Data Privacy Notice

‘We’, ‘our’, ‘us’, ‘Skipton Business Finance’ and ‘SBF’ in this Privacy Notice means Skipton Business Finance Limited. Skipton Business Finance Limited is a controller, responsible for the protection of the data it collects about you. 

This Privacy Notice explains the types of personal data we collect, what we do with it, who we share it with, how long we keep it and your rights.

It does not extend to other organisations, such as any external websites you may access from our website. Other organisations will inform you how they use your personal data.

We may collect, use, share and keep the following type of personal data about you:

Name, title, address, contact details (including any previous changes), date of birth and/or age

To:

  • identify you
  • communicate with you
  • manage your relationship with us
  • use for crime and fraud prevention purposes

Business Role (e.g. director, partner, shareholder, sole trader, company secretary)

To:

  • identify you
  • communicate with you
  • manage your relationship with us
  • use for crime and fraud prevention purposes

Account data (including performance information)

To:

  • manage your relationship and accounts with us
  • use for crime and fraud prevention purposes

Criminal convictions, pending convictions bankruptcy/receivership, county court judgements and court records

To:

  • assess the suitability of our accounts and services
  • use for crime and fraud prevention purposes

Information about your computer and your visits to and use of our website

(including your IP/MAC address, geographical location, browser type and version, operating systems, referral source, length of visit, page views, and website navigation)

To:

  • understand your needs and experience with us
  • manage your subscription to our website services
  • improve our systems and website services

The data protection regulations call certain types of sensitive data ‘special category’ data. These include: ethnic or racial origin; health; political opinions; religious or philosophical beliefs; trade union membership; sex life or sexual orientation and genetics or biometrics. In general we do not collect special category data about you, but sometimes the personal data we collect may reveal this.  We collect personal data about criminal convictions, (including pending convictions, bankruptcy/receivership, county court judgements, court records and pending orders). This is limited to the minimum required. If we make an adjustment to our service due to a health condition, we will aim to record the adjustment without reference to the health condition unless it is necessary to also record this information to effectively make the adjustment.

We only collect and use special category personal data with your explicit consent, or if we are required to by law, there is an overriding public interest, or where we believe you or someone else may be at risk.

Solicitors, accountants, brokers and other professional advisers

To:

  • provide professional services
  • manage your ongoing relationships
  • administer and manage disputes and / or legal claims

Financial organisations

To:

  • review and assess your suitability and application for products and services
  • manage payments (including the use of payment services involving the transfer of electronic payments into or out of your account) and transactions
  • respond to requests for the postponement of a charge on your property
  • detect and prevent fraud
  • assist with enquiries and investigations

Mailing houses and printers

To provide you with:

  • service information (eg account statements)
  • a range of other communications about our products, services, news and offers

We will only send you marketing material when you have given us your consent.  Upon giving us your consent, you will also be entitled to opt out of any future marketing related communications.

Information Technology service providers

To:

  • provide third party systems, storage, software and application support

Credit reference agencies

To:

  • verify your identity
  • assess your suitability and affordability for accounts and services
  • assess and confirm your credit worthiness

Fraud prevention agencies

To:

  • carry out checks for the purposes of preventing fraud and money laundering
  • verify your identity
  • to assess your suitability for products and services

Law enforcement agencies including police forces, private investigators, security organisations and prosecuting authorities

To:

  • assist with any ongoing investigations relating to the security and / or safety of individuals to detect and prevent crime

Courts and tribunals

To:

  • respond to court and tribunal requests, manage and resolve complaints, disputes and / or legal claims

Ombudsmen and regulatory organisations (e.g. Financial Ombudsman Service, Financial Conduct Authority, Prudential Regulation Authority, Financial Services Compensation Scheme, Information Commissioners Office)

To:

  • provide our regulatory and governing bodies with data about our business
  • assist with enquiries, investigations, complaints and assessments

Trade associations and industry groups

To:

  • assist with enquiries, investigations, complaints and assessments
  • develop industry standards
  • understand and predict trends in customer and financial behaviours

HMRC

To:

  • provide information for tax reporting purposes 
  • assist with enquiries, investigations, complaints and assessments
  • detect and prevent fraud

Central and local government departments and agencies (eg Department of Work and Pensions (DWP), Jobcentre Plus, local councils)

To:

  • confirm payments received and ongoing benefits
  • assist with enquiries, investigations, complaints and assessments

Field agents, debt collection agencies, tracing agents and appointed receivers and trustees in bankruptcy

To:

  • understand your circumstances and financial situation
  • assist in recovering debt
  • locate you when we have been unable to contact you via our usual communication channels
  • meet the law where receivers or trustees in bankruptcy have been appointed to deal with your financial affairs

Research and insight agencies

To:

  • better understand our customers including their experiences, life‐stages, circumstances, needs and responses to current and potential Skipton Business Finance products, services and wider initiatives
  • support a wide range of business decision making such as product development

In addition we use data for profiling and customer segmentation to create a broad understanding of our customers.

