This privacy notice ‘Privacy Notice’ describes the ways in which we collect and use your data when you apply for a role with us or otherwise engage with us about a vacancy.  

In this Privacy Notice, “we” "us" and “our” refers to Tesco Personal Finance plc, trading as Tesco Bank and part of the Tesco Group. For the purposes of the personal data protection laws, we are responsible for the personal data about you that we collect and use.

Your personal data: how we collect, use, and protect it

It is very important to us that when you give us your personal data, you trust us to handle it responsibly. We have written this document to explain clearly how we collect, use and protect your personal data. In particular, it explains things like:

  • why we need your personal data for certain things
  • how we share your personal data with others
  • your rights under data protection laws

What the law says about handling personal data

The personal data protection laws control how we use your personal data, for example, we must be transparent about how we collect and use your personal data. They also grant you rights, such as the right to access the personal data that we hold about you (see section ‘Your Rights’).

What sort of data do Tesco Bank collect from you?

What the law says about processing

The law requires us to tell you how we process your personal data. “Processing” is a legal term that means anything we do with your personal data, such as collecting, gathering, obtaining, administering, adapting, keeping and deleting your personal data.

We collect and keep data about you

This includes the personal data you give to us via the Tesco Bank Recruitment Portal or over the phone when you apply for a vacancy and throughout the application journey (this includes personal data you may store in the ‘save and retrieve’ function before you submit an application). It also includes personal data you give us any time you write to us or contact us electronically.  

We collect the following personal data from you as part of the recruitment process:

  • basic details about you such as your name, email address, postal address and contact telephone number
  • your CV if you provide one to us
  • your qualifications (academic and professional)
  • details about current and previous employment (including whether you are an existing or previous employee of Tesco Bank or another part of the Tesco Group) and your current salary and benefits
  • details about your right to work in the UK (such as your Eligibility to work in UK (self-certification), your Visa status and Work Authorisation.

If you decide to complete the voluntary diversity self-declaration, we will also collect information about your gender, ethnicity, marital status and any disabilities.

We may also gather other data about you

We may also obtain and combine data about you from other places, such as the wider Tesco Group (for example if you move from another part of the Tesco Group), credit reference agencies, financial crime prevention agencies and publicly available resources, such as the electoral register and the internet.

We do this so we can make sure the personal data we hold about you is accurate, to perform checks, and make you an offer of employment.  

If you are being considered for a role, we will carry out certain pre-employment screening checks (self-certification), including  adverse financial information,  criminal records,  dismissals or disciplinaries in last five years or six years if you are applying for a role covered by the Senior Manager and Certification Regime.

More information about the times we collect personal data about you

When you call us we monitor and record calls to and from our customer service centres to improve our service and to prevent and detect fraud.
When you contact us electronically (for example by email or Internet), we may collect an electronic identifier, such as your internet protocol address.
When you visit our website we collect data about your browsing habits using cookies.  For more information about how we use cookies, please see below.

We will only ask for necessary personal data unless we tell you otherwise

We will ask for personal data that is essential for us to know so that we can process your application. If we ask for personal data that is not essential, we will explain why and tell you the consequences if you do not provide us with the personal data.

How does Tesco Bank use your personal data?

We use your personal data to process your application

We will need to use this personal data at all stages of our relationship with you, including:

  • when you apply for a role
  • during the application process
  • to assess candidates’ suitability for a role and selection for interview

You may be contacted by telephone or email to check, confirm or clarify any of the data that you have provided.  Successful applicants who are offered a role are subject to pre-employment screening checks.

We also use your personal data for other ‘legitimate business interests'

These are other uses allowed by law which are necessary to enable us to progress your application. These include:

  • detecting and preventing fraud, other forms of financial crime, and other unlawful acts (see fraud prevention section below)
  • managing and operating our business
  • improving our business (see below)

We may use your personal data to improve our business

The law allows us to use your personal data in reasonable ways to help us improve our business.

The ways we might use your personal data to improve our business are to:

  • understand applicants’ needs and requirements
  • carry out research and analysis
  • to improve our colleague proposition.

When we use your personal data to improve our business, we always make sure we keep the amount of data we collect and use to an absolute minimum.

We will not use your personal data to send you marketing information.

Who do we share your personal data with?

We will only share your personal data

  • where we have your permission
  • where the law says we must
  • where sharing the personal data meets the requirements of the data protection laws

Whenever we share data, we only share the amount necessary to achieve the objective of the sharing.

We will only share your personal data with these people:

  • with regulatory bodies and authorities
  • with credit reference agencies
  • with fraud and other financial crime prevention agencies
  • recruitment agents in connection with applications they have placed with us on your behalf
  • with our service providers (IT service providers).

