BMO Financial Group appreciates the opportunity to help you meet your financial needs. From the day Bank of Montreal was founded in 1817, earning and keeping your trust has been at the very core of our business. We are committed to respecting and protecting your Personal Data. It is important for you to understand what Personal Data we will collect, how we will use it and who may see it.
We have strict policies and procedures governing how we deal with your Personal Data. Every employee is responsible for respecting and protecting the Personal Data that they have access to.
Our Data Protection Officer oversees how we deal with your Personal Data. Please see below for information on how to reach our Data Protection Officer.
When we collect your Personal Data, we may use or disclose it for the following purposes. Below each purpose, we note the lawful basis that allows that use of your Personal Data. There is often more than one lawful basis for each purpose. Annex B provides further detail on the scope of the lawful bases.
We may monitor calls and transactions to ensure service quality, to comply with law and regulation and our internal procedures and to combat fraud and other criminal activity.
If a new purpose for using your Personal Data develops, we will update this policy to identify that purpose.
Some of our processing is permitted by legal bases other than consent (see Identifying Purposes above). In relation to Direct Marketing, where we must do so, we will obtain your consent before using your Personal Data for this purpose. If you do not want to receive our Direct Marketing communications and/or do not want your Personal Data shared among relevant members of BMO Financial Group in Europe for the purpose of marketing, you can have your name deleted from our Direct Marketing and/or shared information lists. If you want to change your privacy preferences, please contact the BMO Financial Group company that you do business with or using the unsubscribe link provided in any of our electronic marketing communications.
In relation to the processing of criminal convictions data and politically exposed persons data and to the extent another ground cannot be applied, we rely on your consent. Such consent is necessary for us to provide our services and should you withdraw such consent we may have to stop providing certain services to you.
We only collect the Personal Data that we determine we need for one (or more) of the purposes set out in Principle 2.
For example, we may collect:
We will only use or disclose your Personal Data for the purpose(s) it was collected for and as otherwise identified in this Privacy Code.
Sharing outside the BMO Financial Group: Personal Data may be provided to third parties, including regulatory or law enforcement authorities, court services, and anti-fraud organisations:
Unless prohibited by law, we can give you details of any such third party disclosures upon request.
Sharing within the BMO Financial Group: we may share your Personal Data within the BMO Financial Group, including locations outside of the European Economic Area (EEA) for marketing purposes, for legal and regulatory purposes, to manage business risks, to perform analytics, to ensure we have correct or up-to-date information about you (such as your current address or date of birth) and to better manage your relationship with us.
Business sale or re-organisation: over time, we may buy new business or sell some of our business. Personal data associated with any accounts, products or services of the business being sold will be reviewed as part of the due diligence process and subsequently transferred as a business asset to the new business owner. We may also transfer Personal Data as part of a corporate re-organisation or other change in corporate control.
Sub-contractors and agents: we may use affiliates or other companies to provide services on our behalf or to enable us to offer and provide our products and services to you, such as data processing, account administration, fraud prevention and detection, analytics and marketing. We will only give these companies the Personal Data needed to perform those services. We do not authorise them to use or disclose your Personal Data for their own marketing or other purposes. We have contracts that hold these companies to the same standards of confidentiality and information security that govern us.
Transfers outside the EEA: your Personal Data may be accessed by staff or suppliers in, transferred to, and/or stored in a country outside the EEA, in which data protection laws may be of a lower standard than within the EEA. Regardless of location, we will impose the same data protection safeguards that we use inside the EEA.
Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws (see the full list here) and therefore no additional safeguards are required to export Personal Data to these jurisdictions. In countries which have not been approved, we will establish a legal basis to justify transferring Personal Information, such as contractual terms approved by the European Commission that impose equivalent data protection obligations directly on the recipient.
Please Contact Us if you would like to see a copy of the specific safeguards applied to the export of your Personal Data.
Our retention periods for personal data are based on business needs and legal requirements. We retain Personal Data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. For example, we may retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When Personal Data is no longer needed, we either irreversibly anonymise the data (we may further retain and use the anonymised information) or securely destroy the data.
