1. Who we are and who is responsible for your Personal Data
1.1 British Business Bank plc is registered in England and Wales with company number 08616013. British Business Bank with its registered office at Steel City House, West Street, Sheffield, S1 2GQ. 1.2 As the holding company of the group operating under the trading name of British Business Bank, British Business Bank plc is a development bank wholly owned by HM Government which is not authorised or regulated by the Prudential Regulation Authority (PRA) or the Financial Conduct Authority (FCA). British Business Bank plc and its subsidiary entities are not banking institutions and do not operate as such. A complete legal structure chart for British Business Bank plc and its subsidiaries can be found at www.british-business-bank.co.uk. 1.3 This Privacy Notice explains how we use the Personal Data that we receive, collect or generate in relation to our services and products and through our various Websites, including www.british-business-bank.co.uk (the “Websites”). 1.4 British Business Bank plc is the controller and responsible for the Websites. 1.5 In this Privacy Notice:
“Company” “we”, “us” or “our” refers to the relevant company in the British Business Bank group responsible for processing your data. We will let you know which entity will be the controller for your data when you arrange a product or service with us
“British Business Bank” means British Business Bank plc and other companies in the British Business Bank group (including without limitation, the Start Up Loans Company (registration number 08117656), British Business Finance Ltd (registration number 09091928), British Business Investments Ltd (registration number 09091930) and British Business Financial Services Ltd (registration number 09174621); and
“Personal Data” means any data which relates to a living individual who can be identified from that data or from other information which is in the possession of, or is likely to come into the possession of, the Company (or its representatives or service providers). In addition to factual information, it includes any expression of opinion about an individual and any indication of the intentions of the Company or any other person in respect of an individual.
2. What information we collect about you
2.1 Many of the services offered by the Company require us to collect Personal Data about you in order to perform our services, evaluate our marketing activities and offer our products or services. 2.2 We may collect and process the following Personal Data about you: A. Information that you provide to us.
We have set out below a description of the types of information about you which we may collect and process in different situations when you interact with us. The nature of our relationship with you will determine the kind of Personal Data we might ask for.
• Personal Data that we generally process regardless of how you contact us, or for whatever reasons (including any surveys which we use for research evaluation purposes, if you chose to respond to them), such as your: first name, family name, email address, phone number and/or correspondence address;
• Personal Data that you submit online via our Websites (including information on ethnicity and disability if you choose to provide it); and/or
• Personal Data that you submit to us, or to one of our partners, to become a customer, which, in addition to the above, may include: financial information, occupation and job details, any relevant income information, proof of identification or other identity documents, age and date of birth. B. Information that we collect or generate about you.
This includes (by way of non-exhaustive list):
• details of your visits to our Websites and the resources that you access (which may include, amongst other things; traffic data and communication data);
• information about our business relationships with you, such as a file with your contact history to be used for enquiry purposes so that we may ensure that you are satisfied with the services which we have provided to you; and/or
• any Personal Data that you provide to us in correspondence and during our interactions with you (including Personal Data that you provide during telephone and email communications with us, and/or via our Websites). C. Information we obtain about you from other sources: Cookies:
• information from publicly available sources (including third party agencies such as credit reference agencies, fraud prevention agencies, law enforcement agencies and public registers), such as your credit history; and/or
• information obtained from sanctions checking and background screening providers and information, such as your reasons for being on the sanctions list.
In addition to the categories of Personal Data described above, we will also process further anonymised information and data that is not processed by reference to a specific individual.
3. How we use your information
3.1 We will process Personal Data primarily to provide you with a service or product you have requested. However, there may be times when we are required to process Personal Data that is not part of our core business, for example where we have to comply with legal obligation or a public duty required of us by law.
3.2 Your Personal Data may be stored and processed by us in the following ways and for the following purposes: A. Maintain and improve customer experience
• To allow you to use and access the services and products provided by the Company.
• For our internal purposes, such as research and analysis, reporting, quality control, Website performance, system administration and to evaluate use of our Websites, so that we can provide you with enhanced services.
• To invite you to attend focus groups to further improve our Websites and/or products and services.
• The administration and maintenance of databases storing Personal Data.
• To conduct analysis required to detect malicious data and understand how this may affect your IT system.
• To create reports to assist with future marketing.
• To enable you to participate in interactive features of our Websites, when you choose to do so.
• To ensure that our Website content is presented as effectively as possible for you.
• For ongoing review and improvement of the information provided on the Website to ensure it is user friendly and to prevent any potential disruptions or cyber-attacks.
