GDPR Question

How has Monzo adapted its app to be compliant with GDPR?

The categorisation of spend looks to include “personal”; is that not a special category?

What tracking can I turn off in the app?

Everything the app needs to work is opt-in through permissions in-app. You can turn these on and off through your OS settings, however, most of these will be used for the app to function as intended.

The personal category is for things you’d categorise as personal transactions to yourself. So, gym membership, dentist check up, prescription charges etc.


I thought that was where I put toothpaste & shampoo etc.


Ok, do I actually categorise the personal transactions myself?

How do I raise a Subject access request for right of access?

You have a right to:
Access the personal data we hold about you, or to get a copy of it.
Make us correct inaccurate data.
Ask us to delete, ‘block’ or suppress your data, though for legal reasons we might not always be able to do it.
Object to us using your data for direct marketing and in certain circumstances ‘legitimate interests’, research and statistical reasons.
Withdraw any consent you’ve previously given us.
To do so, please contact us through the app or by emailing

That’s not really how GDPR works. It’s not about giving you a ‘personal’ category for your spending.

Your name is your data which could identify you. So is your address. So is your facial image. So is your bank card number.

Basically, Monzo (or any bank account, or shop transaction) can’t work without them collecting, storing, processing and passing on some personal data, so you give them that permission when you agree to the Terms and Conditions by opening a bank account. You give shops permission to do the same when you buy something.


I am aware.

But if there is a transaction where I purchased something at a church or to do with my religious beliefs, that becomes a special category.

Under ICO;
special category data is more sensitive, and so needs more protection. For example, information about an individual’s:

ethnic origin;
trade union membership;
biometrics (where used for ID purposes);
sex life; or
sexual orientation.

So how does Monzo categorise these transactions? Would they fall under the personal pot or something different? I assume they are unable to do any categorisation around them without my consent?

I imagine it would be general or shopping. Boots chemist is personal care, Superdrug is personal care, gyms are personal care, church sales not so much

Well as Monzo already process your biometrics I’d imagine they simply process all your data at the same, higher category of protection.

It’s a bank, their security systems and processes will already probably be some of the most robust you’ll ever rely on for anything.


That’s not quite how it works.

Merchants have to create contracts with Visa/Mastercard/AMEX etc. Part of the contract is to tell the merchant network (like MasterCard) what sort of transaction it is. That sort of detail includes payment amount, auth codes, merchant name, location, category etc. Whenever you use your debit or credit card, the merchant network receives all this information.

By using a debit or credit card provisioned by Visa, Mastercard etc, you already consent to that data being used. If you prefer not to, you can simply not use their service, and use cash instead.

The debit/credit card is inadvertently linked to the bank. And when a bank is deciding to authorise a payment or not, it may take into consideration the merchant category code (and therefore needs to know it).


In my limited understanding I think that this is missing the point of GDPR entirely which deals with protection of your personal data.

The required consent is nothing at all to do with how your bank categorises your purchases, but more about whether they can use your name, address and purchase history for other purposes. Which they can’t without permission and (I firmly believe) Monzo won’t anyway.

You appear to be asking questions in an area that is simply unrelated to the legislation.


I would have thought that, whilst pertinent for maybe sending you marketing emails, Consent is not the main legal basis for Monzo processing your data. I’d have thought Contract, Legitimate Interests and Legal Obligation are more appropriate bases.

You can’t expect to open a bank account and withdraw consent.


Why not? Close your account, and they are required to stop processing your data up to what the AML laws require (so they will keep some of your data as archives, but you could have a point that this data should be kept in a separate system).

The point is Consent is not an appropriate basis for running a bank account. Contract seems more appropriate as both parties enter into a contract with one another.

Of the legal bases, Consent is the most narrowly defined so a lot of companies use another, more appropriate basis.

Of course, terminating a contract is akin to withdrawing consent for Monzo to provide you with banking services, but as you know, under money laundering legislation you wouldn’t be able to withdraw your consent for all of your data to be processed, because some data is required to be kept after your contract with Monzo ends.


The spending categories you see in the app have absolutely nothing (in my knowledge) to do with how Monzo treats your data. Their sole purpose is to give you spending insights. Monzo tries to determine the appropriate category via the Merchant Category Code, which is passed on by Mastercard when you use your debit card at a point of sale.

