How we use your personal information

Introduction

Shawbrook Bank Limited (the Bank, we, us and our) is committed to protecting your privacy. This notice sets out the personal information that we may collect or obtain about you and how we treat that information.

For the purposes of applicable data protection legislation, we are a data controller in respect of the information that we collect or obtain about you. This is because the Bank is the person who (either acting alone or jointly with others) determines why and how your personal information is processed.

Please contact our Data Protection Officer on 01277 751110, or by writing to them at Shawbrook Bank Limited, Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, Essex, CM13 3BE, if you have any queries about this privacy notice or if you wish to exercise any of your rights in respect of data protection (as detailed below).  

The information we process about you

Your personal information will be collected or obtained by us whether we deal with you as an individual or on behalf of an individual, business, charity, trust or other organisation that you represent. Broadly, personal information (or 'personal data') is any information that can identify you as an individual. We process many different types of personal information (for example, your name, address and date of birth). We may process personal data relating to criminal convictions and offences if we have your consent to do so or for fraud prevention purposes.

We may also process 'special categories' of personal information (for example, information relating to your health) when you have given us your explicit consent to do so. Note that if you provide us with documents that contain, or otherwise volunteer to us, data that constitutes a special category of personal information, then you will be regarded as giving your explicit consent to us processing that data as described in this privacy notice. We will always seek to confirm with you that this is the case. If you do not consent to us processing special categories of personal information about you, then that may limit what we are able to do for you. Note that we process this information so that we can treat you fairly and according to your needs. 

If you have made an application on behalf of another individual, a joint application with another individual, or an application on behalf of a business, charity, trust or other organisation and have provided us with personal information in relation to its directors, shareholders, owners, trustees or beneficiaries (as applicable), or if you have provided us with personal information in relation to any guarantor, provider of security, donor or lender of any deposit monies or any occupier of any security property, then this privacy notice will also apply to the information that we collect or obtain about those individuals. You must provide a copy of this notice to those individuals as soon as possible and obtain their confirmation that they have read and understood it. 

 

Why we process your personal information

We process your personal information for a variety of reasons, upon different legal bases, depending on the reason for which we have collected or obtained your personal information. The main types of processing that we carry out and the legal basis for doing so are as follows:

  • We process your personal information in order to consider and process your application for, or enquiry regarding, our credit and/or savings products. This is necessary in order to take steps at your request before we enter into an agreement with you and is also necessary for our legitimate interests (i.e. in deciding whether or not we can offer you the product you have applied for). This type of processing is required in order for you to enter into an agreement with us. If you do not provide it then we cannot proceed with your application. In respect of fraud searches and identity verification, this processing is necessary for our legitimate interests (i.e. fraud prevention) and compliance with our legal obligations.
  • If your application is accepted we will process your personal information in order to administer your account in a number of ways. This will include, for example, collecting loan repayments; providing you with account statements, notices, and other information such as changes to your interest rate; managing any arrears on your account; enforcing any security that we have in place; and dealing with any queries or complaints that you may have. This type of processing is necessary for the performance of our contract with you and in order to fulfil our legal obligations. 
  • We will also process your personal information to manage our business operations, for example, our internal governance functions, which will include monitoring communications and activities in relation to your account (see further detail in relation to monitoring communications below), and for accounting and audit purposes. We have legitimate interests in doing so (i.e. it is necessary for our business and compliance purposes) and we may also have legal obligations to fulfil. 
  • If your application is declined we will store your personal information in accordance with our record retention procedures and to comply with our legal obligations.
  • If we are considering acquiring your credit agreement with another lender from that other lender (for example, if we buy a portfolio of credit agreements and your credit agreement is included within that portfolio), we will process your personal information for the purposes of undertaking due diligence in regard to that acquisition. This is necessary for our legitimate business interests (i.e. in deciding whether or not we wish to proceed with the acquisition). 
  • If we are dealing with a request you have made in order to exercise your legal and regulatory rights (including those referred to in the ‘Your rights under applicable data protection law’) below, this will be done in order to fulfil our legal obligation to respond to you.
  • We process your personal information for marketing purposes. This is necessary in order to fulfil our legitimate interests of providing you with information about products and services that you may be interested in.
  • We may process your personal information for the purposes of performing statistical analysis and conducting market research. This is necessary in order to fulfil our legitimate interests (i.e. to enable us to better understand our customer base and the markets in which we operate, or may wish to operate). 
  • The personal information that we process when you are browsing our website (such as your IP address) is done so on the basis that we have legitimate interests in doing so (for example, to enable us to tailor the advertisements that we display to you on our website) or that you have given your consent to this by accessing and browsing the website.
  • If you are a guarantor or provider of security, we will process your personal information in order to check that we are able to accept that guarantee or security, and/or to enforce that guarantee or security. This is necessary in order to fulfil our legitimate interests (i.e. to ensure that we are able to recover any sums that we have advanced to our customer should that customer not keep up with their payments to us). 
  • If you are a donor or lender of deposit monies, or an occupier of any security property, we will process your data in order to ensure that there is no conflict between your rights and our rights in respect of the relevant security property. This is necessary in order to fulfil our legitimate interests (i.e. to ensure that we are able to enforce our rights in respect of the security property should our customer not keep up with their repayments to us).

