Data Privacy Notice

Introduction

‘We’, ‘our’, ‘us’, ‘Skipton Business Finance’ and ‘SBF’ in this Privacy Notice means Skipton Business Finance Limited. Skipton Business Finance Limited is a controller, responsible for the protection of the data it collects about you.

This Privacy Notice explains the types of personal data we collect, what we do with it, who we share it with, how long we keep it and your rights.

It does not extend to other organisations, such as any external websites you may access from our website. Other organisations will inform you how they use your personal data.

Personal Data We Collect About You

We may collect, use, share and keep the following type of personal data about you:

Name, title, address, contact details (including any previous changes), date of birth and/or age

To:

identify you
communicate with you
manage your relationship with us
use for crime and fraud prevention purposes

Business Role (e.g. director, partner, shareholder, sole trader, company secretary)

To:

identify you
communicate with you
manage your relationship with us
use for crime and fraud prevention purposes

Account data (including performance information)

To:

manage your relationship and accounts with us
use for crime and fraud prevention purposes

Criminal convictions, pending convictions bankruptcy/receivership, county court judgements and court records

To:

assess the suitability of our accounts and services
use for crime and fraud prevention purposes

Information about your computer and your visits to and use of our website

(including your IP/MAC address, geographical location, browser type and version, operating systems, referral source, length of visit, page views, and website navigation)

To:

understand your needs and experience with us
manage your subscription to our website services
improve our systems and website services

The data protection regulations call certain types of sensitive data ‘special category’ data. These include: ethnic or racial origin; health; political opinions; religious or philosophical beliefs; trade union membership; sex life or sexual orientation and genetics or biometrics. In general we do not collect special category data about you, but sometimes the personal data we collect may reveal this. We collect personal data about criminal convictions, (including pending convictions, bankruptcy/receivership, county court judgements, court records and pending orders). This is limited to the minimum required. If we make an adjustment to our service due to a health condition, we will aim to record the adjustment without reference to the health condition unless it is necessary to also record this information to effectively make the adjustment.

We only collect and use special category personal data with your explicit consent, or if we are required to by law, there is an overriding public interest, or where we believe you or someone else may be at risk.

Who We Share Personal Data With and Why

Solicitors, accountants, brokers and other professional advisers	To: provide professional services manage your ongoing relationships administer and manage disputes and / or legal claims
Financial organisations	To: review and assess your suitability and application for products and services manage payments (including the use of payment services involving the transfer of electronic payments into or out of your account) and transactions respond to requests for the postponement of a charge on your property detect and prevent fraud assist with enquiries and investigations
Mailing houses and printers	To provide you with: service information (eg account statements) a range of other communications about our products, services, news and offers We will only send you marketing material when you have given us your consent. Upon giving us your consent, you will also be entitled to opt out of any future marketing related communications.
Information Technology service providers	To: provide third party systems, storage, software and application support
Credit reference agencies	To: verify your identity assess your suitability and affordability for accounts and services assess and confirm your credit worthiness
Fraud prevention agencies	To: carry out checks for the purposes of preventing fraud and money laundering verify your identity to assess your suitability for products and services
Law enforcement agencies including police forces, private investigators, security organisations and prosecuting authorities	To: assist with any ongoing investigations relating to the security and / or safety of individuals to detect and prevent crime
Courts and tribunals	To: respond to court and tribunal requests, manage and resolve complaints, disputes and / or legal claims
Ombudsmen and regulatory organisations (e.g. Financial Ombudsman Service, Financial Conduct Authority, Prudential Regulation Authority, Financial Services Compensation Scheme, Information Commissioners Office)	To: provide our regulatory and governing bodies with data about our business assist with enquiries, investigations, complaints and assessments
Trade associations and industry groups	To: assist with enquiries, investigations, complaints and assessments develop industry standards understand and predict trends in customer and financial behaviours
HMRC	To: provide information for tax reporting purposes assist with enquiries, investigations, complaints and assessments detect and prevent fraud
Central and local government departments and agencies (eg Department of Work and Pensions (DWP), Jobcentre Plus, local councils)	To: confirm payments received and ongoing benefits assist with enquiries, investigations, complaints and assessments
Field agents, debt collection agencies, tracing agents and appointed receivers and trustees in bankruptcy	To: understand your circumstances and financial situation assist in recovering debt locate you when we have been unable to contact you via our usual communication channels meet the law where receivers or trustees in bankruptcy have been appointed to deal with your financial affairs
Research and insight agencies	To: better understand our customers including their experiences, life‐stages, circumstances, needs and responses to current and potential Skipton Business Finance products, services and wider initiatives support a wide range of business decision making such as product development In addition we use data for profiling and customer segmentation to create a broad understanding of our customers. This helps shape our communications, products and the overall customer experience including how we handle phone calls and other customer contacts.
Management Consultancy firms	To: gain insights into market trends, consumer behaviour, competitors, technological change help make recommendations into future development and strategy get support with a range of business decisions
Other organisations involved in handling mergers, acquisitions and other corporate transactions	To: enable the sale or purchase of all or part of our business We will only do this with adequate protection and with a contract in place to protect the security and confidentiality of your information.
External auditors, risk and rating agencies (eg Moodys, Fitch)	To: support a wide range of business decision making such as product development validate reports facilitate the management and audit of business operations assist in meeting our legal obligations
Data modelling and risk organisations	To: understand and predict trends in customer and financial behaviours support a wide range of business decision making including the provision of credit to customers review and validate the accuracy of reports and / or model outputs from other organisations
Skipton Building Society and other affiliates of the Skipton Group	internal audit / compliance and financial crime regulatory requirements IT support Executive board requirements Escrow account support