This helps shape our communications, products and the overall customer experience including how we handle phone calls and other customer contacts.

Management Consultancy firms

To:

  • gain insights into market trends, consumer behaviour, competitors, technological change
  • help make recommendations into future development and strategy
  • get support with a range of business decisions

Other organisations involved in handling mergers, acquisitions and other corporate transactions

To:

  • enable the sale or purchase of all or part of our business

We will only do this with adequate protection and with a contract in place to protect the security and confidentiality of your information.

External auditors, risk and rating agencies (eg Moodys, Fitch)

To:

  • support a wide range of business decision making such as product development
  • validate reports
  • facilitate the management and audit of business operations
  • assist in meeting our legal obligations

Data modelling and risk organisations

To:

  • understand and predict trends in customer and financial behaviours
  • support a wide range of business decision making including the provision of credit to customers
  • review and validate the accuracy of reports and / or model outputs from other organisations

Skipton Building Society and other affiliates of the Skipton Group

  • internal audit / compliance and financial crime regulatory requirements
  • IT support
  • Executive board requirements
  • Escrow account support

Certain of the suppliers, applications and systems that we use to support the provisions of our services rely upon transfers of data outside the United Kingdom (UK), European Economic Area (EEA) and countries not on an approved list for having adequate data protection laws in place.

When we use third party systems, application support and cloud based providers that are either based outside of or send data outside of the UK or EEA, we will where necessary impose contractual obligations on the recipients to help safeguard your rights in respect of your data.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing. 
 

We can only collect, use, share and keep your personal data when we have a lawful basis for doing so. The lawful basis will be different dependant on the relationship you have with us and what we do with your personal data.

To find out more about what the different lawful bases are, what they mean and how they affect you, see below:

Legal obligation

Where we are required by law to collect, use, share or keep personal data we will do so.

As an organisation operating in a regulated industry we have to comply with the laws and regulations set by government bodies and our regulators.

Our regulators are the Financial Conduct Authority, Prudential Regulation Authority, and for personal data the Information Commissioner’s Office. If we are unable to meet our legal obligations we will be unable to continue with your application and provide the ongoing management of your accounts, products and services.

Contract

This is where you choose to enter into an agreement with us or make an enquiry with the intention of entering into an agreement. This includes the terms and conditions for the ongoing management of those accounts, and products and services once opened.

If you do not enter into an agreement with us we will be unable to continue with your application and provide the ongoing management of your accounts, products and services.

Legitimate business interest

This is where we or another third party has a valid interest in the personal data we collect, use, share and keep as long as it does not unduly affect you or cause you undue detriment, damage or distress.

You have a right to challenge our legitimate interest if you believe we do not have a valid reason to collect, use, share or hold your data.

Marketing Consent

This is where we ask for your agreement to contact you specifically promote to our services to you.

You can withdraw your consent at any time.

If you withdraw your consent for marketing you may miss out on information about our products, services, offers and other news that may be of interest to you.

You can change your marketing consents at any time by calling 0113 242 3237 or emailing info@skiptonbf.co.uk

Explicit consent

Where we collect, use, share or keep special category (sensitive) personal data we will tell you and ask for your explicit consent before we do this.

Vital interest

This is applied in very limited circumstances where we feel you or another individual may be at serious risk (e.g. life or death circumstances) and no other lawful basis can be applied.

