How we use your personal information


For the purposes of this privacy notice, the data controller of your personal information is Shawbrook Bank Limited of Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, CM13 3BE (the Bank, we, us and our). This is because it is the person who (either acting alone or jointly with others) determines why and how your personal information is processed. By personal information, we mean information which, either by itself or when combined with other information that we hold or which is available to us, can be used to identify you, your principals, directors, shareholders or anyone employed or engaged by you who may access our online systems. For the purpose of this privacy notice, where we refer to “you” or “your” this will also include (where the context permits) your principals, directors, shareholders, employees, contractors and workers (together your “Key Persons”).

Please contact our Data Protection Officer at Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, CM13 3BE or by telephone on 01277 751 110 if you have any queries about this privacy notice or if you wish to exercise any of the rights mentioned in it.

The categories of personal information about you that we process

Whether or not you become one of our intermediary partners, we will process your personal information to administer the application you have made. The personal information we process in the application stage and if you join our intermediary partner panel may include some or all of the following:

  • Your title, full name, your contact details, including for instance your email address, home and mobile telephone numbers;
  • Your home address and address history, together with information about your occupier status, such as whether you are a tenant, live with parents or are an owner occupier;
  • Your date of birth;
  • Your occupation, job title and employment details;
  • Your passport identification number and driver’s license unique reference number;
  • Your nationality if this is necessary for us to comply with our legal and regulatory requirements;
  • Your insolvency and/or litigation history;
  • Whether you have been charged or convicted of any criminal offences;
  • Personal information about you obtained from third parties such as credit reference or fraud prevention agencies and publicly available sources of information such as the electoral roll and court records of debt judgements and bankruptcies (in addition see ‘Credit Reference Checks’ below);
  • You should not share any Key Persons personal information with us except where you have shown them a copy of this privacy notice and obtained their confirmation that they know you will share it with us for the purposes described (and where you have their consents, as relevant, for the processing described);

We may process personal information relating to criminal charges and convictions if we have your consent to do so.

Depending on how you make your application, we may collect this personal information directly or indirectly. The sources of personal information collected indirectly are mentioned in this privacy notice and if these are from publicly accessible sources we will make this clear.


Updates to your personal information

If any of the personal information you have given to us changes, such as your contact details, please inform us without delay by emailing us at for Commercial Mortgages, for Residential Mortgages and at for Consumer Lending. For Business Finance, please email (for Asset Finance) or contact your relationship director (for Working Capital Solutions). You will provide us with any reasonable information which we may reasonably and properly request.


Whether providing your personal information is required by law or contract/ is obligatory

We are unable to consider your application to join our intermediary partner panel unless we collect your personal information as part of your application and we have to use it in connection with your application.


Monitoring of communications

Subject to applicable laws, we will monitor and record calls, email, text messages, social media messages and other communications. We will do this for compliance with regulatory rules, self-regulatory practices or procedures relevant to our business, to prevent or detect crime, in the interests of protecting the security of our communications systems and procedures, and for quality control and staff training purposes.

For example, where we are required by the Financial Conduct Authority regulatory regime to record certain telephone lines (as relevant) we will do so. In addition, where appropriate and having regard to applicable data protection law our monitoring will be to check for obscene or profane content in communications. In very limited and controlled circumstances we may conduct short term carefully controlled monitoring of your activities where this is necessary for our legitimate interests or to comply with a legal obligation.

We may do this for instance where we have reason to believe that fraud or other crime is being committed or where we suspect non-compliance with anti-money laundering regulations to which we are subject.

In particular, telephone calls between us and you in connection with the application and any loan may be recorded for these purposes.


Using and processing your personal information: the legal basis and purposes

The legal basis which relates to our use and other processing of your personal information may include (as relevant):

  1. To the extent you are a sole trader or a partner in a partnership, processing that is necessary for performance of a contract with you (e.g. the intermediary agreement) or to take steps at your request prior to entering into a contract (e.g. the application stage). This includes administering and managing our relationship and the role you undertake in relation to our business and updating our records;
  2. Processing that is necessary for our own legitimate interests or those of third parties (such as members of the Shawbrook Group of companies (see below)) provided these are not overridden by your interests and fundamental rights and freedoms – such as:
    a) For management and audit of our business operations, including accounting;
    b) To search at credit reference agencies;
    c) When we monitor emails, calls and other communications and activities in relation to your role as an intermediary (see above);
    d) To deal with our good governance requirements;
    e) For market research and analysis, developing statistics; and
    f) For our own direct marketing communications which we send to you about our own products and services;
  3. Processing that is necessary to comply with a legal obligation to which we are subject (other than a contractual obligation) – such as:
    a) To process your request for personal information or when you seek to exercise your rights under data protection law;
    b) For compliance with legal and regulatory requirements – in particular we may sometimes need to collect it, use it, or disclose it because of a legal or regulatory responsibility;
    c) For establishment and defence of legal rights;
    d) For activities relating to the prevention, detection and investigation of crime;
    e) To verify your identity;
    f) To perform credit checks, fraud prevention and anti-money laundering checks (see below).
    g) When we monitor emails, calls and other communications and activities in connection with your role as an intermediary (see above)


