Europe's data protection laws have changed dramatically with the introduction of the General Data Protection Regulation, or GDPR, which came into effect on 25 May 2018.
The purpose of GDPR is to bring together all European data protection laws and update them to be relevant in the digital era. The changes aim to boost the rights of individuals and give everyone more control over their information.
At Santander, we're committed to making sure your personal information is safe, and our processes meet the highest standards of data protection. Below you'll find details of our privacy statement which explains how our website and our Online, Mobile and Telephone Banking services use your information and keep it safe.
What happens after Brexit?
At the same time that GDPR took effect across all EU member states, the UK Government passed the Data Protection Act 2018. This replaced the Data Protection Act 1998 and currently sits alongside GDPR. The Data Protection Act 2018 deals with some of the areas of GDPR where member states were allowed to make their own provisions. It also deals with processing which does not fall within EU law by applying GDPR standards to that processing.
Whilst the UK remains a member of the EU, all the rights and obligations of EU membership, including ensuring compliance with GDPR, remain in force. When the UK leaves the EU, the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill, currently before Parliament, so that standards remain.
We are Santander UK plc, the data controller. You can contact our Data Protection Officer (DPO) at 201 Grafton Gate East, Milton Keynes, MK9 1AN if you have any questions.
This is our Privacy Statement which explains how we obtain, use and keep your personal data safe in relation to the Santander website (santander.co.uk), Santander Online Banking website for Personal, Business and Corporate customers, Santander Investing website (https://www.santander.co.uk/personal/savings-and-investments/investments), Santander Investment Hub website (investmenthub.santander.co.uk).
Your personal data is data which by itself or with other data available to us can be used to identify you.
We're committed to keeping your personal information safe in accordance with applicable data protection laws.
The types of personal data we collect and use
The types of personal data we capture and use will depend on what you are doing on the website. We’ll use your personal data for some or all of the reasons set out in this Privacy Statement. If you become a customer we’ll also use it to manage the account, policy or service you’ve applied for and we’ll provide you with a separate data protection statement specifically in relation to that as part of the online application journey. Some of the information relevant to that is included in this Privacy Statement for consistency. Examples of the personal data we use in relation to our websites may include:
- Full name and personal details including contact information (e.g. home address and address history, email address, home and mobile telephone numbers);
- Date of birth and/or age (e.g. to make sure that you are eligible to apply for a product or service);
- Financial details (e.g. salary and details of other income, and details of accounts held with other providers if you apply for a product or service with us);
- Records of products and services you’ve obtained or applied for, how you use them and the relevant technology used to access or manage them (e.g. mobile phone location data, IP address, MAC address);
- Biometric data (e.g. fingerprints and voice recordings for Touch ID and voice recognition);
- Information from credit reference or fraud prevention agencies, electoral roll, court records of debt judgements and bankruptcies and other publicly available sources as well as information on any financial associates you may have if you apply for a product or service with us;
- Family, lifestyle or social circumstances if relevant to the product or service you apply for (e.g. the number of dependants you have);
- Education and employment details/employment status for credit and fraud prevention purposes if you apply for a product or service with us; and
- Personal data about other named individuals as required. Where you provide the personal data of others you must have their authority to provide their personal data to us and share this Privacy Statement and any related data protection statement with them beforehand together with details of what you’ve agreed on their behalf.
Providing your personal data
We’ll tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases, if you fail to provide the requested personal data, we may be unable to process or respond to your application, query or service.
Monitoring of communications
Subject to applicable laws, we’ll monitor and record your calls, emails, text messages, social media messages and other communications in relation to your dealings with us. We’ll do this for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications systems and procedures, to check for obscene or profane content, for quality control and staff training, and when we need to see a record of what’s been said. If you take out an account or service with us, we may also monitor activities on your account/service where necessary for these reasons and this is justified by our legitimate interests or our legal obligations.