We will use your personal data to:

  • identify you
  • understand your needs and experience with us
  • deal with enquiries and complaints made by you or about you in relation to our services and/or website
  • open and manage your accounts, payments, transactions and relationships with us
  • enable your use of service available on our website
  • personalise our website to improve your browsing experience
  • Communicate with you by sending you:‐
    • general service information (non marketing) commercial communications
    • email notifications which you have specifically requested
    • our newsletter and other marketing communications relating to our business which we think may be of  interest to you by post, or where you have specifically agreed to email or similar technology (you can inform us at any time if you no longer want to receive marketing communications by contacting us on 01756 694068 or emailing info@skiptonbf.co.uk We will never provide your personal information to any third parties for the purpose of direct marketing.
  •  Carry out credit and identity checks
  • Detect and prevent fraud
  • Administer and manage disputes and/or legal claims

Credit and Identity Checks

In order to process your application, we are required by law to identify you and assess the affordability of the products and services you apply for. We do this by using automated systems provided by one or more credit reference agencies. If you take products and services from us we may also make periodic searches at credit reference agencies to manage your account in future.

To do this, we will share your data with the credit reference agencies and they will give us data about you. This will include public data (e.g. from the electoral register) and other data (e.g. from your credit applications) about your financial situation, financial history, shared credit and specific fraud prevention data.

We will use this data to:

  • identify you
  • assess your creditworthiness and whether you can afford to take the product
  • prevent criminal activity, fraud and money laundering
  • manage your accounts
  • trace and recover debts
  • ensure any offers provided to you are appropriate to your circumstances

We will continue to exchange data about you with credit reference agencies while you have a relationship with us.

When credit reference agencies carry out a search they will place a footprint on your credit file that may be seen by other lenders.

Credit reference agencies will link your records together if they identify a link between you and/or any individual identified as your spouse or financial partner. These links will remain on the files until such time as you or your partner successfully files for a disassociation with the credit reference agencies to break that link.

The credit reference agency checks we carry out are a condition of the contract you take out when applying for products and services with us.

Any documents requested or provided to help prove your identity may be checked with the issuing authority and/or anyone who has certified a copy.

The data from the credit reference agencies is used to automatically assess your application against the Skipton Business Finance facility underwriting criteria. If your application is declined based on this automatic assessment you have a right to challenge the decision. If you do not agree with the assessment you can contact us to challenge the decision and we will give you the opportunity to discuss this with us and review the results of the assessment for accuracy.

The information we obtain from credit reference agencies is owned by them and limited to what needed for our own purposes. We will tell you if your application is rejected because of information we have received from credit reference agencies but will not be able to provide any details. You will need to contact the credit reference agencies directly to request a full credit report if you require details of what they hold about you.

More details about which credit reference agencies we use, their role as fraud prevention agencies, what personal data they hold (including how they use and share it), their retention periods and your data protection rights with the credit reference agencies are explained in more detail in the Credit Reference Agency Data Notice (CRAIN).

The CRAIN is accessible from each of the three credit reference agencies – clicking on any of the three links below will take you to the same CRAIN document:

Callcredit; EquifaxExperian.

Fraud Prevention

We will use and share your data with fraud prevention agencies to carry out checks for the prevention of fraud, money laundering and to verify your identity.

We and fraud prevention agencies may also allow law enforcement agencies to access and use your data to detect, investigate and prevent crime.

The fraud prevention checks we carry out are a condition of the contract you take out when applying for products and services with us.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies.

Fraud prevention agencies can hold your data for different periods of time. If you are considered to pose a fraud or money laundering risk your data can be held for up to six years.

Data held by credit reference and fraud prevention agencies can be accessed by other financial organisations, law enforcement and government agencies and may result in others refusing to provide services, finance or employment to you.

Quality Assurance

We may sometimes monitor your telephone calls for reasons of staff training. Should this be the case, you will be informed at the beginning of the call.

Communicating with you

We will use any of the contact details we hold for you to communicate with you about the products and services you hold with us, contact you as requested and to send you information we are required to provide you with by law (e.g. account statements, notification of annual and extraordinary general meetings).

Marketing

We may use your information to provide details about our products, services, news and offers that we believe may be of interest to you.

We will only get in touch with these types of communication if you have given your consent to be contacted for marketing purposes, and only contact you by the methods you have agreed to (e.g. post, telephone, email, text).

We may pass on your details to a third party intermediary but only if consent has been given.

You can change your marketing consents at any time by calling 01756 694068 or emailing info@skiptonbf.co.uk

Transfers outside the EEA

Certain of the suppliers, applications and systems that we use to support the provisions of our services rely upon transfers of data outside the United Kingdom (UK), European Economic Area (EEA) and countries not on an approved list for having adequate data protection laws in place.

When we use third party systems, application support and cloud based providers that are either based outside of or send data outside of the UK or EEA, we will where necessary impose contractual obligations on the recipients to help safeguard your rights in respect of your data.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing. 