Basis for Processing

Certain of the suppliers, applications and systems that we use to support the provisions of our services rely upon transfers of data outside the United Kingdom (UK), European Economic Area (EEA) and countries not on an approved list for having adequate data protection laws in place.

When we use third party systems, application support and cloud based providers that are either based outside of or send data outside of the UK or EEA, we will where necessary impose contractual obligations on the recipients to help safeguard your rights in respect of your data.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

What Allows Us To Collect, Use, Share And Keep Your Personal Data: Lawful Basis

We can only collect, use, share and keep your personal data when we have a lawful basis for doing so. The lawful basis will be different dependant on the relationship you have with us and what we do with your personal data.

To find out more about what the different lawful bases are, what they mean and how they affect you, see below:

Legal obligation	Where we are required by law to collect, use, share or keep personal data we will do so. As an organisation operating in a regulated industry we have to comply with the laws and regulations set by government bodies and our regulators. Our regulators are the Financial Conduct Authority, Prudential Regulation Authority, and for personal data the Information Commissioner’s Office. If we are unable to meet our legal obligations we will be unable to continue with your application and provide the ongoing management of your accounts, products and services.
Contract	This is where you choose to enter into an agreement with us or make an enquiry with the intention of entering into an agreement. This includes the terms and conditions for the ongoing management of those accounts, and products and services once opened. If you do not enter into an agreement with us we will be unable to continue with your application and provide the ongoing management of your accounts, products and services.
Legitimate business interest	This is where we or another third party has a valid interest in the personal data we collect, use, share and keep as long as it does not unduly affect you or cause you undue detriment, damage or distress. You have a right to challenge our legitimate interest if you believe we do not have a valid reason to collect, use, share or hold your data.
Marketing Consent	This is where we ask for your agreement to contact you specifically promote to our services to you. You can withdraw your consent at any time. If you withdraw your consent for marketing you may miss out on information about our products, services, offers and other news that may be of interest to you. You can change your marketing consents at any time by calling 0113 242 3237 or emailing info@skiptonbf.co.uk
Explicit consent	Where we collect, use, share or keep special category (sensitive) personal data we will tell you and ask for your explicit consent before we do this.
Vital interest	This is applied in very limited circumstances where we feel you or another individual may be at serious risk (e.g. life or death circumstances) and no other lawful basis can be applied.