Any consent that you give us will be as easy to withdraw as it was to give. Withdrawing your consent does not affect the lawfulness of any processing which occurred prior to the withdrawal of consent. If you do this, and if there is no alternative legal basis upon which we may process your personal information for a particular purpose, then this may affect what we can do for you.

 

Who your personal information may be shared with

We may share your personal information with the following third parties:

  • Anyone acting on your behalf with authority to do so, such as a debt charity, power of attorney or your professional advisors.
  • Credit reference agencies (CRAs) and fraud prevention agencies in order to perform credit and fraud searches and to verify your identity. This type of processing is necessary for our legitimate interests (i.e. fraud prevention) and compliance with our legal obligations. 
  • Legal and regulatory bodies, such as the Financial Conduct Authority, the Prudential Regulation Authority, HMRC, the Information Commissioner's Office (ICO), the Financial Ombudsman Service (FOS), fraud prevention agencies, our professional advisors and/or the courts when it is necessary for our legitimate interests (e.g. to obtain legal advice or for fraud prevention purposes) and/or when we have a legal obligation to do so. 
  • Organisations that provide us with business support services. For example, account service and administration companies, back-up and server hosting, IT software and maintenance and platforms, document storage and management services, receivers, repossession agents, recoveries agents and property valuers. This processing is undertaken as it is necessary for the performance of our agreement with you and is necessary for our legitimate interests (i.e. for our commercial operations).
  • Other companies within the Shawbrook Group for the purposes of enabling our parent entities to exercise oversight of our business. This processing is necessary for our legitimate interests (e.g. to enable our parent entities to manage us effectively) and may also be necessary to enable us to fulfil our legal obligations (e.g. to enable us to comply with our corporate governance requirements). We may also share your personal information with Shawbrook Group companies so that they can provide you with relevant products and services. This type of processing is necessary to enable us to take steps at your request prior to you entering into a contract with a company within the Shawbrook Group. 
  • Third parties who have introduced you to us (e.g. an intermediary or broker) in order for them to manage their records about you, to ensure that the type of business that they refer to us is appropriate and to help us to resolve any complaint made by you and/or any dispute between you and us. This type of processing is necessary for our legitimate business interests (e.g. to help us to ensure that the intermediary or broker is fulfilling the terms of their contract with us) and in order for us to fulfil our legal obligations (e.g. our complaint-handling obligations). 
  • Market research organisations who we engage to assist us in developing and improving our products and services. This type of processing is necessary for our legitimate interests (e.g. for our commercial operations).
  • Any person or entity that is to provide, or has provided, any security of guarantee (and their professional advisors) in respect of your agreement with us and their professional advisors. This type of processing is necessary for the fulfilment of our contract with you (e.g. to enable us to recover any sums we have advanced under our agreement with you).
  • Any entity (and their professional advisors) that provides funding to us or members of the Shawbrook Group (for example, the Bank of England), any entity that provides us with debt or equity finance and any potential purchasers of any part of our business. This type of processing is necessary for our legitimate interests (e.g. to enable us to fund our business).

As mentioned above, if you voluntarily provide us with special categories of your personal information, this will be regarded as constituting your explicit consent to us processing such information. This includes us sharing that information with third parties as necessary. For example, if you provide information relating to a complaint you have made or any financial difficulties you may be experiencing, then you will be consenting to us sharing that information with our professional advisors, any third party who introduced you to us (e.g. an intermediary or broker), administration companies or the FOS (as is relevant). However, we will always seek to confirm with you that you do, in fact, consent to us processing special categories of your personal information that you have voluntarily provided to us, and to us sharing that information with third parties as necessary. 