We have a records management and retention policy in place to determine how long personal data needs to be kept which is based on our legal, regulatory and business requirements. How long we keep your personal data is based on the client account status and the types of accounts, products and services associated with us. When determining retention periods we consider the following:

  • Legal and regulatory guidance, case law and expected outcomes
  • Maximum or minimum retention periods identified by the law or our regulators
  • Ours and others contractual rights and obligations
  • Your expectations
  • Current or future operational requirements
  • The cost of maintaining, storing, archiving, and retrieving the data
  • Forensic requirements, for example the potential need to access data no longer actively used in order to manage or respond to complaints and disputes
  • Our policies and standards
  • The risks involved in retention, deletion and removal
  • The capability or restraints of our systems and technology

Prospective Clients / Clients

If you make an enquiry but do not continue to client status, we will keep your information for 6 months.

If you do take our service, we will hold your information for up to 12 years after the term of the relationship; 25 years where criminal activity has been identified.

Client Related Suppliers / Customers 

Longevity of the client and up to 12 years after the term of the relationship; 25 years where criminal activity has been identified.

Suppliers

We will hold information for up to 30 years after the term of the relationship.

Data Subject Access Requests

If you make an enquiry with regard to data held about you, the required documentation you send will remain on file for 3 months.

Your Rights

You have certain rights in relation to your personal data, not all rights apply in all cases, and these are explained in more detail below:

Be informed

The purpose of this privacy statement is to do this. We also do this by giving a notice in our application process, web pages and telephone scripts when we collect new or additional data from you. See the list below for details of the information we are required to include:

  • who is collecting, using, sharing and keeping your personal data
  • the reason it is being collected
  • what it will be used for
  • what allows its collection, use, sharing and storing
  • how we work out how long it will be kept
  • what countries outside the European Economic Area (EEA) it will be transferred to and the security measures in place
  • what your rights are

Access your personal data

We will allow you access and give you details of the personal data we hold about you including the data covered in your right to be informed above.

Have inaccurate or incomplete personal data corrected

We will correct and/or update your personal data if you inform us or we identify that it is inaccurate or incomplete.

Request erasure

We will delete your personal data if:

  • we no longer need it for the reason(s) we told you
  • you withdraw your consent and this is the only lawful basis (as explained in section 4 of this Privacy Statement) allowing us to collect, use, share and/or keep it
  • you object and we do not have a valid business interest that does not unduly affect you or cause you undue detriment, damage or distress
  • the collection, use, sharing, keeping of it is unlawful
  • we are required by law to do so

Restrict the collection use, sharing and keeping of personal data

We will put on hold the collection, use, sharing and deletion of your personal data when:

  • its accuracy needs to be verified
  • you have objected and we need to consider if our legitimate business interest overrides your request
  • it has been collected, used, shared or kept unlawfully and you have requested that it’s not deleted but want it to be restricted
  • we no longer need it but you request it to establish, exercise or defend a legal claim

We will tell you before we remove any restrictions.

Object

You can object to the collection, use, sharing and retention of your personal data where:

  • you feel our legitimate business interest will cause you undue detriment, damage or distress where this is the lawful purpose for collecting, using, sharing or keeping data
  • You do not agree to direct marketing (including profiling)

If you have any concerns about how we collect, use, share or keep your personal data, or you think there has been a breach, you can contact us to make a complaint or find out more about our complaints procedure by going to www.skiptonbusinessfinance.co.uk/contact us,

If you do make a complaint we will follow our internal complaints procedure to resolve your complaint quickly and fairly. If we cannot resolve your complaint to meet your expectations, you may contact:

UK Finance 5th Floor
1 Angel Court
30 Throgmorton Street
London 
EC2R 7HJ
Telephone 020 7706 3333
Web:  www.ukfinance.org.uk 

You also have a right to complain to the Information Commissioner’s office if you have any concerns about how we collect, use, share or keep your personal data by contacting them at:

Information Commissioner’s Office 
Wycliffe House
Water Lane 
Wilmslow 
Cheshire SK9 5AF
Telephone: 0303 123 1113 
Web:  www.ico.org.uk

If you require any more details about how we collect, use, share and store your personal data, or about your rights and how to exercise them, please contact us:

Data Protection Dept 
Skipton Business Finance 
The Bailey
Skipton
North Yorkshire
BD23 1DN