My personal data is data which, by itself or with other data available to you, can be used to identify me. You are Santander UK plc, the data controller. This data protection statement sets out how you’ll use my personal data. I can contact your Data Protection Officer (DPO) at 201 Grafton Gate East, Milton Keynes, MK9 1AN if I have any questions.
Where there are two or more people named on this form, this data protection statement applies to each person separately.
The types of personal data you collect and use
Whether or not I become a customer, you’ll use my personal data for the reasons set out below and if I become a customer you’ll use it to manage the account, policy or service I’ve applied for. You’ll collect most of this directly during the application journey. The sources of personal data collected indirectly are mentioned in this statement. The personal data you use may be about me as a personal or business customer and may include:
Providing my personal data
You’ll tell me if providing some personal data is optional, including if you ask for my consent to process it. In all other cases I must provide my personal data so you can process my application (unless I’m a customer and you already hold my details).
Monitoring of communications
Subject to applicable laws, you’ll monitor and record my calls, emails, text messages, social media messages and other communications in relation to my dealings with you. You’ll do this for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of your communications systems and procedures, to check for obscene or profane content, for quality control and staff training, and when you need to see a record of what’s been said. You may also monitor activities on my account where necessary for these reasons and this is justified by your legitimate interests or your legal obligations.
Using my personal data: the legal basis and purposes
You’ll process my personal data:
As necessary to perform your contract with me for the relevant account, policy or service:
As necessary for your own legitimate interests or those of other persons and organisations, e.g.:
As necessary to comply with a legal obligation, e.g.:
Based on my consent, e.g.:
I’m free at any time to change my mind and withdraw my consent. The consequence might be that you can’t do certain things for me.
Sharing of my personal data
Subject to applicable data protection law you may share my personal data with:
My personal data may be transferred outside the UK and the European Economic Area. While some countries have adequate protections for personal data under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to it. These include imposing contractual obligations of adequacy or requiring the recipient to subscribe or be certified with an ‘international framework’ of protection. Further details can be found in the ‘Using My Personal Data’ booklet.
Where I may have international business needs, you will share information relating to my company, products and accounts, including transactional information, with Banco Santander S.A., Santander group companies and other partner banks who may be based in other countries, to better support the international operations of my company and decide whether to offer my company other products and services.
For more information on who those other Santander group companies or other partner banks are, I can contact my Relationship Team or call you on 0800 731 6666. The data shared will include information on my company’s financial position, its auditable accounts, its directors and shareholders and any information held about the company by Santander, such as information about transactions carried out on my accounts with Santander and information regarding any other products and services that I receive from you. You will do this on the basis of your legitimate interests. If I do not want you to share my data in this manner I can speak to you. Unless I have agreed otherwise, if you believe I may have international business needs you will check whether I have accounts held with other Santander group companies. If there are products or services that you or your group of companies or partner banks think may meet my needs you may tell me about these. I can amend my marketing preferences at any time by contacting you.
Identity verification and fraud prevention checks
The personal data you’ve collected from me at application or at any stage will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify my identity. If fraud is detected, I could be refused certain services, finance or employment in future. You may also search and use your internal records for these purposes. Further details on how my personal data will be used by you and these fraud prevention agencies, and my data protection rights, can be found in the ‘Using My Personal Data’ booklet.
Credit reference checks (for credit applications only, including Business Current Accounts, Business Reserve Accounts and Business Loan Accounts)
If I’ve applied for a credit product then in order to process my application, you’ll perform credit and identity checks on me at my home and business address with one or more credit reference agencies. To do this you’ll supply my personal data to the credit reference agencies and they’ll give you information about me. When you carry out a search at the credit reference agencies they’ll place a footprint on my credit file. A credit search may be: a) a quotation search where a soft footprint is left. This has no effect on my credit score, and lenders are unable to see this; or b) a hard footprint where I’ve agreed/requested Santander to proceed with my application for credit. This footprint will be viewable by other lenders and may affect my ability to get credit elsewhere. You’ll also continue to exchange information about me with credit reference agencies while I have a relationship with you. The credit reference agencies may in turn share my personal information with other organisations. The personal data shared with the credit references will relate to me and my business. Details about my application (whether or not it’s successful) will be recorded and you’ll give details of me, the business and my accounts and how I manage them to credit reference agencies. If I do not repay any debt in full or on time, they’ll record the outstanding debt and supply this information to others performing similar checks, to trace my whereabouts and to recover debts that I owe. Records remain on file for 6 years after they are closed, whether settled by me or defaulted. A financial association link between joint applicants or between myself and any named business partner or individual will be created at the credit reference agencies. This will link our financial records (including records of any previous and subsequent names) and be taken into account in all future applications by either or both of us until either of us apply for a notice of disassociation with the credit reference agencies.
