Privacy Notice EU users

Privacy Notice EU users

This Privacy Notice outlines HDFC Bank Limited’s (“HDFC Bank”) approach to data protection to fulfil its obligations under the EU General Data Protection Regulation 2016/679 ("GDPR"). This Privacy Notice applies to personal data of the Covered Person(s) which is processed by or for HDFC Bank as a controller, whether in physical or electronic mode. In this Privacy Notice, the expressions ‘personal data’, ‘data subject’, ‘controller’, ‘processor’ and ‘processing’ shall have the meanings given to them in the GDPR.

HDFC Bank is committed to treating data privacy seriously. It is important that you know exactly what we do with the personal data you and others provide to us, why we process it and what it means to you. Please read this Privacy Notice carefully to understand our views and practices regarding your personal data and how we will treat it.

Data Privacy Matters

This Privacy Notice applies in relation to all our products and services as applicable to the Covered Persons. Your product or service terms and conditions will specify which of our businesses is providing the relevant product or service to you. If you are a customer of one of these businesses, please also read the Data Privacy Notice applicable to such respective businesses. If you have any questions about how your personal data is processed, please contact our Privacy Contact.

Who we are

Throughout this document, “we”, “us”, “our” and “ours” refer to HDFC Bank.

HDFC Bank means:

HDFC Bank Limited having its registered office at Senapati Bapat Marg, Lower Parel (West), Mumbai 400013, Mumbai, India and includes its branches in and outside India and subsidiary companies.

Website :

Our contact details are given at the end of this Privacy Notice. Should you need further details about HDFC Bank, please visit the about us page in our website.

Who is covered under this Notice (Covered Persons)?

Any natural person in relation to whose personal data (to the extent processed by or for HDFC Bank), the GDPR applies, shall be to the extent of such personal data and such processing be the "Covered Person(s)" or “You”.

The information we collect about you

The information we collect falls into various categories as under:

  • Identity & contact information

    • Name, address, signatures, biometric data, date of birth, copies of identity cards (“ID”), contact details marital status, relatives information, nomination, medical condition, PAN/TIN/Aadhaar/National ID/Social Security Number/ or its equivalent, Photograph, Gender

  • Financial details/circumstances

    • Bank account details, investments history, credit/debit card details, income details, history in relation to these.
    • Employment / occupational information.
    • Residential status under banking, general and tax laws.
    • Spending/saving/investing/payments/receipts/borrowing history.
    • Risk profile, financial objectives, financial knowledge and experience, preferences and any other information to assess the suitability of our products to you.
    • Information collected when you make or receive payments.

  • Information you provide us about others or others provide us about you

    • If you give us information including personal data about someone else (for example, information about a spouse or financial associate provided during the course of a joint application with that person), or someone gives us information about you, we may add it to any personal data we already hold and we will use it in the ways described in this Data Privacy Notice.
    • Your personal data from third party providers: In order to enhance our ability to provide relevant marketing, offers, and services to you, we obtain personal data about you from other sources with your consent, such as email service providers, public databases, joint marketing partners, social media platforms, as well as from other third parties as appropriate.
    • Information including personal data from credit information companies/ credit reference agencies, risk management and fraud prevention agencies, national and government databases.
    • Information including personal data from other parties and entities where we are a part of a transaction in one or more roles even though we may not be directly interfacing you, for example during the course of remittances being initiated by you through your bank to a beneficiary whose bank account is with us.

  • Personal data which you have consented to us using

    • Your agreement to allow us to contact you through certain channels to offer you relevant products and services.

  • Information from online activities.

    • We collect information about your internet activity using technology known as cookies, which can often be controlled through internet browsers. For detailed information on the cookies we use and the purposes for which we use them, see our Cookie Policy, which is available on our website.
    • Your digital and electronic devices where we perform various checks designed to ascertain and verify your residency to ensure we meet our regulatory obligations. These checks include identifying the IP address your device connects from and the collection of information about your use of the website or mobile app (including device type, operating system, screen resolution, and the way you interact with us).

