.com – for any other enquiries.

If you wish to write to us in connection with any matter arising from this Privacy Notice or your rights as a data subject, our postal address for correspondence is 98a Kensington High Street, London W8 4SG. Please mark your correspondence for the attention of the Head of Compliance.