Back to Home

How we use your personal information

header symbol

Shawbrook Bank Limited (the Bank, we, us and our) is committed to protecting your privacy. We have produced this notice to explain to you what personal information we have, how we get it and how and why we use that information.

For the purpose of this notice, where we refer to “you” or “your” this will also include (where the context permits, such as intermediaries/brokers) your principals, directors, shareholders, employees, contractors and workers (together your “Key Persons”).

Under data protection laws, we are a controller of personal information that we collect and hold about you. This is because we decide how and why your personal information is used.

If you have made an application on behalf of another individual, a joint application with another individual, or an application on behalf of a business, charity, trust or other organisation and have provided us with information in relation to its directors, shareholders, owners, trustees or beneficiaries (as applicable), then this privacy notice will also apply to them. It is important that they read this notice and we will assume that you have told them that their details will be shared with us and that you have shown them this notice.

Note for Intermediaries

You should not share any Key Persons personal information with us except where you have shown them a copy of this privacy notice and obtained their confirmation that they know you will share it with us for the purposes described (and where you have their consent, where required, for the processing described).

How to contact us

If you want to receive a copy of the information we hold or exercise any of your information rights as explained in this notice you can submit your request here. If you have any concerns or complaints about our use of your information, please use the contact us details on our website.

If we cannot resolve a complaint to your satisfaction you can contact the ICO at www.ico.org.uk or by telephoning 0303 123 113 if the complaint relates to the way we have handled your personal information.

You can contact our Data Protection Officer by email at dataprotectionoffice@shawbrook.co.uk or by writing to them at Shawbrook Bank Limited, Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, Essex, CM13 3BE, if you have any questions about this privacy notice. 

You can download a copy of this page to view or print. 

Click on the links to find out more about how we use your information.

Your information rights

Right to access
You have the right to access the personal information held about you and to obtain certain prescribed information about how we process it. This is commonly known as submitting a 'data subject access request'.

Right to rectify your personal information 
If you discover that the information we hold about you is inaccurate or incomplete, you have the right to have this information corrected.

Right to erasure
You may ask us to delete information we hold about you in certain circumstances, this is often referred to as the 'right to be forgotten'. This right is not absolute and only applies in particular circumstances. It may not always be possible for us to delete the information we hold about you, for example, if we have an ongoing relationship with you or we are required to retain information to comply with our legal obligations or to exercise or defend legal claims.

Right to restriction of processing
In some cases, you may have the right to have the processing of your personal information restricted. For example, where you contest the accuracy of your personal information, it may be restricted until the accuracy is verified, or where the processing is unlawful but you object to it being deleted and request that it is restricted instead.

Right to object to processing
You may object to the processing of your personal information (including profiling) when it is based upon our legitimate interests or for the purposes of statistical analysis.

Right to object to direct marketing
You may also object to the processing of your personal information for the purposes of direct marketing.

Right to data portability
You have the right to receive, move, copy or transfer your personal information to a controller which is also known as 'data portability'. This only applies to information you have given us and if we are processing your personal information based on consent or contract and the processing is automated.

The information we process about you

  • Identity data including first name, maiden name, last name, username or similar identifier, marital status, title, nationality and date of birth.
  • Contact data including postal addresses, email address and telephone numbers.
  • Financial data including bank account and payment card details and details of your employment, financial position and history.
  • Transaction data including details about payments to and from you and transactions you carry out using our products and services.
  • Identification data including a photo of yourself, passport details, driving licence or other identification documents.
  • Vehicle details where you have used one of our products to acquire a vehicle.
  • Special categories of data such as details about your health or biometric data (created for the purposes of facial recognition as part of the Digital ID Verification described below).
  • Details of any criminal convictions or alleged criminal offences.
  • Information that you provide to us when you contact us by any means, including by telephone, fill in forms on our website, use any of our products or services, or when you submit queries to us we will keep a record of that correspondence and the information that you provide to us in that correspondence
  • Details of the devices you use to access our websites and how you use our websites, please see our Cookie Policy.
  • Profile data including, products and services you use, your interests, marketing and communications data including your preferences in receiving marketing from us, your communication preferences, feedback and survey responses.
  • Publicly available information such as the Electoral Register and details you make public on social media e.g. Facebook/Twitter.

Why we process your personal information

Reason for processing Processing is necessary for:

Considering and processing your application

We need to process your personal data in order to decide whether we can offer you the product you have applied for and to evaluate any security and/or guarantee arrangements relating to a product.

