Shawbrook Bank Limited (the Bank, we, us and our) is committed to protecting your privacy. This notice sets out the personal information that we may collect or obtain about you and how we treat that information.
For the purposes of applicable data protection legislation, we are a data controller in respect of the information that we collect or obtain about you. This is because the Bank is the person who (either acting alone or jointly with others) determines why and how your personal information is processed.
Please contact our Data Protection Officer on 01277 751110, or by writing to them at Shawbrook Bank Limited, Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, Essex, CM13 3BE, if you have any queries about this privacy notice or if you wish to exercise any of your rights in respect of data protection (as detailed below).
Your personal information will be collected or obtained by us whether we deal with you as an individual or on behalf of an individual, business, charity, trust or other organisation that you represent. Broadly, personal information (or 'personal data') is any information that can identify you as an individual. We process many different types of personal information (for example, your name, address and date of birth). We may process personal data relating to criminal convictions and offences if we have your consent to do so or for fraud prevention purposes.
We may also process 'special categories' of personal information (for example, information relating to your health) when you have given us your explicit consent to do so. Note that if you provide us with documents that contain, or otherwise volunteer to us, data that constitutes a special category of personal information, then you will be regarded as giving your explicit consent to us processing that data as described in this privacy notice.
If you have made an application on behalf of another individual, a joint application with another individual, or an application on behalf of a business, charity, trust or other organisation and have provided us with information in relation to its directors, shareholders, owners, trustees or beneficiaries (as applicable), then this privacy notice will also apply to the information that we collect or obtain about those individuals. You must provide a copy of this notice to those individuals as soon as possible and obtain their confirmation that they have read and understood it.
We process your personal information for a variety of reasons, upon different legal bases, depending on the reason for which we have collected or obtained your personal information. The main types of processing that we carry out and the legal basis for doing so are as follows:
Any consent that you give us will be as easy to withdraw as it was to give. Withdrawing your consent does not affect the lawfulness of any processing which occurred prior to the withdrawal of consent. If you do this, and if there is no alternative legal basis upon which we may process your personal information for a particular purpose, then this may affect what we can do for you.
We may share your personal information with the following third parties:
As mentioned above, if you voluntarily provide us with special categories of your personal information, this will be regarded as constituting your explicit consent to us processing such information. This includes us sharing that information with third parties as necessary. For example, if you provide information relating to a complaint you have made or any financial difficulties you may be experiencing, then you will be consenting to us sharing that information with our professional advisors, any third party who introduced you to us (e.g. an intermediary or broker), administration companies or the FOS (as is relevant).
We may collect your personal information directly from you a number of ways, including:
We may obtain your personal information indirectly from third parties in the following ways:
If you are applying to us through a third party then they should have provided you with their own privacy notice in order to tell you (whether online or in person) how they may process your personal information. They should have also told you that credit reference and fraud prevention agency checks will be performed before we consider your application more fully and that your personal information is being shared with us for the purposes and uses set out in this privacy notice. If the third party did not tell you this, then you should let us know immediately by contacting our Data Protection Officer using the contact information set-out in the ‘Introduction’ section of this privacy notice.
In order to process your application, we will perform credit and identity checks on you with one or more CRAs. Where you take banking services from us we may also make periodic searches at CRAs to manage your account with us.
To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail in the CRA information notice (CRAIN). CRAIN is accessible from each of the three CRAs – clicking on any of these three links will also take you to the same CRAIN document: Callcredit www.callcredit.co.uk/crain; Equifax: www.equifax.co.uk/crain; Experian: www.experian.co.uk/crain/index.html.
Your personal information may be transferred outside the UK and the European Economic Area (EEA) to Jersey and Guernsey, if that is necessary to enable us to take steps at your request prior to you entering into a contract with our subsidiary, Shawbrook International Limited (which has offices in those jurisdictions). The European Commission has made adequacy decisions in respect of both Jersey and Guernsey, ruling that they provide adequate protections for personal information under applicable laws. Should we transfer your personal information to any other territories or countries outside the EEA we will take such steps as are necessary to ensure appropriate safeguards apply to maintain the same levels of protection as are needed under data protection laws in the UK. If we do so you may contact us to obtain a copy of the applicable safeguards.
We may perform automated processing (i.e. processing that is carried out without human intervention) on your personal information, to evaluate certain things about you. In particular, we may do this to analyse or predict (amongst other things) your economic situation, credit history, age, personal preferences, interests or behaviour. This could mean that automated decisions (i.e. decisions that are made without human intervention) are made about you using your personal information. For example, if you do not meet an element of our lending criteria (such as being over 18 or being a resident in the UK) any application for credit will be automatically declined. If you do meet our lending criteria, the amount we lend, the term of your loan and the interest we charge on your loan will be determined by your credit status.