  • Other personal information

    • Information in relation to data access, correction, restriction, deletion, porting requests and complaints.
    • CCTV images and data at our Bank branches, offices and ATMs (but only for security reasons and to help prevent fraud or crime).
    • Conversations during meetings/calls/correspondences/discussions with bank staff.

When and how we collect personal data about you?

Personal data about you is gathered or collected:

  • When you ask us to provide you with certain products and services.
  • When you use our services or products;
  • During the course of transactions;
  • When you apply for products, make enquiries or engage with us or with any other person where we are involved for any other person in the transaction concerning you
  • When you use our website and online services provided by us (including mobile applications) and visit our branches, offices.
  • When you email or call or respond to our emails/phone calls or during meetings with our bank staff or its service providers or representatives.
  • When you or others give us personal data verbally or in writing. This personal data may be on application forms, in records of your transactions with us or if you make a complaint.
  • From information publicly available about you. When you make information including personal data about yourself publicly available on your social media accounts or where you choose to make information available to us through your social media account, and where it is appropriate for us to use it

How we process your Personal Data?

Whether we’re using it to confirm your identity, to help in the processing of an application for a product or service or to improve your experiences with us, your personal data is always handled with care and the principles outlined in this Data Privacy Notice are always applied.

Lawfulness and Purposes of the processing

The lawfulness and legal basis for obtaining, processing personal data about you will be one or more of the following:

  • Processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. To allow us to take actions that are necessary in order to provide you with the product / service (performance of a contract), for example, to make and receive payments
  • Processing is necessary because of a legal obligation that applies to us. It may be necessary to allow us to comply with our legal obligations, for example, obtaining proof of identity to enable us to meet our anti-money laundering obligations under applicable law.
  • Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. Processing may be required to meet our legitimate interests, for example, to understand how customers use our services and to develop new services, as well as improve the service we currently provide.
  • Where we have your consent to do so.
  • Its processing is necessary to protect your “vital interests” where we need to process your personal data and you are not capable of providing consent (emergency situations).

The table below sets out the purposes for which we use your personal data and our legal basis for doing so. Where we are relying on a legitimate interest, these are also set out below

What we use your personal data forThe legal basis for doing so (one of more under each sub-heading)
  • To provide our products and services to you and perform our contract with you
  • Establish your eligibility for our products and services.
  • Manage and administer your accounts, policies, benefits or other products and services
  • Process your applications for credit or financial services.
  • Process payments that are paid to you or by you. For example, if you hold a credit or debit card with us, we will share transaction details with our card scheme providers (e.g. Visa or MasterCard).
  • Run loyalty and reward programmes you have signed up to.
  • Contact you by post, phone, text message, email, social media, fax, using our online banking website or other means, but not in a way contrary to your instructions to us or contrary to law.
  • Monitor and record our conversations when we speak on the telephone (for example, to check your instructions to us, to analyse, to assess and improve customer service and for training and quality purposes).
  • Recover debts you may owe us.
  • Manage and respond to a complaint or appeal.
  • To undertake checks for the purposes of security, detecting and preventing fraud and money laundering, and to verify your identity before we provide services to you. These checks may reveal political opinions or information about criminal convictions or offences.

