Data Privacy Notice
‘We’, ‘our’, ‘us’, ‘Skipton Business Finance’ and ‘SBF’ in this Privacy Notice means Skipton Business Finance Limited. Skipton Business Finance Limited is a controller, responsible for the protection of the data it collects about you.
This Privacy Notice explains the types of personal data we collect, what we do with it, who we share it with, how long we keep it and your rights.
It does not extend to other organisations, such as any external websites you may access from our website. Other organisations will inform you how they use your personal data.
We may collect, use, share and keep the following type of personal data about you:
Name, title, address, contact details (including any previous changes), date of birth and/or age | To:
|
Business Role (e.g. director, partner, shareholder, sole trader, company secretary) | To:
|
Account data (including performance information) | To:
|
Criminal convictions, pending convictions bankruptcy/receivership, county court judgements and court records | To:
|
Information about your computer and your visits to and use of our website (including your IP/MAC address, geographical location, browser type and version, operating systems, referral source, length of visit, page views, and website navigation) | To:
|
The data protection regulations call certain types of sensitive data ‘special category’ data. These include: ethnic or racial origin; health; political opinions; religious or philosophical beliefs; trade union membership; sex life or sexual orientation and genetics or biometrics. In general we do not collect special category data about you, but sometimes the personal data we collect may reveal this. We collect personal data about criminal convictions, (including pending convictions, bankruptcy/receivership, county court judgements, court records and pending orders). This is limited to the minimum required. If we make an adjustment to our service due to a health condition, we will aim to record the adjustment without reference to the health condition unless it is necessary to also record this information to effectively make the adjustment.
We only collect and use special category personal data with your explicit consent, or if we are required to by law, there is an overriding public interest, or where we believe you or someone else may be at risk.
Solicitors, accountants, brokers and other professional advisers | To:
|
Financial organisations | To:
|
Mailing houses and printers | To provide you with:
We will only send you marketing material when you have given us your consent. Upon giving us your consent, you will also be entitled to opt out of any future marketing related communications. |
Information Technology service providers | To:
|
Credit reference agencies | To:
|
Fraud prevention agencies | To:
|
Law enforcement agencies including police forces, private investigators, security organisations and prosecuting authorities | To:
|
Courts and tribunals | To:
|
Ombudsmen and regulatory organisations (e.g. Financial Ombudsman Service, Financial Conduct Authority, Prudential Regulation Authority, Financial Services Compensation Scheme, Information Commissioners Office) | To:
|
Trade associations and industry groups | To:
|
HMRC | To:
|
Central and local government departments and agencies (eg Department of Work and Pensions (DWP), Jobcentre Plus, local councils) | To:
|
Field agents, debt collection agencies, tracing agents and appointed receivers and trustees in bankruptcy | To:
|
Research and insight agencies | To:
In addition we use data for profiling and customer segmentation to create a broad understanding of our customers. This helps shape our communications, products and the overall customer experience including how we handle phone calls and other customer contacts. |
Management Consultancy firms | To:
|
Other organisations involved in handling mergers, acquisitions and other corporate transactions | To:
We will only do this with adequate protection and with a contract in place to protect the security and confidentiality of your information. |
External auditors, risk and rating agencies (eg Moodys, Fitch) | To:
|
Data modelling and risk organisations | To:
|
Skipton Building Society and other affiliates of the Skipton Group |
|
Certain of the suppliers, applications and systems that we use to support the provisions of our services rely upon transfers of data outside the United Kingdom (UK), European Economic Area (EEA) and countries not on an approved list for having adequate data protection laws in place.
When we use third party systems, application support and cloud based providers that are either based outside of or send data outside of the UK or EEA, we will where necessary impose contractual obligations on the recipients to help safeguard your rights in respect of your data.
Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
We can only collect, use, share and keep your personal data when we have a lawful basis for doing so. The lawful basis will be different dependant on the relationship you have with us and what we do with your personal data.