We are committed to keeping your Personal Data accurate, complete and up-to-date. If you discover inaccuracies in our records, or your Personal Data changes, please notify the BMO Financial Group company that you do business with immediately so that we can make the necessary changes. Failure to notify us of changes to your Personal Data may negatively impact the way we communicate or provide services to you. Where appropriate, we will advise others of any material amendments to your Personal Data that we may have released to them. If we do not agree to make your requested amendments, you may challenge our decision as described in the Contact Us table below.
We use an extensive range of safeguards to protect your Personal Data.
We have agreements and controls in place with third party service providers requiring them to safeguard any Personal Data we provide to them and use the Personal Data only for the purpose of providing the service we have requested them to perform.
From time to time, we may make changes to this Privacy Code. Where we have your email address, we may email you if the changes are material. Otherwise, we will not. We therefore recommend that you check the Code from time to time.
Please see Contact Us to answer any questions you may have about our Privacy Code.
The BMO Financial Group company that you correspond with will usually determine the purpose of processing your Personal Data and the way in which it is processed. Sometimes the company will do it jointly with others, depending on the products and services you use. Data protection contact details of these companies can be found in the Contact Us section.
Personal Data must be processed in line with your rights as a Data Protection Officer. In the EU, Data Subjects generally have the rights listed below. However, these are subject to certain exceptions and variations in different EU member states. If in doubt, please contact the Data Protection Officer Officer.
Data Subjects can:
Subject access: be provided access to a copy of any Personal Data held about them.
Rectification: require inaccurate Personal Information be amended.
Erasure: require erasure of Personal Data in certain circumstances. Where the data has been disclosed to third parties for processing, Data Subjects can require us to take reasonable steps to inform them that they have requested its erasure of any links to copies of or replication of it.
Withdrawal of consent: withdraw any consent to processing that they have given us and prevent further processing if there is no other ground under which we can process their Personal Data.
Restriction: require certain Personal Data to be marked as restricted while complaints are resolved, and also restrict processing in certain other circumstances.
Portability: have their Personal Data transmitted in a commonly used machine-readable format to them or another company that determines the purposes and means for which Personal Data is processed.
Prevent processing: require us to stop any Personal Data processing based on the legitimate interests ground, unless our reasons for undertaking that processing outweigh any prejudice to their data protection rights.
Marketing: require us to prevent processing (including profiling) of Personal Data for direct marketing purposes.
Your exercise of these rights is subject to certain exemptions under EU or local law, such as exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). If you exercise any of these rights, we will check your entitlement and will aim to respond within a month.
If you are not satisfied with our use of your personal information or our response to any exercise of these rights, you can complain to the relevant Data Protection Regulator.
If your complaint remains unresolved after speaking to a representative of the BMO Financial Group entity that you deal with, please contact the Data Protection Officer at:
BMO Financial Group
Office of the Data Protection Officer
95 Queen Victoria Street
London, EC4V 4HG.
If, after contacting us, you do not feel that we have adequately addressed your concerns, please contact the Data Protection Regulator in the country where the BMO Financial Group entity that you deal with is established, as set out in the chart above.
Our emails may contain a single, campaign-unique “web beacon pixel” to tell us whether our emails are opened and, combined with other technology, verify any clicks through to links within the email. We may use this information for determining which of our emails are more interesting to you and to query whether users who do not open our emails wish to continue receiving them. The pixel will be deleted when you delete the email. If you do not wish the pixel to be downloaded to your device, please select to receive emails from us in plain text rather than HTML, choose not to click links that we send you, or unsubscribe from the receipt of our emails. This information may be connected to your personal identity.
What are cookies?
Cookies are small text files that are stored on your device when you visit certain web pages. They provide us with valuable information and feedback, such as how and when pages on the website are visited, and what our users’ technology preferences are.
The cookies that we use on our website can be categorised into the following groups:
By using our website, you agree that we can place these types of cookies from us and third parties (such as Google Analytics, Hotjar and Flashtalking) on your device.