  • Where necessary for the performance of our agreement or to take steps to enter into an agreement with you
  • Where the law requires this
  • Where it is in our legitimate interests to ensure that our customer accounts are well-managed, so that our customers are provided with a high standard of service, to protect our business interests and the interests of our customers
  • Where it is in our legitimate interests to ensure that complaints are investigated, for example, so that our customers receive a high standard of service and so that we can prevent complaints from occurring in future
  • In case of sensitive information, such as medical information, where you have agreed 
  • To manage our business for our legitimate interests
  • Carry out credit scoring, credit management
  • Provide service information, to improve our service quality and for training purposes
  • Conduct marketing activities, for example, running competitions, promotions and direct marketing (provided that you have not objected to us using your details in this way), and research, including customer surveys, analytics and related activities
  • Where necessary for the performance of our agreement or to take steps to enter into an agreement with you
  • Where the law requires this
  • Where it is in our legitimate interests to develop and improve our products and services to ensure we can continue to provide products and services that our customers want to use and to ensure our business model remains competitive.
  • Where it's in our legitimate interests to provide you with information about our products and services that may be of interest.
  • Where we have your consent to do so.
  • To run our business on a day to day basis
  • Carry out strategic planning and business portfolio management.
  • Protect our business, reputation, resources and equipment, manage network and information security (for example, developing, testing and auditing our websites and other systems, dealing with accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services) and prevent and detect fraud, dishonesty and other crimes (for example, to prevent someone trying to steal your identity),
  • Manage and administer our Bank’s legal and compliance affairs, including complying with our obligations to credit card providers, compliance with regulatory guidance and voluntary codes of practice to which we have committed and to comply with directive/order of any law enforcement agencies
  • Where necessary for the performance of our agreement or to take steps to enter into an agreement with you
  • Where the law requires this
  • To share your information with Indian or other relevant tax authorities, Reserve Bank of India and other government authorities, credit reference agencies, fraud prevention agencies, and India and overseas regulators and authorities
  • To perform certain credit checks so that we can make responsible business decisions.
  • To assist with the prevention and detection of fraud and other crime
  • To assist overseas regulators, who monitor banks to ensure that they comply the law and regulations
  • Where the law requires this
  • Where we have a legitimate interest in performing certain credit checks so that we can make responsible business decisions. As a responsible organisation, we need to ensure that we only provide certain products to companies and individuals where the products are appropriate, and that we continue to manage the services we provide, for example if we consider that you may have difficulties making a payment to us.
  • Where we have a legitimate interest in assisting with the prevention and detection of fraud and other crime
  • Where we have a legitimate interest in assisting overseas regulators, who monitor banks to ensure that they comply the law and regulations
  • More detail on our data sharing with these organisations is set out below
  • To send electronic messages to you about product and service offers from our Bank.
  • To use transaction history/account information from your HDFC Bank account or credit card to identify your spending and saving habits in order to personalise offers that are exclusive and individual to you, based on your account transactions.
  • To use cookies in accordance with our Cookie Policy.
  • To use information you have made public and combine with this with the activities outlined above. When we ask for your consent, we will provide you with more information on how we will use your data in reliance on that consent, including in relation to third parties we would like your consent to share your data with
  • Where necessary for the performance of our agreement or to take steps to enter into an agreement with you
  • Where the law requires this
  • Where we have your consent to do so.

When we process personal data to meet our legitimate interests, we put in place robust safeguards to ensure that your privacy is protected and before collecting, we ensure that our legitimate interests are not overridden by your interests or fundamental rights and freedoms.

We will send you messages by post, telephone, text, email and other digital methods, including for example via our ATMs, mobile applications, push notifications, or online banking services (and new methods that may become available in the future). These messages may be:

  • To help you manage your account(s)
  • Messages we are required to send to comply with our regulatory obligations, such as changes to your agreements, and to give you information you need to manage your money
  • To keep you informed about the features and benefits of the products and services you hold with us
  • To tell you about products and services (including those of others) that may be of interest to you – these are marketing messages sent in accordance with your preferences. You can ask us to stop or start sending you marketing messages at any time by writing to us.

Automated processing

The way we analyse personal information in relation to our products and services including applications, credit decisions, determining your eligibility for the products or services, may involve automated profiling and decision making, this means that we may process your personal data using software that is able to evaluate your personal aspects and predict risks or outcomes as also where the decision making may be automated.

We may also carry out automated anti-money laundering and sanctions checks. This means that we may automatically decide that you pose a fraud or money laundering risk if the processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk:

  • We may refuse to provide the services you have requested or we may stop providing existing services to you
  • A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services or employment to you.

You expressly acknowledge that the automated decision is necessary for entering into or performance of contract and/or you explicitly consent to such automated decision making, hence you subject to even the decisions which are solely based on automated processing. You have rights in relation to automated decision making: if you want to know more please contact us using the details set out in the Contact Us section.