Where you have agreed for us to be able to review your transaction data we will use this data to assess creditworthiness and affordability.

A contract we have with you, or because you have asked us to take specific steps before entering into a contract

Our legitimate interests

Performing credit searches and verifying your identity

We need to carry out credit searches and verify your identity before we can offer you a product or service. 

We also verify your identity as a donor or lender of deposit monies or as occupier of any security property to ensure that there is no conflict in respect of parties’ rights over the relevant security property.

We also need to do this to ensure that we are acting as a responsible lender, including with regards to fraud prevention and identity theft.

Our legal or regulatory obligations

Our legitimate interests

Administering your account

We will use your information to administer your account in several ways which includes:

  • collecting loan repayments.
  • providing you with account statements, notices,
  • providing you with information such as changes to your interest rate.
  • managing any arrears on your account.
  • enforcing any security that we have in place.
  • dealing with any queries or complaints that you may have.

We may also use your information in order to:

  • recover debts due to us and keeping our records updated.

A contract we have with you, or because you have asked us to take specific steps before entering into a contract or our legal or regulatory obligations

Our legitimate interests

Acquiring your credit agreement from another lender.

We will use your information for the following purposes:

  • buying a portfolio of credit agreements where your credit agreement is included within the portfolio.
  • undertaking due diligence regarding the acquisition.
  • deciding whether we wish to proceed with the acquisition or not.

Our legal or regulatory obligations or for our legitimate interests

Responding to your requests to exercise your legal or regulatory rights 

Where you have made a request relating to your legal or regulatory rights, such as those detailed in the “your information rights” section of this notice, we need to process your personal data in order to process and respond to your request.

Our legal or regulatory obligations

Direct marketing
 
To provide you with information about products and services that you may be interested in and to develop our products and services and grow our business.

Our legitimate interests

Performing statistical analysis and conducting market research 

We may analyse your personal data and conduct market research, such as by asking our customers to complete feedback surveys, to help us better understand our customer base and the markets in which we operate or may wish to operate.

Our legitimate interests

Collecting information about how you use our website

See our Cookie Policy for more information.

Our legitimate interests or where we have your consent

Assisting third parties

To assist intermediaries or brokers with their management operations and managing our use of third parties, which includes:

  1. managing records about you.
  2. ensuring the type of business that third parties refer to us is appropriate.
  3. resolving any complaint made by you about a third party and/or any dispute between you and us regarding a third party.

We may also need to process your personal data to ensure that the third party is fulfilling the terms of their contract with us and that we act as a responsible lender.

Our legal or regulatory obligations

Our legitimate interests

Testing, improving and securing our products, services and systems

We may need to process your personal data to ensure the security, efficiency and reliability of our products, services and systems.

Our legal or regulatory obligations or our legitimate interests

Facilitating your entry into our competitions

Where you have entered one of our competitions, we may need to process your personal data to facilitate your entry and administer the prize draw.

A contract we have with you, or because you have asked us to take specific steps before entering into a contract

Facilitating your attendance at an event hosted by us

Where you have registered to attend on our events, we require your personal data to facilitate your attendance.

Our legitimate interests

Making reasonable adjustments to our processes

We may record information relating to your health or personal circumstances where we need to make reasonable adjustments to our processes.

Our legal or regulatory obligations or where we have your explicit consent.

Criminal Conviction and Special Category Data

We will only process personal data relating to criminal convictions or offences and alleged offences where the law permits us to do so e.g. to perform checks to prevent and detect crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption and international sanctions or where we have your consent to do so.

Data protection law defines certain types of information as ‘special category data’. This includes details about your health and medical conditions or biometric data (created for the purposes of facial recognition as part of the Digital ID Verification described below). We will only process special category data where we have obtained your explicit consent to do so or another lawful basis exists, for example, where it is necessary for reasons of substantial public interest, such as to safeguard the economic well-being of individuals, preventing or detecting unlawful acts or preventing fraud. 

Withdrawing Consent

Where we rely on your consent, you have the right to withdraw your consent at any time. Please submit your request here if you wish to do so.