To find out more about what the different lawful bases are, what they mean and how they affect you, see below:
Legal obligation | Where we are required by law to collect, use, share or keep personal data we will do so. As an organisation operating in a regulated industry we have to comply with the laws and regulations set by government bodies and our regulators. Our regulators are the Financial Conduct Authority, Prudential Regulation Authority, and for personal data the Information Commissioner’s Office. If we are unable to meet our legal obligations we will be unable to continue with your application and provide the ongoing management of your accounts, products and services. |
Contract | This is where you choose to enter into an agreement with us or make an enquiry with the intention of entering into an agreement. This includes the terms and conditions for the ongoing management of those accounts, and products and services once opened. If you do not enter into an agreement with us we will be unable to continue with your application and provide the ongoing management of your accounts, products and services. |
Legitimate business interest | This is where we or another third party has a valid interest in the personal data we collect, use, share and keep as long as it does not unduly affect you or cause you undue detriment, damage or distress. You have a right to challenge our legitimate interest if you believe we do not have a valid reason to collect, use, share or hold your data. |
Marketing Consent | This is where we ask for your agreement to contact you specifically promote to our services to you. You can withdraw your consent at any time. If you withdraw your consent for marketing you may miss out on information about our products, services, offers and other news that may be of interest to you. You can change your marketing consents at any time by calling 0113 242 3237 or emailing info@skiptonbf.co.uk |
Explicit consent | Where we collect, use, share or keep special category (sensitive) personal data we will tell you and ask for your explicit consent before we do this. |
Vital interest | This is applied in very limited circumstances where we feel you or another individual may be at serious risk (e.g. life or death circumstances) and no other lawful basis can be applied. |
We will use your personal data to:
- identify you
- understand your needs and experience with us
- deal with enquiries and complaints made by you or about you in relation to our services and/or website
- open and manage your accounts, payments, transactions and relationships with us
- enable your use of service available on our website
- personalise our website to improve your browsing experience
- Communicate with you by sending you:‐
- general service information (non marketing) commercial communications
- email notifications which you have specifically requested
- our newsletter and other marketing communications relating to our business which we think may be of interest to you by post, or where you have specifically agreed to email or similar technology (you can inform us at any time if you no longer want to receive marketing communications by contacting us on 0113 242 3237 or emailing info@skiptonbf.co.uk We will never provide your personal information to any third parties for the purpose of direct marketing.
- Carry out credit and identity checks
- Detect and prevent fraud
- Administer and manage disputes and/or legal claims
Credit and Identity Checks
In order to process your application, we are required by law to identify you and assess the affordability of the products and services you apply for. We do this by using automated systems provided by one or more credit reference agencies. If you take products and services from us we may also make periodic searches at credit reference agencies to manage your account in future.
To do this, we will share your data with the credit reference agencies and they will give us data about you. This will include public data (e.g. from the electoral register) and other data (e.g. from your credit applications) about your financial situation, financial history, shared credit and specific fraud prevention data.
We will use this data to:
- identify you
- assess your creditworthiness and whether you can afford to take the product
- prevent criminal activity, fraud and money laundering
- manage your accounts
- trace and recover debts
- ensure any offers provided to you are appropriate to your circumstances
We will continue to exchange data about you with credit reference agencies while you have a relationship with us.
When credit reference agencies carry out a search they will place a footprint on your credit file that may be seen by other lenders.
Credit reference agencies will link your records together if they identify a link between you and/or any individual identified as your spouse or financial partner. These links will remain on the files until such time as you or your partner successfully files for a disassociation with the credit reference agencies to break that link.
The credit reference agency checks we carry out are a condition of the contract you take out when applying for products and services with us.
Any documents requested or provided to help prove your identity may be checked with the issuing authority and/or anyone who has certified a copy.
The data from the credit reference agencies is used to automatically assess your application against the Skipton Business Finance facility underwriting criteria. If your application is declined based on this automatic assessment you have a right to challenge the decision. If you do not agree with the assessment you can contact us to challenge the decision and we will give you the opportunity to discuss this with us and review the results of the assessment for accuracy.
The information we obtain from credit reference agencies is owned by them and limited to what needed for our own purposes. We will tell you if your application is rejected because of information we have received from credit reference agencies but will not be able to provide any details. You will need to contact the credit reference agencies directly to request a full credit report if you require details of what they hold about you.
More details about which credit reference agencies we use, their role as fraud prevention agencies, what personal data they hold (including how they use and share it), their retention periods and your data protection rights with the credit reference agencies are explained in more detail in the Credit Reference Agency Data Notice (CRAIN).
The CRAIN is accessible from each of the three credit reference agencies – clicking on any of the three links below will take you to the same CRAIN document:
Callcredit; Equifax; Experian.
Fraud Prevention
We will use and share your data with fraud prevention agencies to carry out checks for the prevention of fraud, money laundering and to verify your identity.
We and fraud prevention agencies may also allow law enforcement agencies to access and use your data to detect, investigate and prevent crime.
The fraud prevention checks we carry out are a condition of the contract you take out when applying for products and services with us.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies.
Fraud prevention agencies can hold your data for different periods of time. If you are considered to pose a fraud or money laundering risk your data can be held for up to six years.