We may use cookies and similar technologies on our websites, mobile apps, and in our emails. Cookies are text files that get small amounts of information, which your computer or mobile device stores when you visit a website or use a mobile app. When you return to the websites or mobile apps – or visit websites and mobile apps that use the same cookies – they recognise these cookies and therefore your device.
We use cookies to do many different jobs, like letting you navigate between pages efficiently, remembering your preferences and generally improving your online experience. They can also help ensure that the advertisements and marketing material(“ads”) you see online are more relevant to you and your interests. We also use similar technologies such as pixel tags and JavaScript to undertake these tasks. We also use cookies in some of our emails to help us to understand a little about how you interact with our emails, and to help us improve our future email communications. These cookies also help ensure that the ads you see online are more relevant to you and your interests.

Our respective websites and mobile app terms and conditions give you more information on these technologies, how and where we use them and how you can control them.

How to manage and disable cookies?

For instructions on blocking and deleting cookies, see the privacy settings and help documentation of your specific browser’s website. If you use more devices and/or browsers, you will need to disable cookies on each device and on each browser separately. Here are the locations of the cookie settings for all major web browsers:

  • Internet Explorer – Tools > Internet Options > Privacy tab.
  • Mozilla Firefox – Tools > Options > Privacy menu.
  • Safari users – Edit > Preferences > Privacy menu.
  • Chrome users – Settings > Content Settings > Privacy > Cookies.

If you limit the ability of our websites to set cookies, this may prevent you from using certain features of our website properly and your user experience – which will no longer be personalised for you – may deteriorate. You may also be able to opt out from certain cookies through third party cookie management sites. Disabling cookies may prevent you from using certain parts of our website. If you delete your cookies from the browser, you may need to remember to re-install opt-out cookies.
In the past we would have dropped the cookies in your device when you accessed our online platforms. For removing these cookies, you will need to go to your respective browser settings in your devices and remove them.

Recipients: Who we share your personal data with:

We only share your personal data with the following persons and/or in the following circumstances,and only as may be necessary:

  • Your authorised representatives
  • Third parties we need to share your personal data with in order to facilitate payments you have requested (for example, SWIFT, credit card issuers and merchant banks) and those you ask us to share your personal data with.
  • We may also share your personal data with the following third parties to help us manage our business for our legitimate interests:
    • Statutory and regulatory bodies and authorities (including central and local government) and law enforcement authorities, investigating agencies and entities or persons, to whom or before whom it is mandatory to disclose the personal data as per the applicable law, courts, judicial and quasi-judicial authorities and tribunals, arbitrators and arbitration tribunals.
    • Overseas regulators and authorities in connection with their duties (such as crime prevention).
    • Third parties bank may engage to provide services to you.
    • Processors and service providers of HDFC Bank engaged for its various activities and services.
    • Credit information companies or Credit reference entities, identity and address verification organizations who may record and use your information and disclose it to other lenders, financial services organizations and insurers. Your information may be used by those third parties to make assessments in relation to your creditworthiness for debt tracing
    • Other banks and financial institutions, quasi governmental institutions like clearing houses, network associations etc where required in terms of contract or legal requirements
    • Transferees and assignees and potential transferees and assignees of HDFC Bank
    • Courier or postal service providers for the purpose of sending or collecting of mails to you as a customer
    • Any other person or organization after a restructure, sale or acquisition, as long as that person uses your information for the same purposes as it was originally given to us or used by us (or both)
    • HDFC Bank’s branches in India or outside India, its subsidiaries, Affiliates and group entities.

For further information, please refer to our product specific terms and conditions and application form.

Period of storage of your personal data

We will keep the personal data we collect about you on our systems or with third parties for as long as required for the purposes set out above or even beyond the expiry of transactional or account based relationship with you: (a) as required to comply with any legal and regulatory obligations to which we are subject or (b) for establishment, exercise or defence of legal claims.

Implications of not providing personal data or Withdrawing Consent

Sharing personal data with us is in both your interest and ours.

We need your personal data in order to:

  • Provide our products and services to you and fulfil our contract with you.
  • Manage our business for our legitimate interests.
  • Comply with our legal obligations.

When we request personal data, we will inform you if providing it is a contractual requirement, a statutory requirement or not, and whether or not we need it to comply with our legal obligations.

You may choose not to share personal data or withdraw consent, but doing so may limit the services we are able to provide to you (unless consent is not the only legal basis for processing and there are other legal basis as well), particularly as under.