How we collect and obtain your personal information

  • when you apply for a product on our website (shawbrook.co.uk), through a postal application or direct with one of our employees;
  • when you provide it on-line or by any other method of communication, for example, on "contact us" forms, telephone or when you provide it through the course of our relationship, for example, if you inform us of a change in your circumstances or when you take part in our customer surveys;
  • when you use our services;
  • information you make public when you interact with our social media profiles or reference Shawbrook in your communication; and
  • technical information, including the Internet Protocol (IP) address used to connect to the internet, may be collected from you when you visit our website.

We obtain your personal information indirectly from third parties including:

  • information you have asked us (or a third party) to collect for you, for example, information about your accounts or holdings with other companies including transaction information;
  • through one of our partner organisations (for example, a credit broker, a supplier of retail, home improvement, motor or holiday ownership goods and services or a provider of investment or wealth management services) on their website, in-store, or if you visit their office or if they visit your home;
  • comparison websites;
  • following an introduction to us by another third party, such as an accountancy firm, law firm or management consultancy;
  • if another person provides your information to us when they apply to obtain a product from us on your behalf; or that is to be held jointly with you; or on behalf of a business, charity, trust or other organisation of which you are a director, shareholder, owner, trustee or beneficiary (as applicable);
  • from fraud prevention agencies, credit reference agencies, tracing and debt recovery agents, government bodies and agencies, the electoral roll, Companies House and other sources of publicly available information (e.g. sanctions list, media) when we carry out searches for the purposes of processing your application and/or during your relationship with us;
  • if you occupy a property which we hold or propose to hold as security; or
  • if you have a credit agreement with another lender and we buy it from that lender (for example, if we buy a portfolio of credit agreements and your credit agreement is included within that portfolio).

If you are applying to us indirectly through a third party, then they should have provided you with their own privacy notice and you should ask them for a copy if they did not.

Who your personal information may be shared with

  • Shawbrook Bank parent entities for the purposes of enabling our parent entities to exercise oversight of our business.
  • Shawbrook Group companies such as The Mortgage Lender Limited and Bluestone Mortgages Limited.
  • Anyone acting on your behalf with authority to do so, such as a debt charity, power of attorney or your professional advisors.
  • Credit reference agencies (CRAs), fraud prevention agencies and law enforcement agencies.
  • Debt collection agencies to seek to recover any debt owed to us.
  • Price comparison websites where you have been referred to us from that website.
  • Other financial service companies, such as other lenders.
  • Legal and regulatory bodies, such as the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA), HMRC, the Information Commissioner's Office (ICO), the UK Financial Services Compensation Scheme (FSCS), the Financial Ombudsman Service (FOS), our professional advisors and/or the courts.
  • Organisations that provide us with business support services. For example, account service and administration companies, back-up and server hosting, IT software and maintenance platforms, document storage and management services, receivers, repossession agents, recoveries agents and property valuers.
  • Our professional advisors such as law firms, accountants, insurers or other professional advisor as required.
  • Third parties who have introduced you to us or are involved in the introduction process (e.g. an intermediary, broker, network or Mortgage Club).
  • Market research organisations who we engage to assist us in developing and improving our products and services.
  • Any person or entity that is to provide, or has provided, any security or guarantee (and their professional advisors) in respect of your agreement with us and their professional advisors.
  • Any entity (and their professional advisors) that provides funding to us or members of the Shawbrook Group (for example, the Bank of England) and any entity that provides us with debt or equity finance.
  • Any purchaser or potential purchaser of any part of our business in the event that the Bank, or part of its assets were to be acquired by a third-party purchaser.
  • Our PR and Communications partners when you enter our prize draws.
  • Payment service providers whose services include money laundering and credit checks.

Please note that our website may contain links to other third-party websites. These websites will not be governed by this notice and we therefore recommend that you read the privacy notices and cookie policies on the other websites you visit.

Credit Reference Agencies (CRAs)

  • Identity and contact data;
  • Information from your credit application;
  • Information about your financial situation and financial history;
  • Public information (including the electoral register);
  • Shared credit details; and
  • Fraud prevention information.

We will use this information to:

  • Assess your creditworthiness and whether you can afford to take the product;
  • Verify the accuracy of the data you have provided to us;
  • Prevent criminal activity, fraud and money laundering;
  • Manage your account(s);
  • Trace and recover debts; and
  • Ensure any offers provided to you are appropriate to your circumstances.

We will continue to share information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs. When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders. 
If you are making a joint application or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until you or your partner successfully files for a disassociation with the CRAs to break that link.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail in the CRA information notice (CRAIN) which is accessible from each of the three CRAs: 

Fraud Prevention Agencies

We may automatically decide that you pose a fraud or money laundering risk because of our fraud prevention searches or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and may result in others refusing to provide services, financing or employment to you.