 

How we collect and obtain your personal information

We may collect your personal information directly from you a number of ways, including: 

  • when you apply for a savings or credit product on our website (shawbrook.co.uk), through a postal application or direct with one of our employees; 
  • when you provide it on-line or by any other method of communication, for example, on "contact us" forms, or when you provide it through the course of our relationship, for example, if you inform us of a change in your circumstances or if you make a subsequent application to us (for example, an application for another of our products); and
  • technical information, including the Internet Protocol (IP) address used to connect to the internet, may be collected from you when you visit our website.

We may obtain your personal information indirectly from third parties in the following ways:

  • through one of our partner organisations (for example, a credit broker, a supplier of retail, home improvement, motor or holiday ownership goods and services or a provider of investment or wealth management services) on their website, in-store, or if you visit their office or if they visit your home;
  • following an introduction to us by another third party, such as an accountancy firm, law firm or management consultancy;
  • if another person provides your information to us when they apply to obtain a product from us:
    • on your behalf;
    • that is to be held jointly with you;
    • on behalf of a business, charity, trust or other organisation of which you are a director, shareholder, owner, trustee or beneficiary (as applicable); or
    • and have nominated you as a guarantor under our agreement with them, or to provide any other security, or informed us that you are a donor or lender of any deposit monies or occupier of any security property;
  • from fraud prevention agencies, credit reference agencies, Companies House or IntegriCheck (which is publicly available) when we carry out searches for the purposes of processing your application and/or during the course of your relationship with us; or
  • if you have a credit agreement with another lender and we buy it from that lender (for example, if we buy a portfolio of credit agreements and your credit agreement is included within that portfolio).

If you are applying to us through a third party then they should have provided you with their own privacy notice in order to tell you (whether online or in person) how they may process your personal information. They should have also told you that credit reference and fraud prevention agency checks will be performed before we consider your application more fully and that your personal information is being shared with us for the purposes and uses set out in this privacy notice. If the third party did not tell you this, then you should let us know immediately by contacting our Data Protection Officer using the contact information set-out in the ‘Introduction’ section of this privacy notice.

 

Credit reference checks 

In order to process your application, we will perform credit and identity checks on you with one or more CRAs. Where you take banking services from us we may also make periodic searches at CRAs to manage your account with us. 

To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

  • Assess your creditworthiness and whether you can afford to take the product;
  • Verify the accuracy of the data you have provided to us;
  • Prevent criminal activity, fraud and money laundering;
  • Manage your account(s);
  • Trace and recover debts; and
  • Ensure any offers provided to you are appropriate to your circumstances.

We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders. 

If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail in the CRA information notice (CRAIN). CRAIN is accessible from each of the three CRAs – clicking on any of these three links will also take you to the same CRAIN document: Callcredit www.callcredit.co.uk/crain; Equifax: www.equifax.co.uk/crain; Experian: www.experian.co.uk/crain/index.html.

 

International transfers of your personal information

Your personal information may be transferred outside the UK and the European Economic Area (EEA) to Jersey and Guernsey, if that is necessary to enable us to take steps at your request prior to you entering into a contract with our subsidiary, Shawbrook International Limited (which has offices in those jurisdictions). The European Commission has made adequacy decisions in respect of both Jersey and Guernsey, ruling that they provide adequate protections for personal information under applicable laws. Should we transfer your personal information to any other territories or countries outside the EEA we will take such steps as are necessary to ensure appropriate safeguards apply to maintain the same levels of protection as are needed under data protection laws in the UK. If we do so you may contact us to obtain a copy of the applicable safeguards.

 

Automated decision making

We may perform automated processing (i.e. processing that is carried out without human intervention) on your personal information, to evaluate certain things about you. In particular, we may do this to analyse or predict (amongst other things) your economic situation, credit history, age, personal preferences, interests or behaviour. This could mean that automated decisions (i.e. decisions that are made without human intervention) are made about you using your personal information. For example, if you do not meet an element of our lending criteria (such as being over 18 or being a resident in the UK) any application for credit will be automatically declined. If you do meet our lending criteria, the amount we lend, the term of your loan and the interest we charge on your loan will be determined by your credit status.

We may automatically decide that you pose a fraud or money laundering risk as a result of our fraud prevention searches or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making; if you want to know more, please contact our Data Protection Officer using the contact information set-out in the ‘Introduction’ section of this privacy notice.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact our Data Protection Officer.