How We Use Your Personal Data

We will use your personal data to:

identify you
understand your needs and experience with us
deal with enquiries and complaints made by you or about you in relation to our services and/or website
open and manage your accounts, payments, transactions and relationships with us
enable your use of service available on our website
personalise our website to improve your browsing experience
Communicate with you by sending you:‐
- general service information (non marketing) commercial communications
- email notifications which you have specifically requested
- our newsletter and other marketing communications relating to our business which we think may be of interest to you by post, or where you have specifically agreed to email or similar technology (you can inform us at any time if you no longer want to receive marketing communications by contacting us on 01756 694068 or emailing info@skiptonbf.co.uk We will never provide your personal information to any third parties for the purpose of direct marketing.
Carry out credit and identity checks
Detect and prevent fraud
Administer and manage disputes and/or legal claims

Credit and Identity Checks

In order to process your application, we are required by law to identify you and assess the affordability of the products and services you apply for. We do this by using automated systems provided by one or more credit reference agencies. If you take products and services from us we may also make periodic searches at credit reference agencies to manage your account in future.

To do this, we will share your data with the credit reference agencies and they will give us data about you. This will include public data (e.g. from the electoral register) and other data (e.g. from your credit applications) about your financial situation, financial history, shared credit and specific fraud prevention data.

We will use this data to:

identify you
assess your creditworthiness and whether you can afford to take the product
prevent criminal activity, fraud and money laundering
manage your accounts
trace and recover debts
ensure any offers provided to you are appropriate to your circumstances

We will continue to exchange data about you with credit reference agencies while you have a relationship with us.

When credit reference agencies carry out a search they will place a footprint on your credit file that may be seen by other lenders.

Credit reference agencies will link your records together if they identify a link between you and/or any individual identified as your spouse or financial partner. These links will remain on the files until such time as you or your partner successfully files for a disassociation with the credit reference agencies to break that link.

The credit reference agency checks we carry out are a condition of the contract you take out when applying for products and services with us.

Any documents requested or provided to help prove your identity may be checked with the issuing authority and/or anyone who has certified a copy.

The data from the credit reference agencies is used to automatically assess your application against the Skipton Business Finance facility underwriting criteria. If your application is declined based on this automatic assessment you have a right to challenge the decision. If you do not agree with the assessment you can contact us to challenge the decision and we will give you the opportunity to discuss this with us and review the results of the assessment for accuracy.

The information we obtain from credit reference agencies is owned by them and limited to what needed for our own purposes. We will tell you if your application is rejected because of information we have received from credit reference agencies but will not be able to provide any details. You will need to contact the credit reference agencies directly to request a full credit report if you require details of what they hold about you.

More details about which credit reference agencies we use, their role as fraud prevention agencies, what personal data they hold (including how they use and share it), their retention periods and your data protection rights with the credit reference agencies are explained in more detail in the Credit Reference Agency Data Notice (CRAIN).

The CRAIN is accessible from each of the three credit reference agencies – clicking on any of the three links below will take you to the same CRAIN document:

Callcredit ; Equifax; Experian.

Fraud Prevention

We will use and share your data with fraud prevention agencies to carry out checks for the prevention of fraud, money laundering and to verify your identity.

We and fraud prevention agencies may also allow law enforcement agencies to access and use your data to detect, investigate and prevent crime.

The fraud prevention checks we carry out are a condition of the contract you take out when applying for products and services with us.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies.

Fraud prevention agencies can hold your data for different periods of time. If you are considered to pose a fraud or money laundering risk your data can be held for up to six years.

Data held by credit reference and fraud prevention agencies can be accessed by other financial organisations, law enforcement and government agencies and may result in others refusing to provide services, finance or employment to you.

Quality Assurance

We may sometimes monitor your telephone calls for reasons of staff training. Should this be the case, you will be informed at the beginning of the call.

Communicating with you

We will use any of the contact details we hold for you to communicate with you about the products and services you hold with us, contact you as requested and to send you information we are required to provide you with by law (e.g. account statements, notification of annual and extraordinary general meetings).

Marketing

We may use your information to provide details about our products, services, news and offers that we believe may be of interest to you.

We will only get in touch with these types of communication if you have given your consent to be contacted for marketing purposes, and only contact you by the methods you have agreed to (e.g. post, telephone, email, text).

We may pass on your details to a third party intermediary but only if consent has been given.

