Customer Fair processing notice

In the course of our relationship with you or the firm you are associated with, we may receive personal data relating to identified or identifiable individuals, including but not limited to your employees, authorised representatives, directors, shareholders, ultimate beneficial owners, guarantors and beneficiaries. In this notice, we refer to this information as "personal data", which is any information relating to such individuals.

This notice sets out the basis on which we will process this personal data. Please read this notice carefully to understand our practices regarding personal data and how we will use it, your rights in relation to personal data and how to contact us or the supervisory authority in the event of a complaint.

About us

FirstRand Bank Limited (London Branch) is the UK branch of FirstRand Bank Limited, acting through its Rand Merchant Bank division (herein referred to as “RMB” throughout the rest of this notice), which is incorporated under the laws of South Africa.

FirstRand Securities Limited is an authorised entity which is incorporated in England and Wales. This entity is regulated by the Financial Conduct Authority (herein referred to as “FCA” for the rest of this notice) to conduct certain regulated activities in the UK.

Both entities, FirstRand Bank Limited (London Branch) & FirstRand Securities are collectively, herein referred to us as “FRUK”, “we”, “us” or “our” throughout the rest of this notice.

Our UK registered address is at The Broadgate Tower, 20 Primrose St, London EC2A 2EW.

We are registered as a data controller with the UK Information Commissioner’s Office as follows:

FirstRand Bank Limited (London Branch): registration number Z1384125.

FirstRand Securities Limited: registration number ZA369607

Contact us

If you have any queries concerning this notice or our data processing practices, please contact our Data Protection Officer by email a. You can also write to us using our registered UK address, as set out above.

Information we collect

We collect personal data as necessary to:

• enter into a relationship with the firm you are associated;
• enable us to provide our services and carry out your instructions;
• manage and operate our business; and
• comply with our legal and regulatory obligations.

The personal data that we collect in the course of our relationship with the firm you are associated may include, but is not limited to, the following:

• Basic ID information, including your name, gender, date of birth and specimen signature;
• Contact details, including telephone number(s), email address, home and business address;
• KYC information, including copies of passport, national identity card, driving licence, utility bills, adverse news reports, bank statements and similar documents, immigration status and work permits, source of wealth, relationships with public officials and criminal record;
• Professional information, including business and professional qualifications and experience, information relating to our business relationship, such as the services we provide you;
• Marketing information, including spouse name, sector focus, preferences; and
• Communications and IT information, information we obtain from our IT and communications monitoring, including telephone recordings.

This personal data is required to enable us to provide our services to the firm you are associated. If you or the relevant individuals do not provide the personal data we ask for, it may delay or prevent us from providing services to you.

You confirm that you are authorised to provide to us the personal data which we shall process on your behalf.

Where the personal data relates to employees, authorised representatives, directors, shareholders, ultimate beneficial owners, guarantors or beneficiaries of the firm you are associated, it may not be reasonably practicable for us to provide to them the information set out in this notice. Accordingly, where appropriate you are responsible for providing this information to any such person.

How personal data is collected

We will collect most of the personal data referred to above directly.

However, we may also collect certain personal data from the following third parties:

• customer due diligence and business information providers (such as World Check);
• KYC and document management data platforms (such as Debt Domain);
• consultants and other business contacts involved in your matter;
• other financial institutions;
• publicly accessible sources, such as Companies House or the international equivalent thereof; and
• social media networks, such as LinkedIn.

How we use the information we collect about you

As a data controller, we will only use your personal data if we have a legal basis for doing so. The purposes for which we use and process your information and the legal basis on which we carry out each type of processing are explained in the table below.