  • We may not be able to provide you with certain products and services that you request. We may not be able to continue to provide you with or renew existing products and services if such collection or updating of personal data is a legal or regulatory requirement to which we are subject.
  • We may not be able to assess your suitability for a product or service, or, where relevant, give you a recommendation to provide you with a HDFC Bank financial product or service.

However, if you withdraw your consent, it will not affect the lawfulness of processing based on your consent before its withdrawal or the other legal basis which we may have for such processing.

Processing your personal data outside the EEA

HDFC Bank is incorporated and regulated in India, its overseas branches are regulated by host country regulations and subsidiaries are governed under applicable laws. As such, your personal data is stored on secure systems within HDFC Bank premises within India and with providers of secure information storage in India. Further, we may transfer or allow the transfer of personal data about you and your products and services with us to our service providers and other organisations outside the European Economic Area (EEA), with adequate safeguards to ensure your personal data remains adequately protected.If you need copy of safeguards provided to transferred personal data, please notify us in accordance with the “How to contact us?” section below. These jurisdictions and countries outside EEA may have different and less stringent laws relating to the degree of confidentiality afforded to the personal data and that such information can become subject to the laws and disclosure requirements of such countries, including disclosure to governmental bodies, regulatory agencies and private persons, as a result of applicable governmental or regulatory inquiry, court order or other similar process. In addition, a number of countries have agreements with other countries providing for exchange of information for law enforcement, tax and other purposes.

For example, we may process payments using third parties (including other financial institutions such as banks and the worldwide payments system operated by the SWIFT organisation)

How do we secure your Personal data?

HDFC Bank is ISO 27001:13 compliant. We seek to use reasonable organizational, technical and administrative measures to protect Personal data within our organization. However, if you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “How to contact us?” section below.

How to exercise your information rights (including the right to object)?

You have the following rights, in accordance with and subject to the qualifications and provisions under GDPR:

  • The right to request from us as the controller, the access to and rectification or erasure of your personal data or restriction of processing concerning you or to object to processing as well as the right to data portability;
  • Where the processing is based on your consent, the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before such withdrawal. Please however note that in case such processing is also based on other legal basis like our legitimate interest or legal obligation or contractual performance or a necessity for entering into contract, and such legal basis continues to hold good, the processing will be continued despite such withdrawal of the consent.
  • A right to lodge a complaint with a supervisory authority in accordance with the GDPR;

Right to object

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which processing is based on necessity for the purposes of legitimate interests pursued by us or third party, including profiling. Upon such exercise of your right, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds: (a) for the processing which override your interests, rights and freedoms or (b) for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to this use, we will stop using your information for direct marketing purposes.
If you exercise any of the aforesaid rights, in most instances, we will respond within one calendar month. If we are unable to deal with your request fully within a calendar month (due to the complexity or number of requests), we may extend this period by a further two calendar months. Should this be necessary, we will explain the reasons.However, where we have reasonable doubts concerning your identity, we may request the provisions of additional information necessary to confirm your identity. Ordinarily, we will not charge a fee for the exercise by you of any rights as above. However, we may charge a reasonable fee if your request for access is found to be excessive or unfounded. Alternatively, we may refuse to comply with the request in such circumstances.
If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise.

Links to Other Websites

From time to time, our website may contain links to and from websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites may have their own privacy notices and that we do not accept any responsibility or liability for any such notices. Please check these notices, where available, before you submit any personal data to these websites


If you are a parent of a child under 16 (or such age as applicable for GDPR purposes in the respective EU Member States), you give your consent or authorise the consent if you wish your child to access HDFC Bank Services.

In How to contact us

If you have any questions about how your personal data is gathered, stored, shared or used, or if you wish to exercise any of your information rights, please contact our Privacy Contact at
Phone Banking: +91 22 67606161

Changes to this notice

We will update this Data Privacy Notice from time to time. Any changes will be communicated to you and made available on this page and, where appropriate, notified to you by SMS, e-mail or when you log onto website or start one of our mobile apps.
Dated: 12th June 2018