• For statistical monitoring and analysis of current attacks on devices and systems and for the on-going adaptation of the solutions provided to secure devices and systems against current attacks.
• For analytical and administrative purposes (including to keep a record of the types of finance that SME are seeking;
• To evaluate the effectiveness of our Websites.
• For the management and administration of our business.
• To ensure that content from our Websites is presented in the most effective manner for you and your computer.
• Enabling quick and easy access to information on our services and products.
• Offering optimal, up-to-date security solutions for mobile devices and IT systems.
• Obtaining further knowledge of current threats to network security in order to update our security solutions and provide these to the market.
• To allow you to participate in interactive features of volunteering, when you choose to do so.
• Please note that we will collect behavioural data about you and how you interact with our Websites, including location data. This data may be used to personalise and improve your experience of the Websites. In some instances this data will be used to inform targeted marketing and advertising. B. Let people know about products and service updates
• To notify you about changes to our services and products.
• To communicate with you in order to provide you with information about our services and mandate.
• To keep you updated about events in your area that could help you with your business. C. Market products and services • To provide you with information or services that you request from us, or which we feel may interest you.
Please note that we may also use your Personal Data in case studies that we produce which will then be used for advertising and marketing purposes. We will obtain your consent to do this in advance. D. Deal with complaints
• For complaint handling purposes. E. Fulfil our legal obligations
• In order to comply with and in order to assess compliance with applicable laws, rules and regulations, and internal policies and procedures. F. Product and service designs and improvement
• To help us improve our services and products.
• To understand your needs and interests.
• To understand feedback on our services and products and to help provide more information on the use of those products and services quickly and easily. G. Equality and monitoring purposes
• For monitoring and equal opportunities purposes H. Maintain our business processes
• To allow us to effectively and efficiently manage and administer the operation of our business. I. Comply with internal policies
• To maintain compliance with internal policies and procedures. J. Monitor our copyright materials
• To monitor the use of our copyrighted materials. K. Legal rights
• To exercise and defend our legal rights. L. Credit worthiness checks To perform credit checks.
We may use the information you provide to us to perform a credit check. In order to do this we may share your information with credit reference agencies. We will use the information we receive from credit reference agencies to:
– assess your application for credit and/or;
– check details on applications for credit and credit related or other facilities;
– verify your identity and, the identity of your spouse, partner or other directors/partners but only if they are a party to your application;
– undertake checks for the prevention and detection of crime, fraud and/or money laundering; and
– undertake periodic statistical analysis or testing to ensure the accuracy of existing and future products and services. M. Credit processing • To provide information you ask for.
We often use third parties (delivery partners) who have expertise in certain areas to help us deliver our products and services. We will share your information with the relevant delivery partner to progress your application. Delivery partners have an obligation to keep your data secure. Where you borrow or may borrow from us through one of our delivery partners, we may share details of your personal and/or business account (if you have one), including names and parties to the account and how you manage it/them to credit reference agencies.
If you borrow and do not repay in full and on time, the credit reference agencies may be advised and steps will be taken to trace you and to recover the debt owed. In this case a contract debt collection agency may be instructed to help recover the funds.
We may make periodic searches of our own group records and at credit reference agencies to manage your account, including whether to make credit available or to continue or extend existing credit. We may also check at fraud prevention agencies to prevent crime and money laundering.
N. Preventing fraud • To help us prevent fraud, money laundering and other crimes.
We will also conduct a search at fraud prevention agencies for information held about you, any addresses at which you have lived and any information about your business (if you have one). If you give us false or inaccurate information and we suspect or identify fraud we will record this and may also pass this information to fraud prevention agencies and other organisations involved in crime and fraud prevention.
4. The legal bases for our processing of your Personal Data
4.1 We make sure that our use of Personal Data complies with law and the law allows us and requires us to use Personal Data for a variety of reasons, for instance where: A. we need to do so in order to perform our contractual obligations with you (or any organisation with which you are associated); B. we have obtained your consent; C. we have legal and regulatory obligations that we have to discharge; D. we may need to do so in order to establish, exercise and/or defend our legal rights or for the purpose of legal proceedings; E. the use of your Personal Data is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the Company; and/or F. the use of your Personal Data as described is necessary for our legitimate business interest (or the legitimate interests of the British Business Bank), such as:
– allowing us to effectively and efficiently manage and administer the operation of our business;
– maintaining compliance with internal policies and procedures;
– monitoring the use of our copyrighted materials; and/or
– enabling quick and easy access to information on our services and products.