Data held by credit reference and fraud prevention agencies can be accessed by other financial organisations, law enforcement and government agencies and may result in others refusing to provide services, finance or employment to you.
Quality Assurance
We may sometimes monitor your telephone calls for reasons of staff training. Should this be the case, you will be informed at the beginning of the call.
Communicating with you
We will use any of the contact details we hold for you to communicate with you about the products and services you hold with us, contact you as requested and to send you information we are required to provide you with by law (e.g. account statements, notification of annual and extraordinary general meetings).
Marketing
We may use your information to provide details about our products, services, news and offers that we believe may be of interest to you.
We will only get in touch with these types of communication if you have given your consent to be contacted for marketing purposes, and only contact you by the methods you have agreed to (e.g. post, telephone, email, text).
We may pass on your details to a third party intermediary but only if consent has been given.
You can change your marketing consents at any time by calling 0113 242 3237 or emailing info@skiptonbf.co.uk
Transfers outside the EEA
Certain of the suppliers, applications and systems that we use to support the provisions of our services rely upon transfers of data outside the United Kingdom (UK), European Economic Area (EEA) and countries not on an approved list for having adequate data protection laws in place.
When we use third party systems, application support and cloud based providers that are either based outside of or send data outside of the UK or EEA, we will where necessary impose contractual obligations on the recipients to help safeguard your rights in respect of your data.
Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
We have a records management and retention policy in place to determine how long personal data needs to be kept which is based on our legal, regulatory and business requirements. How long we keep your personal data is based on the client account status and the types of accounts, products and services associated with us. When determining retention periods we consider the following:
- Legal and regulatory guidance, case law and expected outcomes
- Maximum or minimum retention periods identified by the law or our regulators
- Ours and others contractual rights and obligations
- Your expectations
- Current or future operational requirements
- The cost of maintaining, storing, archiving, and retrieving the data
- Forensic requirements, for example the potential need to access data no longer actively used in order to manage or respond to complaints and disputes
- Our policies and standards
- The risks involved in retention, deletion and removal
- The capability or restraints of our systems and technology
Prospective Clients / Clients
If you make an enquiry but do not continue to client status, we will keep your information for 6 months.
If you do take our service, we will hold your information for up to 12 years after the term of the relationship; 25 years where criminal activity has been identified.
Client Related Suppliers / Customers
Longevity of the client and up to 12 years after the term of the relationship; 25 years where criminal activity has been identified.
Suppliers
We will hold information for up to 30 years after the term of the relationship.
Data Subject Access Requests
If you make an enquiry with regard to data held about you, the required documentation you send will remain on file for 3 months.
Your Rights
You have certain rights in relation to your personal data, not all rights apply in all cases, and these are explained in more detail below:
Be informed | The purpose of this privacy statement is to do this. We also do this by giving a notice in our application process, web pages and telephone scripts when we collect new or additional data from you. See the list below for details of the information we are required to include:
|
Access your personal data | We will allow you access and give you details of the personal data we hold about you including the data covered in your right to be informed above. |
Have inaccurate or incomplete personal data corrected | We will correct and/or update your personal data if you inform us or we identify that it is inaccurate or incomplete. |
Request erasure | We will delete your personal data if:
|
Restrict the collection use, sharing and keeping of personal data | We will put on hold the collection, use, sharing and deletion of your personal data when:
We will tell you before we remove any restrictions. |
Object | You can object to the collection, use, sharing and retention of your personal data where:
|
If you have any concerns about how we collect, use, share or keep your personal data, or you think there has been a breach, you can contact us to make a complaint or find out more about our complaints procedure by going to www.skiptonbusinessfinance.co.uk/contact us,
If you do make a complaint we will follow our internal complaints procedure to resolve your complaint quickly and fairly. If we cannot resolve your complaint to meet your expectations, you may contact:
UK Finance 5th Floor1 Angel Court30 Throgmorton StreetLondon EC2R 7HJTelephone 020 7706 3333Web: www.ukfinance.org.uk
You also have a right to complain to the Information Commissioner’s office if you have any concerns about how we collect, use, share or keep your personal data by contacting them at:
Information Commissioner’s Office Wycliffe HouseWater Lane Wilmslow Cheshire SK9 5AFTelephone: 0303 123 1113 Web: www.ico.org.uk
If you require any more details about how we collect, use, share and store your personal data, or about your rights and how to exercise them, please contact us:
Data Protection Dept Skipton Business Finance The BaileySkiptonNorth YorkshireBD23 1DN