Fraud Prevention

We will use your data to make checks with national fraud databases

We will share your data with the “Cifas” fraud prevention service to check your details against the Cifas databases established for the purpose of allowing organisations to record and share data on their fraud cases, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct (“Relevant Conduct”) carried out by their staff and potential staff. “Staff” means an individual engaged as an employee, director, trainee, homeworker, consultant, contractor, temporary or agency worker, or self-employed individual, whether full or part time or for a fixed-term.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and other relevant conduct and to verify your identity.

Details of the personal information that will be processed include: name, address, date of birth, any maiden or previous name, contact details, document references, National Insurance Number, and nationality. Where relevant, other data including employment details will also be processed.

We and Cifas may also enable law enforcement agencies to access and use your personal data to detect, investigate, and prevent crime.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and other Relevant Conduct, and to verify identity, in order to protect our business and customers and to comply with laws that apply to us. This processing of your personal data is also a requirement of your engagement with us.

Cifas will hold your personal data for up to six years if you are considered to pose a fraud or Relevant Conduct risk.

What this means for you

Should our investigations identify fraud or any other Relevant Conduct by you when applying for or during the course of your engagement with us, your new engagement may be refused or your existing engagement may be terminated or other disciplinary action taken (subject to your rights under your existing contract and under employment law generally).

A record of any fraudulent or other Relevant Conduct by you will be retained by Cifas and may result in others refusing to employ you. If you have any questions about this, please contact us using the details provided.

Data Transfers

Should Cifas decide to transfer your personal data outside of the European Economic Area, they will impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

How we handle sensitive personal data

When we need to use sensitive personal data

Sometimes we will ask you for sensitive personal data (for example diversity, adverse financial and criminal record information, but only if you decide to complete the optional diversity questionnaire).  If required, to comply with data protection laws, we will ask for your explicit consent to use this data (data protection laws call this ‘special category data’ or 'sensitive personal data').

How we handle data about special circumstances

We handle data about any special circumstances as carefully and confidentially as any other data we hold about you. This includes data about things you tell us so that we are able to provide you with additional assistance (for example if you are hard of hearing) and also information that laws or regulations say we must record (for example, if any underlying medical condition has led to you appointing a Power of Attorney).

How we use your personal data to contact you

We will contact you in a variety of different ways

We may contact you by phone/post/email and SMS. If you have given us an email address or mobile number, we might also use these to contact you about your application (for example, to keep you updated about how your application is going).

We keep confidential data to a minimum via email and text

This is because emails and texts are less secure. (You should never send us any confidential data via email or text).

Sending your personal data to other countries

We will only send your personal data outside the EEA if we know it will be well protected

Sometimes we might send your personal data to another country if, for example, our service provider has a data centre overseas.

All countries within the EEA have broadly the same data protection laws. Before sending your personal data outside the EEA, we check that the recipient will be able to keep your personal data secure and that:

  • the EU Commission confirms that the recipient is established in a country which offers essentially equivalent protection to that provided within the EEA; or
  • it is to a private US company that has self-certified with the Privacy Shield

If neither of these apply, then we ask the recipient to sign the EU Commission’s ‘model contract’. This means they must meet EU standards of data protection.

When your personal data is in another country, it may be accessed by law enforcement agencies in those countries. They do this to detect and prevent crime, or because the law says they must.

For more information about sending your personal data overseas, you can write to: The Data Protection Officer, Tesco Bank, EHQ, 2 South Gyle Crescent, Edinburgh, EH12 9FQ

How long do we keep your personal data for?

If your application is successful, your data will be retained in order to offer you an employment package and thereafter, for the purposes of your employment with us.  You will be provided with further privacy policy when joining, setting out how we process your data as part of your employment, including how long we keep your data for.  

If your application is unsuccessful, we will retain your data for 2 years as a potential talent pool.  We will use this to notify you about potential future opportunities.  If you do not wish us to retain your data for this purpose, you can remove your candidate information from Tesco Bank Recruitment Portal.

What happens if we change how we use your personal data?

We will contact you if there are any important changes to how we use your personal data

If we think it’s a change you would not expect, we will let you know.

Some changes might need your consent, or need you to opt out

If this is the case, we will always wait until you have let us know your decision before making any changes to the way that we use your personal data.

Your rights

You have the right to know what data we hold about you

this is called your ‘data subject access rights’.

The law says that you are entitled to see what data we hold about you.

If you ask us for this, we will send you a copy of the requested personal data we hold about you. (There are a few exceptions to this, such as access to personal data about third parties).   

If you want a copy of your personal data, please write to:

The People Advisory Partner
The People Team
Tesco Bank
199 Renfield Street
G2 3AX

You can also email us at

We will respond to your request within one month.
We may get in touch sooner if we need extra information to help us find your personal data, or to verify your identity.