We may automatically decide that you pose a fraud or money laundering risk as a result of our fraud prevention searches or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making; if you want to know more, please contact our Data Protection Officer using the contact information set-out in the ‘Introduction’ section of this privacy notice.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact our Data Protection Officer.
Your personal information is protected under data protection law and you have a number of rights (explained below) which you can seek to exercise. Please contact our Data Protection Officer using the contact information set-out in the ‘Introduction’ section of this privacy notice if you wish to do so, or if you have any queries in relation to your rights.
If you seek to exercise your rights we will explain to you whether or not the right applies to you; these rights do not apply in all circumstances. Please be aware that if your request is manifestly unfounded or excessive we may refuse to deal with your request or may charge a reasonable fee for dealing with it.
Right to access
You have the right to access the personal information held about you and to obtain certain prescribed information about how we process it. This is more commonly known as submitting a 'data subject access request'. We may request proof of your identity before sharing such information.
Right to rectify your personal information
If you discover that the information we hold about you is inaccurate or incomplete, you have the right to have this information rectified (i.e. corrected).
Right to be forgotten
You may ask us to delete information we hold about you in certain circumstances, this is often referred to as the 'right to be forgotten'. This right is not absolute and only applies in particular circumstances. It may not therefore be possible for us to delete the information we hold about you, for example, if we have an ongoing relationship or are required to retain information to comply with our legal obligations or to exercise or defend legal claims.
Right to restriction of processing
In some cases you may have the right to have the processing of your personal information restricted. For example, where you contest the accuracy of your personal information, it may be restricted until the accuracy is verified, or where the processing is unlawful but you object to it being deleted and request that it is restricted instead.
Right to object to processing
You may object to the processing of your personal information (including profiling) when it is based upon our legitimate interests. You may also object to the processing of your personal information for the purposes of direct marketing (including profiling to the extent it relates to direct marketing) and for the purposes of statistical analysis.
Right to data portability
You have the right to receive, move, copy or transfer your personal information to a controller which is also known as 'data portability'. You have the right to this when we are processing your personal information based on consent or on a contract and the processing is carried out by automated means. You should note that this right is different from the right of access (see above) and the types of information you can obtain under the two separate rights may be different.
We only keep your personal information for as long as it is necessary to fulfil the purposes for which it is processed (as described above).
In accordance with our retention policy, we will retain your personal information for a minimum of six years from the end of our business relationship with you. Our business relationship will be deemed to be at an end on the date upon which your account is closed (which will either be when all outstanding sums under the agreement have been repaid or when we stop pursuing arrears on the account) or when your application has been declined.
Please note that if your personal information is shared with third parties (as detailed above) they may have different retention policies. Fraud prevention agencies can hold your personal data for different periods of time; if you are considered to pose a fraud or money laundering risk, note that your data can be held by them for up to six years. Further information in respect of how fraud prevention agencies may hold your personal information can be found at www.shawbrook.co.uk/fair-processing-notice.
We strive to ensure that your personal information is kept up to date and accurate. If any of the personal information you have given to us or third parties changes, such as your contact details, home ownership status, employment status or marital status, please promptly inform us in accordance with the terms and conditions of your agreement with us.
You will be required to provide us with any changes to your personal information under the agreement you enter into with us if your application for a credit or savings product is accepted. If you fail to do so this will put you in breach of your agreement.
Subject to applicable laws, we will monitor and record calls, emails, text messages, social media messages and other communications. We will do this for the purposes of complying with applicable laws and regulations and our own internal policies and procedures, to prevent or detect crime, to protect the security of our communications systems and procedures and for quality control and staff training purposes.
If you have any concerns regarding our use of your information please notify our Data Protection Officer as soon as possible using the contact information set-out in the ‘Introduction’ section of this privacy notice. If we cannot resolve a complaint to your satisfaction you can contact the ICO at www.ico.org.uk or by telephoning 0303 123 113 if the complaint relates to the way your personal information has been handled.
Shawbrook Bank Limited is registered in England. Registered company number: 00388466. Registered office: Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, Essex, CM13 3BE.
The companies in the Shawbrook Group are Shawbrook Bank Limited, Shawbrook International Limited, Shawbrook Buildings and Protection Limited, Shawbrook Group PLC and its related parent company entities and funds.