Categories of information	Purposes for which we will process the information	Legal Basis for the processing
Basic ID information, KYC information	Prior to providing our services, we need to carry out Customer Due Diligence (“CDD”) checks on the firm with which you are associated. For the prevention and detection of fraud and other crimes on an ongoing basis.	Compliance with a legal obligation. Compliance with a legal obligation.
Basic ID information, contact details, professional information	To provide the firm with which you are associated with the services you have requested. To investigate and respond to a complaint. For referral purposes.	It is in our and your legitimate interests that we process your personal data in order for us to be able to provide our services. It is in our legitimate interests to investigate and respond to complaints in order to maintain good customer relations. It is in our and your legitimate interests that we refer you or the firm you are associated to our business contacts in certain circumstances.
Professional information, KYC information	To carry out associated administration, accounting and reporting in connection with your matters.	Compliance with a legal obligation.
Professional information, communications and IT information	For operational reasons, such as improving efficiency, training and quality control, systems testing and network monitoring. To prevent unauthorised access and modifications to our systems. To comply with regulatory requirements. To comply with our internal business policies. To record telephone calls	It is in our legitimate interests to be as efficient as we can so we deliver the best service for you. It is in our legitimate interests to prevent and detect criminal activity that could be damaging to our and your business. Compliance with a legal obligation. It is in our legitimate interests to adhere to our own internal procedures so that we can deliver an efficient service to you. Compliance with a legal obligation.
Contact details, KYC information, professional information	For updating customer records.	To comply with our legal and regulatory obligations.
Contact details, professional information, marketing information	For marketing our services, including sending you customer alerts and newsletters and inviting you to events or other functions which we believe may be of interest to you. To request feedback on the performance of our services.	It is in our legitimate interests to market our services to develop and grow our business.  It is in our legitimate interests to obtain feedback as to our performance so that we can improve upon this.
Contact details, professional information	Sharing your details with third parties so you can be kept up to date with business information, including relating to potential and actual investor information.	It is in our and your legitimate interests for your information to be shared in this way so you are up to date with the latest business information.

Data retention and storage

All personal data you provide to us, or which we obtain from third parties, will be stored on our secure servers (or those of third parties or contractors we engage to help us run our business).  We will keep information no longer than we need to for the purpose for which we collected it, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, legal and regulatory requirements, the purpose for which the information was obtained, and our business needs.

Who we share your data with

Where necessary for the purposes outlined above, we may share information about you with international FirstRand Group entities, including in South Africa and other countries outside the UK and EEA.

We may also share your personal data with the following third parties:

• professional advisers and third parties in accordance with your instructions;
• our insurers, brokers or advisers, auditors, lawyers or risk managers who we or they may appoint;
• third parties to whom we transfer our rights under your firm’s agreement with us;
• third party processors, service providers, representatives and agents that we use to make our business more efficient, such as IT service providers, CDD service providers, or analytics providers;
• regulators, courts, public authorities (including tax authorities), to the extent we are required to do so under applicable law or if necessary to establish, exercise or defend legal claims; and
• potential purchasers of elements of our business or investors in our business

International transfers

Pursuant to the above, personal data may be transferred to recipients located in countries outside the UK and European Economic Area including the different countries in which FirstRand Group entities are located which may not provide the same standard of data protection laws as the UK.

Where personal data is transferred to and stored in a country not determined by the UK or European Commission as providing adequate levels of protection for personal data, we take steps to provide appropriate safeguards to protect your personal data, including entering into standard contractual clauses approved by the UK or the European Commission, obliging recipients to protect your personal data.

Where personal data is transferred outside the UK or Europe to a country not covered by a data protection adequacy determination, we will carry out a transfer risk assessment in that jurisdiction prior to any transfer of personal data in addition to signing an International Data Transfer Agreement (IDTA) with any affiliate in receipt of your personal data.

If you would like further information on the specific mechanism used by us when transferring your personal data outside of the UK or the EEA, please contact us using the contact details set out in the “Contact Us” section above.

Your rights

You have the following rights (subject to certain statutory exemptions):

• to be informed about the processing of your personal data (this is what this statement sets out to do);
• to have your personal data corrected if it’s inaccurate and to have incomplete personal data completed;
• to object to processing of your personal data where we are processing it on the lawful basis of legitimate interests or for direct marketing purposes;
• to withdraw your consent to processing your personal data;
• to restrict processing of your personal data;
• to have your personal data erased;
• to request access to your personal data and information about how we process it; and
• to move, copy or transfer your personal data (“data portability”).

To exercise any of these rights, please write to your usual contact at FRUK or the Data Protection Officer via the contact details given in the “Contact Us” section above.

If you are unhappy about how your personal data has been used, you can contact us using the details above. You also have a right to complain to your local data protection supervisory authority. If you are in the UK, the relevant supervisory authority is the Information Commissioner's Office (https://ico.org.uk).

Changes to this notice

We may update this privacy notice from time to time and you can always access the current version at the following RMB website address: www.rmb.co.uk/page/customer-fair-processing-notice.

This notice was last updated on March 2026.