Using your personal data: the legal basis and purposes
We’ll process my personal data:
1. As necessary to perform your contract with you for the relevant account, policy or service:
a) To take steps at your request prior to entering into it;
b) To decide whether to enter into it;
c) To manage and perform that contract;
d) To update our records; and
e) To trace your whereabouts to contact you about your account and recovering debt.
e) If a 123 Mini Account is opened in trust, you understand that the trustee may have to hold a qualifying account for this account to remain open.
2. As necessary for our own legitimate interests or those of other persons and organisations, e.g.:
a) For good governance, accounting, and managing and auditing our business operations;
b) To search at credit reference agencies at your home and business address (if you are a business customer) if you’re over 18 and apply for credit;
c) To monitor emails, calls, other communications, and activities on your account;
d) For market research, analysis and developing statistics; and
e) To send you marketing communications and for marketing to you in-branch, including automated decision making relating to this.
3. As necessary to comply with a legal obligation, e.g.:
a) When you exercise your rights under data protection law and make requests;
b) For compliance with legal and regulatory requirements and related disclosures;
c) For establishment and defence of legal rights;
d) For activities relating to the prevention, detection and investigation of crime;
e) To verify your identity, make credit, fraud prevention and anti-money laundering checks; and
f) To monitor emails, calls, other communications, and activities on your account.
4. Based on your consent, e.g.:
a)When you request us to disclose your personal data to other people or organisations such as a company handling a claim on your behalf, or otherwise agree to disclosures;
b)When we process any special categories of personal data about you at your request (e.g. your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation); and
c)To send you marketing communications where we’ve asked for your consent to do so.
I’m free at any time to change my mind and withdraw my consent. The consequence might be that you can’t do certain things for me.
Sharing of your personal data
Subject to applicable data protection law we may share your personal data with:
- The Santander group of companies* and associated companies in which we have shareholdings;
- Sub-contractors and other persons who help us provide our products and services;
- Companies and other persons providing services to us;
- Our legal and other professional advisors, including our auditors;
- Fraud prevention agencies, credit reference agencies, and debt collection agencies at account opening and periodically during account or service management;
- Other organisations who use shared databases to do income verification and affordability checks and to manage/collect arrears;
- Law enforcement bodies;
- Government bodies and agencies in the UK and overseas (e.g. HMRC who may in turn share it with relevant overseas tax authorities and with regulators e.g. the Prudential Regulatory Authority, the Financial Conduct Authority, the Information Commissioner’s Office);
- Courts, to comply with legal requirements, and for the administration of justice;
- The Financial Services Ombudsman;
- In an emergency or to otherwise protect your vital interests;
- To protect the security or integrity of our business operations;
- To other parties connected with your account (e.g. guarantors and other people named on the application); joint account holders will see your transactions;
- When we restructure or sell our business or its assets or have a merger or re-organisation;
- Market research organisations who help to improve our products or services;
- Payment systems (e.g. Visa or MasterCard) if we issue cards linked to your account; they may transfer your personal data to others to process transactions, resolve disputes and for statistical purposes, including by sending your personal data overseas; this is necessary to operate your account and for regulatory purposes; and
- Anyone else where we have your consent or as required by law.
In some instances your personal data may be transferred outside the UK and the European Economic Area. While some countries have adequate protections for personal data under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to it. These include imposing contractual obligations of adequacy or requiring the recipient to subscribe or be certified with an ‘international framework’ of protection. More details can be found in our ‘Using My Personal Data’ booklet (122 KB).
If you apply for an account online, before you enter any personal details into the online form, we'll tell you how your information will be used in our data protection statement relevant to that account, in the ‘Using My Personal Data’ booklet (122 KB) and sometimes in the relevant terms and conditions. You’ll be asked to confirm that you have read these and you’ll be asked to agree to our terms and conditions before your application can proceed.