Sharing your personal information

We may share your personal information with the following parties:

a) Other companies within the Shawbrook Group (further details below);
b) Our legal and professional advisers, such as our auditors and external legal advisors in the event of, for example, sale or restructuring of our business;
c) Third party loan service and administration companies, such as those that undertake the day to day servicing of our business on our behalf as part of an outsourcing arrangement;
d) Other third parties and/or sub-contractors acting on our behalf, such as back up and server hosting providers, our IT software and maintenance providers;
e) Our applicants, customers, guarantors or other third parties involved in an application for finance in which you are involved;
f) Any entity providing funding to us or members of the Shawbrook Group either now or in the future, such as the Bank of England or third-party lenders, and their professional representatives;
g) Purchasers of any part of our business, and their professional representatives;
h) Credit reference agencies (see below);
i) Fraud prevention agencies (see below);
j) Law enforcement agencies and regulatory bodies if necessary such as HMRC, the Financial Conduct Authority and the Information Commissioner’s Office;
k) Courts and as may otherwise be necessary in order to comply with a legal requirement, for the administration of justice, to protect vital interests and to protect the security or integrity of our business operations.


International transfers

Your personal information may be transferred outside the UK and the European Economic Area. Whilst some countries already have adequate protections for personal information under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to maintain the same levels of protection as are needed under data protection laws in the UK.

For more information about what are those appropriate safeguards and how to obtain a copy of them or to find out where they have been made available you can contact the Data Protection Officer at Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, CM13 3BE or by telephone on 01277 751 110.


Identity verification and fraud prevention checks

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at


Credit Reference Checks

In order to process your application to join our intermediary panel, we will perform credit and identity checks on you with one or more credit reference agencies (“CRAs”). We may also undertake periodic searches of our own group records and CRAs to manage and monitor our relationship, including whether to retain you on our intermediary panel.

To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information. We will use this information to:

We will use this information to:

  • Verify the accuracy of the data you have provided to us;
  • Prevent criminal activity, fraud and money laundering; and
  • Manage our on-going relationship.

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail at CRAIN is also accessible from each of the other two CRAs – the two following website addresses will also take you to the same CRAIN document: Callcredit; and Experian


Retention periods or criteria used to determine the retention period

We need to keep your personal information for as long as necessary to fulfil the purposes for which it was collected (and those purposes are as described above). This includes retaining it in order to comply with legal and regulatory requirements and in case of claims. If you would like further information about our data retention policy, contact our Data Protection Officer.

The criteria we use to determine data retention periods for your personal information includes:

  • Retention in case of queries. We will retain it in case of queries from you (for instance, if you apply unsuccessfully for membership of our intermediary panel);
  • Retention in case of claims. We will retain certain parts of your personal information for the period in which you might legally bring claims against us; and
  • Retention in accordance with legal and regulatory requirements. We will carefully consider whether we need to retain your personal information after the period described above in case of a legal or regulatory requirement.


Your rights under applicable data protection law

Your personal information is protected under data protection law and you have a number of rights which you can enforce against us as your data controller. You should be aware that these rights do not apply in all circumstances. If you seek to exercise one against us it will at that stage be explained to you whether or not the right does apply to you based on the facts. Your rights are as follows:

  • The right to be informed.
  • To have your personal information corrected if it is inaccurate and to have incomplete personal information completed in certain circumstances.
  • The right in some cases to object to processing of your personal information (as relevant).
  • The right in some cases to restrict processing of your personal information.
  • The right to have your personal information erased in certain circumstances (also known as the “right to be forgotten”).
  • To request access to the personal information held about you and to obtain certain prescribed information about how we process it.
  • To move, copy or transfer certain personal information. Also known as “data portability”.
  • Rights in relation to some automated decision making about you including profiling (as relevant) if this has a legal or other significant effect on you as an individual.
  • The right to complain to the Information Commissioner’s Office who is empowered to investigate whether we are complying with the data protection law. You can do this if you consider that we have infringed it. You can visit its website for more information:

For more information about all of these rights and how to exercise them against us, you can contact our Data Protection Officer.


Data anonymisation and use of aggregated information

Your personal information may be converted into statistical or aggregated data in such a way as to ensure that you are not identified or identifiable from it. Aggregated data cannot be linked back to you as a natural person. It might be used to conduct research and analysis, including to produce statistical research and reports. This aggregated data may be shared in several ways, including with our group companies and for the same reasons as your personal information (see above).


Shawbrook Group

The companies in the Shawbrook Group are Shawbrook Bank Limited, Shawbrook International Limited and Shawbrook Group Plc.


Download PDF

Last updated: 27 June 2018