Fraud prevention agencies can hold your personal data for different periods of time; if you are considered to pose a fraud or money laundering risk, note that your data can be held by them for up to six years. Further information in respect of how fraud prevention agencies may hold your personal information can be found here.

International transfers of your personal information

Should we transfer your personal information to any other territories or countries outside the UK we ensure appropriate safeguards are in place, where required, to maintain the same levels of protection as are needed under data protection laws in the UK.

Automated processing

  • You apply for our products and services, we undertake credit checks to assess creditworthiness and affordability and provide you with a tailored offer based on the results of our assessment;
  • We carry out assessments to help decide if your personal or business accounts may be being used for fraud or other financial crime;
  • We undertake anti-money laundering and sanctions checks; and
  • We verify your identity.

Our automated decisions use profiling which means that we use your personal information to make decisions that can affect the products, services or features we may offer you now or in the future, or the price that we charge you for them. For example, if you do not meet an element of our lending criteria (such as being over 18 or being a resident in the UK) any application for credit will be automatically declined. If you do meet our lending criteria, the amount we lend, the term of your loan and the interest we charge on your loan will be determined by your credit status.

Digital ID Verification

When a new account is opened or a new individual is added to an account within our savings and personal loan division, if you fail to validate your identity via our electronic identity verification process, you will have the opportunity to verify your identity through our Digital ID Verification, which involves automated decision-making.

This Digital ID Verification involves solely automated decision-making, meaning there is no human involvement in making the decision. This is used to determine whether you pass or fail the Digital ID Verification for the purpose of determining whether you should be granted access to your account despite having initially failed to validate your identity via our electronic identity verification process.

We carry out this automated decision-making in order to comply with our regulatory requirements to detect and prevent crime. The Digital ID Verification is necessary in the circumstances described above to enable us to verify your identity, to protect you against identity theft and detect fraud.

How the Digital ID Verification Works

  • If you fail to validate your identity via our electronic identity verification process, you will be sent a hyperlink to the email address provided when you applied for an account by one of our trusted third party suppliers asking whether you wish to verify your identity via the Digital ID Verification. The link will expire 48 hours after being sent, but you can request a new link following expiry.
  • If you wish to proceed, you will be instructed to upload and submit:
    1. a copy of your driving licence, passport or other acceptable form of ID; and
    2. a photo of yourself.
  • Our trusted third party supplier will then use a specialised software program to:
    1. verify the identification documentation submitted;
    2. compare the name and date of birth recorded in the document with the corresponding information we have on file for you; and
    3. carry out a process of facial recognition, which involves comparing the photo of yourself that you submit with the photo in your identification documentation (in simple terms, this is done by taking a number of data points on the photographs and comparing them to check they're the same).
  • The Digital ID Verification has predefined parameters and will automatically determine whether you pass or fail the Digital ID Verification.

On completion of the Digital ID Verification, we may still need to review your application. We generally will let you know the outcome of your application within 5 working days of valid completion of the application and passing identity checks

Reviewing an Automated Decision

You may have rights over automated decisions depending on the lawful basis upon which we process your information.

  • You can ask that we do not make our decision based on output of the automated process alone.
  • You can object to an automated decision and ask that a person reviews it.

For more information or to exercise these rights please submit your request here.

How long your personal information will be stored for

To determine the appropriate retention period for personal data, we consider applicable legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes we process your personal data for, and whether we can achieve those purposes through other means. In some circumstances, we may anonymise your personal data so that it can no longer be associated with you.

Keeping your information secure

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

For more information about how you can also protect yourself please read our Customer Security page.

Keeping your information accurate

You will be required to provide us with any changes to your personal information under the agreement you enter into with us if your application for a credit or savings product is accepted. If you fail to do so this will put you in breach of your agreement.

How we monitor your communications

Changes to our Privacy Notice

Shawbrook Group

Shawbrook Bank Limited is registered in England. Registered company number: 00388466. Registered office: Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, Essex, CM13 3BE.

The companies in the Shawbrook Group are Shawbrook Bank Limited, Shawbrook Buildings and Protection Limited, Shawbrook Group PLC, The Mortgage Lender Limited, Bluestone Mortgages Limited and its related parent company entities and funds.

Last Updated September 2024