5. Sensitive Personal Data that we collect about you
5.1 Certain forms of “sensitive personal data” are subject to specific protection or restriction by law in certain territories, including the EU. For these purposes, “sensitive personal data” is data relating to: racial or ethnic origin; criminal activity or proceedings in certain countries; political opinions; religious or philosophical beliefs; trade union membership genetic data, biometric data, data concerning health or sex life or sexual orientation. We will only process your sensitive personal data if permitted by law and only if one of the following conditions is met: A. you have given explicit consent in writing to the processing of the data; B. the processing is necessary for the prevention or detection of crime or acts of dishonesty, malpractice or other improper conduct; or C. there is any other legal or regulatory justification for processing.
6. How we may use automated decision making
6.1 We do not make decisions about you using only technology, where none of our employees or any other individuals have been involved. In the event that we introduce automated decision making we will update this Privacy Notice accordingly.
7. How we safeguard your information
7.1 We will keep Personal Data secure by taking appropriate technical and staff measures to protect it against the unauthorised or unlawful processing and against accidental loss, destruction or damage.
7.2 We have extensive controls in place to maintain the security of our information and information systems. Client files are protected with safeguards according to the sensitivity of the relevant information. Appropriate controls (such as restricted access) are placed on our computer systems. Physical access to areas where Personal Data is gathered, processed or stored is limited to authorised employees.
7.3 As a condition of employment, British Business Bank employees are required to follow all applicable laws and regulations, including in relation to data protection laws. Access to sensitive Personal Data is limited to those employees who need to it to perform their roles. Unauthorised use or disclosure of confidential client information by a British Business Bank employee is prohibited and may result in disciplinary measures.
7.4 When you contact a British Business Bank employee about your file, you may be asked for some Personal Data. This type of safeguard is designed to ensure that only you, or someone authorised by you, has access to your file.
7.5 We review this Privacy Notice and our other data protection policies annually to make sure they are appropriate and up to date. We also carry out regular audits to monitor our security policies and procedures and revise them if necessary.
8. How long we keep your information
8.1 How long we will hold your Personal Data for will vary and will be determined by the following criteria:
A. the purpose for which we are using it – the Company will need to keep the data for at least as long as is necessary for that purpose; and
B. legal obligations – laws or regulations may set a minimum period for which we have to keep your Personal data.
9. Where we transfer your information to
9.1 We will not routinely transfer your Personal Data to, or store it, outside the European Economic Area (“EEA”).
9.2 If we do transfer your Personal Data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. This may be done in a number of different ways, for instance:
– the country that we send the data to might be approved by the European Commission as offering an adequate level of protection for Personal Data;
– the recipient might have signed up to a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your Personal Data;
– where the recipient is located in the US, it might be a certified member of the EU-US Privacy Shield scheme; or
– in other circumstances the law may permit us to otherwise transfer your Personal Data outside the EEA.
9.3 The Personal Data that we collect from you may also be otherwise transferred to, and stored at, destinations outside the EEA. It may also be processed by individuals operating outside of the EEA who work for one of our suppliers.
9.4 In all cases, however, we will ensure that any transfer of your Personal Data is compliant with the applicable data protection law.
9.5 You can obtain more details about the protection given to your Personal Data when it is transferred outside the EEA (including a copy of the standard data protection clauses which we have entered into with recipients of your Personal Data) by contacting us through the methods listed in the ‘How to contact us’ section below.
10. Who we share your information with
10.1 We may share your Personal Data within the British Business Bank group of companies for the purposes described above. You can find out more about British Business Bank by visiting https://british-business-bank.co.uk/.
10.2 We will also share your information with our trusted partners so that they can consider your eligibility for support/as well as Government departments and other associated partner organisations to Government and public-sector bodies for research purposes. A partner may be a company within the British Business Bank itself or an organisation that is contracted by the British Business Bank. For a full list of partners please refer to www.british-business-bank.co.uk.