The data protection statement, in conjunction with the ‘Using My Personal Data’ booklet (122 KB) includes details of the uses we may make of your data, the legal basis we are relying upon to carry out that processing, and who we may share your personal data with. For instance, for credit account applications like loans and bank accounts, we may pass your details to a recognised credit reference agency to help process your application.
We may occasionally send you information about accounts and services which we think would be of interest to you but only where we have your consent or if this is within our legitimate interests (see above for more details about lawful reasons). You can choose to stop receiving information at any time by contacting us.
Contacting us by phone
To help us improve our service we may record or monitor phone calls as explained in the monitoring of communications section as necessary to comply with any legal obligations and for our legitimate interests. View our call charges
Contacting us by email
When you contact us, we may need to collect some personal details like your name, address and phone numbers. Email isn't 100% secure so you shouldn’t send personal data such as your account information using normal email. Please consider another method, such as using chat in Online Banking or calling us, if you need to share personal information.
Emails are stored on our standard internal contact systems which are secure and can't be accessed by external parties. We store this information to identify trends, and for the purposes set out in the monitoring of communications section as necessary to comply with any legal obligations and for our legitimate interests. For more information on the criteria we use to determine our retention periods, see below.
Automated decision making and processing
Automated decision making involves processing your personal data without human intervention to evaluate your personal situation such as your economic position, personal preferences, interests or behaviour, for instance if you have accounts with us, in relation to transactions on your accounts, your payments to other providers, and triggers and events such as account opening anniversaries and maturity dates. We may do this to decide what marketing communications and marketing in-branch is suitable for you, to analyse statistics and assess lending and insurance risks. All this activity is on the basis of our legitimate interests, to protect our business, and to develop and improve our products and services, except as follows; when we do automated decision making including profiling activity to assess lending and insurance risks, this will be performed on the basis of it being necessary to perform the contract with you or to take steps to enter into that contract. Further details can be found in the ‘Using My Personal Data’ booklet (122 KB).
Using our calculators, decision tools, guides and budget planners
To use our range of calculators, tools, guides and budget planners, you'll have to give us details of your financial situation and needs. The information we ask for will depend on what type of product or account you're interested in. By providing any personal data you do so on the basis of your consent. You’re free at any time to withdraw your consent but if you do you won’t be able to use these services.
When you use a calculator, guide, decision tool or budget planner all of the details you provide are anonymous - and once you leave we never store your details, unless, for example, you decide to save a quote.
Using our video services
You can apply for some of our products and services using a video session from your mobile device where you see and hear your Santander adviser in high quality two-way video.
If you use our video services, both the images and the audio will be recorded and may be used for training and monitoring purposes. We’ll use any personal data captured about you for the performance of a contract or/with a view to entering into a contact with us as well as for our legitimate interests for good governance, accounting, managing and auditing our business operations, and to monitor emails, calls, other communications in relation to your dealings with us. Please see the monitoring of communications section for more information and the criteria for retention periods section for more information on the criteria we use to determine our retention periods.
You’re entitled to record your video session only for your own personal use and you should avoid sharing any footage with third parties or posting it on any websites. For your own privacy and protection please ensure that your location doesn't include items and images that you don't wish to be recorded.
Using your personal information for direct marketing
We’ll tell you if we intend to use your information for marketing purposes and we'll give you the opportunity to opt out if you want to (unless we need a consent to use your information for marketing purposes – if we do we’ll seek one). If you receive marketing emails and don't want to in future, please use the unsubscribe link within the email and we’ll remove you from future campaigns.
Surveys and competitions
We'll treat any survey or competition information you provide with the same high standard of care as we do all other customer information, using any details provided strictly within the terms of the competition and this Privacy Statement.
- collect information that will help us understand visitors' browsing habits on our website;
- compile statistical reports on website activity, e.g. number of visitors and the pages they visit;
- temporarily store any information which you may enter in tools, such as calculators or demonstrations on our website; and
- in some cases, remember information about you when you visit our site. We may need to do this to provide some of our services e.g. if you use the 'Remember my ID' tool when logging on to Online Banking.