You have the right to have the personal data you have provided to us supplied to you in an easily transferable digital format.

This is known as the ‘right to data portability’.
This means you can ask us to send your personal data in this format to you, or to another organisation (for example, another bank or insurer).

You have the right to change or amend your personal data

If you think any of the personal data we hold about you is incorrect or incomplete, let us know and we will change it.

You have the right to stop us using, restrict us using, or request that we erase the personal data we hold about you

If you want us to stop using, or restrict our use of, your personal data, or you want us to erase it entirely, please let us know. There are times when we may not be able to do this – for example, if the information is related to an existing or recently expired contract between you and us, or if the law says we need to keep your personal data for a certain amount of time.

You have the right to withdraw your consent at any time

Sometimes we need your consent to process your personal data. If you have given consent, you can change your mind and withdraw it. To do this, get in touch by using the relevant contact details from our website.

However, we do not always need your consent to use your personal data.  There is some information this doesn’t apply to. For instance;

  • the information that it’s necessary we have in order to run our business (known as the "legitimate interests" condition), or
  • the information the law says we must collect and use

Contact us for more information about how we handle your personal data

If you have concerns about how we handle your personal data, or just want more details, please call us (see contact us section on our website) or write to the address below. We will try and sort things out as quickly as we can. Please write to:  

The Data Protection Officer
Tesco Bank
EHQ, 2 South Gyle Crescent
EH12 9FQ

For more data about your rights, visit the Information Commissioner’s Office website

The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights, and promote data privacy for individuals. Their website is

If you have a complaint or concern about how we have handled your personal data and we have not been able to sort it out to your satisfaction, you have the right to lodge a complaint with the ICO.


In order to comply with new rules, we use a system of classifying the different types of cookies which we use on the Website, or which may be dropped by third parties through our websites. The classification was developed by the International Chamber of Commerce UK and explains more about which cookies we use, why we use them, and the functionality you will lose if you decide you don't want to have them on your device.

What is a cookie?

Cookies are text files containing small amounts of information which are downloaded to your personal computer, mobile or other device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user's device.

Persistent cookies - these cookies remain on a user's device for the period of time specified in the cookie. They are activated each time that the user visits the website that created that particular cookie.

Session cookies - these cookies allow website operators to link the actions of a user during a browser session. A browser session starts when a user opens the browser window and finishes when they close the browser window. Session cookies are created temporarily. Once you close the browser, all session cookies are deleted.

Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improve the user experience. They can also help to ensure that adverts you see online are more relevant to you and your interests.

You can find more information about cookies at and

Cookies used on the Website

A list of all the cookies used on the Website by category is set out below.

Strictly necessary cookies

These cookies enable services you have specifically asked for. For those types of cookies that are strictly necessary, no consent is required.

These cookies are essential in order to enable you to move around the Website and use its features, such as accessing secure areas of the Website. Without these cookies services you have asked for, like shopping baskets or e-billing, cannot be provided.

Performance cookies

These cookies collect anonymous information on the pages visited. By using the Website, you agree that we can place these types of cookies on your device.

These cookies collect information about how visitors use the Website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don't collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how the Website works.

Functionality cookies

These cookies remember choices you make to improve your experience. By using the Website, you agree that we can place these types of cookies on your device.
These cookies allow the Website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.

Using browser settings to manage cookies

The Help menu on the menu bar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether. You can also disable or delete similar data used by browser add-ons, such as Flash cookies, by changing the add-on's settings or visiting the website of its manufacturer.

However, because cookies allow you to take advantage of some of the Website's essential features, we recommend you leave them turned on.

This is a list of the main cookies set by the Website, and what each is used for:

Cookie name

Cookie use

Cookie duration




Metrics: Google

2 years uses Google Analytics, a web analytics service provided by Google, Inc ("Google"). Google Analytics sets a cookie in order to evaluate your use of the website and compile reports on user activity. Google stores the information collected by the cookie on servers in the United States. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. By using the Website you consent to the processing of data about you by Google in the manner and for the purposes set out above.


Metrics: Google

30 mins


Metrics: Google



Metrics: Google

6 months







Metrics: Gaia Insight

30 mins

We use Gaia Insight to enable us to understand how visitors interact with the Website particularly the paths visitors take through the site. This data is used to help understand how visitors interact with the site and the way in which they navigate through it. Your IP address and other personally identifiable data is not associated with any other data held by Gaia Insight.










Metrics: Crazy Egg

5 years

We use Crazy Egg to see how visitors interact with areas of a page. No personally identifiable data is captured during this process.










Metrics: Tesco

25 years

This cookie is used to identify users that have accepted the use of cookies on the Website.