10.3 We may also share your Personal Data outside of the British Business Bank group with the following third parties:
• with our delivery partners for the purpose of carrying out our contractual or business interests (including credit reference checks where applicable);
• with third party agents and contractors for the purposes of enabling them to provide data analysis, customer support, storage and other services to us (for example, accountants, professional advisors, IT and communications providers and debt collectors) and any entity we may appoint from time to time to evaluate the effectiveness of the Websites. These third parties will be subject to appropriate confidentiality requirements and they will only use your Personal Data as described in this Privacy Notice;
• to the extent required by law, for example if we are under a duty to disclose your Personal Data in order to comply with any legal obligation (including, without limitation, in order to comply with tax reporting requirements and disclosures to regulators), or to establish, exercise or defend its legal rights;
• if we (or any company in the British Business Bank group) undergo a business restructure or sell, buy or otherwise transfer any business or assets, in which case we may disclose your Personal Data to the prospective buyer for due diligence purposes; and
• if we are or substantially all of our assets are acquired by a third party (or any company in the British Business Bank group or substantially all of the assets of a company in the British Business Bank group are acquired by a third party), in which case Personal Data held by us about you will be disclosed to the third party buyer.
11.1 We may use your information to provide you with marketing information that you request or that we feel may interest you by post, email and/or telephone (including SMS) as follows:
– If you are an existing customer or have taken steps to become a customer by using the Websites or contacting us, we may contact you by post, email and/or telephone (including SMS) with information about products and services which are similar to those we previously provided to you, unless, at the time we collect your contact information, you have indicated that you do not want to receive marketing information; or
– If you are a new customer, we may contact you by post, email and/or telephone (including SMS) if you have consented to receiving such information.
11.2 We will not pass your information to third parties for their marketing purposes.
11.3 We operate an integrated communications programme, which means we use your Personal Data to communicate with you through several different channels; including direct mail and email. Our aim is to keep you up-to-date with information you have expressed an interest in; however, if you feel you no longer wish to receive communications from us, you are able to ‘opt out’ of them individually at any time. Please see 11.4 below for information about how to do this.
11.4 If you do not want us to use your information for marketing purposes, please indicate your preference via the relevant boxes on any forms you submit when you are providing your contact information. You may also change your preferences by clicking on the relevant link at the bottom of any marketing emails you may receive. You may also ask us at any time not to use your information for marketing purposes by contacting us via the methods listed in the ‘How to contact us’ section below.
12. Confidential information
12.1 Please note that under the Freedom of Information Act 2000, we are only permitted to protect information that is actually confidential in law and where, if we were to disclose it, we could be sued for breach of confidence.
12.2 Information you give us which you may consider confidential, or may mark as confidential, may in fact not be confidential in law. However, in respect of any information we receive from you that is truly confidential, we will take steps to ensure it remains confidential.
12.3 Unauthorised disclosure or misuse of Personal Data by staff will lead to disciplinary action.
13. Your rights under data protection legislation
13.1 You have a number of legal rights in relation to the Personal Data that we hold about you. These rights include:
• the right to see a copy of the information we hold about you (with the exception of the assessment of any application for finance or other products);
• where you have actively provided your consent for us to process your Personal Data, the right to withdraw your consent at any time. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason (other than consent) for doing so;
• the right to be removed from our mailing lists, and those of our partner organisations;
• in some circumstances, the right to receive some Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit those data to a third party where this is feasible. Please note that this right only applies to Personal Data which you have provided to us;
• the right to correct any errors in information we hold about you, and to change or correct any details you have already given us (by contacting us through the methods listed in the ‘How to contact us’ section below);
• the right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data but we are legally entitled to retain it;
• the right to request that we restrict our processing of your Personal Data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your Personal Data but we are legally entitled to refuse that request; and
• the right to lodge a complaint with the Information Commissioner’s Office (details of which are provided below) if you think that any of your rights have been infringed by us.
13.2 You can exercise your rights by contacting us using the details set out in the “How to contact us” section below.
14. Changes to this Privacy Notice
14.1 We may make changes to this Privacy Notice at any time by sending you an email with the modified terms or by posting a copy of them on our Websites.
14.2 Any changes will take effect 7 days after the date of our email or the date on which we post the modified terms on the Websites, whichever is earlier. Your continued use of our Websites after the expiry of this period means that you agree to be bound by the modified Privacy Notice.
15. How to contact us
15.1 If you have any questions or comments regarding how we handle your Personal Data, please contact our Data Protection Officer at: Email Address:DataProtection@british-business-bank.co.uk Postal Address: The Data Protection Officer, British Business Bank, Steel City House,
West Street, Sheffield, S1 2GQ.
15.2 In the event that you would like to lodge a complaint, relating to our use of your personal data, you can do so by contacting the Information Commissioner’s Office: Web: https://ico.org.uk/global/contact-us/ Email:firstname.lastname@example.org Phone: 0303 123 1113 (9am – 4.30pm, Monday to Friday)