Criteria used to determine retention periods (whether or not you become a customer)
The following criteria are used to determine data retention periods for your personal data:
- Retention in case of queries. We’ll retain your personal data as long as necessary to deal with your queries (e.g. if your application is unsuccessful) or for a sensible period in order for us to reply to your online query and then deal with queries you raise upon receipt);
- Retention in case of claims. We’ll retain your personal data for as long as you might legally bring claims against us; and
- Retention in accordance with legal and regulatory requirements. We’ll retain your personal data after your account, policy or service has been closed or has otherwise come to an end based on our legal and regulatory requirements.
Your rights under applicable data protection law
Your rights are as follows (noting that these rights don’t apply in all circumstances and that data portability is only relevant from May 2018):
- The right to be informed about our processing of your personal data;
- The right to have your personal data corrected if it’s inaccurate and to have incomplete personal data completed;
- The right to object to processing of your personal data;
- The right to restrict processing of your personal data;
- The right to have your personal data erased (the “right to be forgotten”);
- The right to request access to your personal data and information about how we process it;
- The right to move, copy or transfer your personal data (“data portability”); and
- Rights in relation to automated decision making including profiling.
You have the right to complain to the Information Commissioner’s Office. It has enforcement powers and can investigate compliance with data protection law: ico.org.uk
For more details on all the above you can contact our DPO, view the ‘Using My Personal Data' booklet (122 KB) or ask for a copy in branch.
Data anonymisation and aggregation
Your personal data may be converted into statistical or aggregated data which can’t be used to identify you, then used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described above.
For more information on the Santander group companies, please see the ‘Using My Personal Data’ booklet (122 KB).
Changes to this Privacy Statement
We’ll notify you if there are any material changes to this Privacy Statement if required by applicable law or where we intend to process your personal data for a new purpose before we start that new processing activity.
Legal statement about this Privacy Statement
This Privacy Statement is not designed to form a legally binding contract between Santander and users of our website or online services.
Links to other websites
Certain hypertext links in this website may lead you to websites which are not under the control of Santander UK plc. When you activate these, you may leave the santander.co.uk website. These links are provided solely for your convenience and do not represent any endorsement or recommendation by Santander UK plc.
We accept no responsibility or liability for the contents of any website to which a hypertext link exists and gives no representation or warranty as to the information on such websites. We accept no responsibility or liability for any loss arising from any contract entered into with any website to which a hypertext link exists.
No liability for unavailability
We accept no liability for any loss that may arise if the goods or services advertised within this website become unavailable.
Contacting us about our Privacy Statement
Contact us, or write to our DPO at 201 Grafton Gate East, Milton Keynes, MK9 1AN if you have any questions.
It is your responsibility to ensure that your computer is virus protected. We accept no responsibility for any loss you may suffer as a result of accessing and downloading information from this site.
Easy ways to protect yourself from danger
There are some things you can do to protect your personal information online. It's by no means exhaustive but will help make sure you don't fall foul of Internet fraud:
- Never share a One Time Passcode (OTP) with another person, not even a Santander employee.
- Do not log on using a public computer.
- Always access Online Banking by typing https://www.santander.co.uk into your web browser and logging on via our website.
- Never enter your Online Banking details after clicking on a link in an email or text message
- Do not send confidential information by email as it’s not secure and there is always a risk it could be intercepted.
- If you’re logged into any online service, do not leave your computer unattended. Close down your internet browser once you’ve logged off.
- Never download software or let anyone log on to your computer or devices remotely, during or after a cold call.
For more information about staying safe online you can visit our Fraud and Security page
Secure Online Services
You can easily identify secure websites by looking at the address in the top of your browser which will begin https:// rather than http://.
All information passed between you and Santander when using our online services is sent using secure industry standard encryption.
Send us a tweet
Please don’t tweet your personal
or banking details