 

Your rights under applicable data protection law 

Your personal information is protected under data protection law and you have a number of rights (explained below) which you can seek to exercise. Please contact our Data Protection Officer using the contact information set-out in the ‘Introduction’ section of this privacy notice if you wish to do so, or if you have any queries in relation to your rights.

If you seek to exercise your rights we will explain to you whether or not the right applies to you; these rights do not apply in all circumstances. Please be aware that if your request is manifestly unfounded or excessive we may refuse to deal with your request or may charge a reasonable fee for dealing with it.

Right to access

You have the right to access the personal information held about you and to obtain certain prescribed information about how we process it. This is more commonly known as submitting a 'data subject access request'. We may request proof of your identity before sharing such information.
 

Right to rectify your personal information

If you discover that the information we hold about you is inaccurate or incomplete, you have the right to have this information rectified (i.e. corrected).

Right to be forgotten

You may ask us to delete information we hold about you in certain circumstances, this is often referred to as the 'right to be forgotten'. This right is not absolute and only applies in particular circumstances. It may not therefore be possible for us to delete the information we hold about you, for example, if we have an ongoing relationship or are required to retain information to comply with our legal obligations or to exercise or defend legal claims.

Right to restriction of processing

In some cases you may have the right to have the processing of your personal information restricted. For example, where you contest the accuracy of your personal information, it may be restricted until the accuracy is verified, or where the processing is unlawful but you object to it being deleted and request that it is restricted instead.

Right to object to processing

You may object to the processing of your personal information (including profiling) when it is based upon our legitimate interests. You may also object to the processing of your personal information for the purposes of direct marketing (including profiling to the extent it relates to direct marketing) and for the purposes of statistical analysis.

Right to data portability

You have the right to receive, move, copy or transfer your personal information to a controller which is also known as 'data portability'. You have the right to this when we are processing your personal information based on consent or on a contract and the processing is carried out by automated means. You should note that this right is different from the right of access (see above) and the types of information you can obtain under the two separate rights may be different.

 

How long your personal information will be stored for

We only keep your personal information for as long as it is necessary to fulfil the purposes for which it is processed (as described above).

In accordance with our retention policy, we will retain your personal information for a minimum of six years from the end of our business relationship with you. Our business relationship will be deemed to be at an end on the date upon which your account is closed (which will either be when all outstanding sums under the agreement have been repaid or when we stop pursuing arrears on the account), or when your application has been declined, or when you decide not to proceed with an application or enquiry to us.

Please note that if your personal information is shared with third parties (as detailed above) they may have different retention policies. Fraud prevention agencies can hold your personal data for different periods of time; if you are considered to pose a fraud or money laundering risk, note that your data can be held by them for up to six years. Further information in respect of how fraud prevention agencies may hold your personal information can be found at www.shawbrook.co.uk/fair-processing-notice.

 

Keeping your information accurate

We strive to ensure that your personal information is kept up to date and accurate. If any of the personal information you have given to us or third parties changes, such as your contact details, home ownership status, employment status or marital status, please promptly inform us in accordance with the terms and conditions of your agreement with us. 

You will be required to provide us with any changes to your personal information under the agreement you enter into with us if your application for a credit or savings product is accepted. If you fail to do so this will put you in breach of your agreement.

 

How we monitor your communications 

Subject to applicable laws, we will monitor and record calls, emails, text messages, social media messages and other communications. We will do this for the purposes of complying with applicable laws and regulations and our own internal policies and procedures, to prevent or detect crime, to protect the security of our communications systems and procedures and for quality control and staff training purposes.

 

What to do if you have concerns or want to make a complaint

If you have any concerns regarding our use of your information please notify our Data Protection Officer as soon as possible using the contact information set-out in the ‘Introduction’ section of this privacy notice. If we cannot resolve a complaint to your satisfaction you can contact the ICO at www.ico.org.uk or by telephoning 0303 123 113 if the complaint relates to the way your personal information has been handled.

 

Shawbrook Group 

Shawbrook Bank Limited is registered in England and Wales. Registered company number: 00388466. Registered office: Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, Essex, CM13 3BE.

The companies in the Shawbrook Group are Shawbrook Bank Limited, Shawbrook International Limited, Shawbrook Buildings and Protection Limited, Shawbrook Group PLC and its related parent company entities and funds.


Last updated: 27 June 2018