Amending cookie preferences
Click here for further information about cookies in general and instructions for managing cookies on many commonly used browsers. Alternatively, you can consult your browser provider for such instructions.
|Country||Business Unit Contact||Data Protection Regulator Contact|
|UK||Client Services +44(0)20 7011 4444||Information Commissioner’s Office 0303 123 1113|
|Austria||Rogier Van Harten +31 20 582 3795||Austrian Data Protection Authority E-Mail: firstname.lastname@example.org|
|Belgium||Rogier Van Harten +31 20 582 3795||Commission for the Protection of Privacy +32 (0)2 274 48 00|
|Finland||Robert Elfström +46 (0) 856646501||Data Protection Ombudsman +358 29 56 66700|
|France||Jean Michel Bongiorno +44 207 011 5233||Commission Nationale de l'Informatique et des Libertés +33 (0)220.127.116.11.22|
|Germany||Elmar Rathmayr +49 69 22228 3613||The Hessian Data Protection Officer PO Box 3163 65021 Wiesbaden +49 611 1408 – 0 https://datenschutz.hessen.de/uber-uns/kontakt|
|Ireland||State Street Fund Services (Ireland) Limited +353 1 242 5529||Office of the Data Protection Commissioner +353 (0761) 104 800|
|Italy||Giampaolo Giannelli +39 020068 1619||Italian data protection authority +39-06-6967 71|
|Luxembourg||State Street Bank Luxembourg S.A +352 46 40 10 7460||National Commission for Data Protection (+352) 26 10 60 - 1|
|Norway||Robert Elfström +46 (0) 856646501||Data Protection Authority|
|Spain||Luis Martin-Hoyos +34 91 419 89 01||Spanish Data Protection Agency (AEPD) Spanish Agency for Data Protection C / Jorge Juan, 6 28001-Madrid|
|Sweden||Robert Elfström +46 (0) 856646501||Data Inspection Board (DIB) +46 8 657 61 00|
|Switzerland||Rochus Appert +41 44 488 1951||Federal Data Protection and Information Commissioner (FDPIC) +41 (0) 58 462 43 95|
|Portugal||Joao Santos +351 21 003 3220||Comissão Nacional de Protecção de Dados (CNPD) (+ 351) 21 392 84 00|
|Netherlands||Marco Mante de Vreede +31 20 582 3074||The Dutch Data Protection Authority 0900 200 12 01|
|Country||Business Unit Contact||Data Protection Regulator Contact|
|UK||Business Unit Compliance Officer email@example.com +44 (0) 20 7495 4641||Information Commissioner’s Office 0303 123 1113|
|Country||Business Unit Contact||Data Protection Regulator Contact|
|UK||Angus Henderson +44 207 499 2244||Information Commissioner’s Office 0303 123 1113|
|Germany||Robert Gauggel +49 (0) 89 614 651 - 11||The Bavarian State Commissioner for Data Protection (BayLfD) 0981 / 53-1300|
|France||Ian Kelley/Adrien Brion +33 01 70395992/+33 01 70395993||Commission Nationale de l'Informatique et des Libertés +33 (0)18.104.22.168.22|
|Ireland||BMO Real Estate Partners firstname.lastname@example.org||Office of the Data Protection Commissioner +353 (0761) 104 800|
|Gibraltar||BMO Real Estate Partners email@example.com||Gibraltar Regulatory Authority (+350) 20074636|
BMO Financial Group means Bank of Montreal and all of its subsidiaries
Data Subject the person to whom the Personal Data relates. A BMO Financial Group entity established in the EEA determines the purposes and means for which this person’s Personal Data is processed.
Direct Marketing is our communication with you such as mail, telemarketing or email, using your contact information, to inform you about products and services that we think may be of interest and value to you. This does not include communications regarding products or services that you currently have, including improved ways to use the products, or additional features of the products as well as transactional information.
EEA means the European Economic Union
Personal Data is any information relating to an identified or identifiable Data Subject, i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. For the purposes of this Privacy Code, Personal Data is that which a BMO Financial Group entity established in the EEA processes.