You can change your marketing consents at any time by calling 01756 694068 or emailing info@skiptonbf.co.uk

Transfers outside the EEA

Data Management and Retention

We have a records management and retention policy in place to determine how long personal data needs to be kept which is based on our legal, regulatory and business requirements. How long we keep your personal data is based on the client account status and the types of accounts, products and services associated with us. When determining retention periods we consider the following:

Legal and regulatory guidance, case law and expected outcomes
Maximum or minimum retention periods identified by the law or our regulators
Ours and others contractual rights and obligations
Your expectations
Current or future operational requirements
The cost of maintaining, storing, archiving, and retrieving the data
Forensic requirements, for example the potential need to access data no longer actively used in order to manage or respond to complaints and disputes
Our policies and standards
The risks involved in retention, deletion and removal
The capability or restraints of our systems and technology

Prospective Clients / Clients

If you make an enquiry but do not continue to client status, we will keep your information for 6 months.

If you do take our service, we will hold your information for up to 12 years after the term of the relationship; 25 years where criminal activity has been identified.

Client Related Suppliers / Customers

Longevity of the client and up to 12 years after the term of the relationship; 25 years where criminal activity has been identified.

Suppliers

We will hold information for up to 30 years after the term of the relationship.

Data Subject Access Requests

If you make an enquiry with regard to data held about you, the required documentation you send will remain on file for 3 months.

Your Rights

You have certain rights in relation to your personal data, not all rights apply in all cases, and these are explained in more detail below:

Be informed	The purpose of this privacy statement is to do this. We also do this by giving a notice in our application process, web pages and telephone scripts when we collect new or additional data from you. See the list below for details of the information we are required to include: who is collecting, using, sharing and keeping your personal data the reason it is being collected what it will be used for what allows its collection, use, sharing and storing how we work out how long it will be kept what countries outside the European Economic Area (EEA) it will be transferred to and the security measures in place what your rights are
Access your personal data	We will allow you access and give you details of the personal data we hold about you including the data covered in your right to be informed above.
Have inaccurate or incomplete personal data corrected	We will correct and/or update your personal data if you inform us or we identify that it is inaccurate or incomplete.
Request erasure	We will delete your personal data if: we no longer need it for the reason(s) we told you you withdraw your consent and this is the only lawful basis (as explained in section 4 of this Privacy Statement) allowing us to collect, use, share and/or keep it you object and we do not have a valid business interest that does not unduly affect you or cause you undue detriment, damage or distress the collection, use, sharing, keeping of it is unlawful we are required by law to do so
Restrict the collection use, sharing and keeping of personal data	We will put on hold the collection, use, sharing and deletion of your personal data when: its accuracy needs to be verified you have objected and we need to consider if our legitimate business interest overrides your request it has been collected, used, shared or kept unlawfully and you have requested that it’s not deleted but want it to be restricted we no longer need it but you request it to establish, exercise or defend a legal claim We will tell you before we remove any restrictions.
Object	You can object to the collection, use, sharing and retention of your personal data where: you feel our legitimate business interest will cause you undue detriment, damage or distress where this is the lawful purpose for collecting, using, sharing or keeping data You do not agree to direct marketing (including profiling)

Complaints

If you have any concerns about how we collect, use, share or keep your personal data, or you think there has been a breach, you can contact us to make a complaint or find out more about our complaints procedure by going to www.skiptonbusinessfinance.co.uk/contact us,

If you do make a complaint we will follow our internal complaints procedure to resolve your complaint quickly and fairly. If we cannot resolve your complaint to meet your expectations, you may contact:

UK Finance 5th Floor
1 Angel Court
30 Throgmorton Street
London
EC2R 7HJ
Telephone 020 7706 3333
Web: www.ukfinance.org.uk

You also have a right to complain to the Information Commissioner’s office if you have any concerns about how we collect, use, share or keep your personal data by contacting them at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Web: www.ico.org.uk

If you require any more details about how we collect, use, share and store your personal data, or about your rights and how to exercise them, please contact us:

Data Protection Dept
Skipton Business Finance
The Bailey
Skipton
North Yorkshire
BD23 1DN