Electronic purchasing card (ePC) policy

10. GDPR

10.1 In accordance with UKGDPR, we recommend that when providing information for the SDoL system that you provide your work address, email and phone number.

10.2 In exceptional circumstances, and where there is no alternative, you may be asked to provide personal details to receive a card. Please only send that information to iFIX or ePC mailbox. (For example, where you are unable to access the office to receive your card and your home address is required to have your card sent there. This allows RBS to send you your card to your home address, they do not use the information for any other purpose).

10.3 The ePC mailbox is restricted to a small number of staff. On receipt of personal information to be uploaded to (SDoL), the email is deleted once the information has been uploaded to your profile on the system.

10.4 SDoL is password protected. You can see what details are being held about you on the 'account maintenance' section of the system. Only card holders and administrators can view this data, your card approvers and card controllers will not be able to access this data.

10.5 Applications are saved to eRDM and are kept for as long as is set out on the agreed SG retention policy and any applications sent through iFIX will also be stored for a maximum of 3 years as per ITECs data retention policy.

10.6 On receipt of a card cancellation form the application and financial information form is deleted from ePC eRDM folders but will remain as per 10.5 above.

10.7 RBS retention policy is to keep electronic applications for 7 years.