If I am a director you will seek confirmation from the credit reference agencies that the residential address that I provide is the same as that shown on the restricted register of directors’ usual addresses at Companies House.
The identities of the credit reference agencies, and the ways in which they use and share personal information is explained in more detail in the ‘Using My Personal Data’ booklet, or via the Credit Reference Agency Information Notice (CRAIN) document which can be accessed via any of the following links:
My marketing preferences and related searches
You’ll use my home address, phone numbers, email address and social media (e.g. Facebook, Google and message facilities in other platforms) to contact me according to my preferences. I can change my preferences or unsubscribe at any time by contacting you. In the case of social media messages I can manage my social media preferences via that social media platform. If I’m over 18, you may search the files at credit reference agencies before sending marketing communications or doing marketing in-branch to me about credit. The credit reference agencies don’t record this particular search or show it to other lenders and it won’t affect my credit rating. You do this as part of your responsible lending obligations which is within your legitimate interests.
If I have previously told you that I don’t want information on other products and services or to be included in market research, you’ll continue to respect my wishes.
Automated decision making and processing
Automated decision making involves processing my personal data without human intervention to evaluate my personal situation such as my economic position, personal preferences, interests or behaviour, for instance in relation to transactions on my accounts, my payments to other providers, and triggers and events such as account opening anniversaries and maturity dates. You may do this to decide what marketing communications and marketing in-branch is suitable for me, to analyse statistics and assess lending and insurance risks. All this activity is on the basis of your legitimate interests, to protect your business, and to develop and improve your products and services, except as follows; when you do automated decision making including profiling activity to assess lending and insurance risks, this will be performed on the basis of it being necessary to perform the contract with me or to take steps to enter into that contract. Further details can be found in the ‘Using My Personal Data’ booklet.
Other information about me as a business customer
You may also hold all the information I give to you (i.e. name, address, date of birth, nationality) in order to undertake periodic due diligence checks which banks are required to undertake to comply with UK legislation.
Criteria used to determine retention periods (whether or not I become a customer)
The following criteria are used to determine data retention periods for my personal data:
Retention in case of queries. You’ll retain my personal data as long as necessary to deal with my queries (e.g. if my application is unsuccessful);
Retention in case of claims. You’ll retain my personal data for as long as I might legally bring claims against you; and
Retention in accordance with legal and regulatory requirements. You’ll retain my personal data after my account, policy or service has been closed or has otherwise come to an end based on your legal and regulatory requirements.
My rights under applicable data protection law
My rights are as follows (noting that these rights don’t apply in all circumstances and that data portability is only relevant from May 2018):
The right to be informed about your processing of my personal data;
The right to have my personal data corrected if it’s inaccurate and to have incomplete personal data completed;
The right to object to processing of my personal data;
The right to restrict processing of my personal data;
The right to have my personal data erased (the “right to be forgotten”);
The right to request access to my personal data and information about how you process it;
The right to move, copy or transfer my personal data (“data portability”); and
Rights in relation to automated decision making including profiling.
I have the right to complain to the Information Commissioner’s Office. It has enforcement powers and can investigate compliance with data protection law: ico.org.uk
For more details on all the above I can contact your DPO or request the ‘Using My Personal Data’ booklet by asking for a copy in branch or online at santander.co.uk
Data anonymisation and aggregation
My personal data may be converted into statistical or aggregated data which can’t be used to identify me, then used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described above.
For more information on the Santander group companies, please see the ‘Using My Personal Data’ booklet.