Data Protection Statement

My personal data is data which, by itself or with other data available to you, can be used to identify me. You are Santander UK plc, the data controller. This data protection statement sets out how you’ll use my personal data. I can contact your Data Protection Officer (DPO) at 201 Grafton Gate East, Milton Keynes, MK9 1AN if I have any questions.

Where there are two or more people named on this form, this data protection statement applies to each person separately.

The types of personal data you collect and use
Whether or not I become a customer, you’ll use my personal data for the reasons set out below and if I become a customer you’ll use it to manage the account, policy or service I’ve applied for. You’ll collect most of this directly during the application journey. The sources of personal data collected indirectly are mentioned in this statement. The personal data you use may be about me as a personal or business customer and may include:

  • Full name and personal details including contact information (e.g. home and business address and address history, email address, home, business and mobile telephone numbers);
  • Date of birth and/or age (e.g. to make sure that I’m eligible to apply);
  • Financial details (e.g. salary and details of other income, and details of accounts held with other providers);
  • Records of products and services I’ve obtained or applied for, how I use them and the relevant technology used to access or manage them (e.g. mobile phone location data, IP address, MAC address);
  • Biometric data (e.g. fingerprints and voice recordings for TouchID and voice recognition);
  • Information from credit reference or fraud prevention agencies, electoral roll, court records of debt judgements and bankruptcies and other publicly available sources as well as information on any financial associates I may have;
  • Family, lifestyle or social circumstances if relevant to the product or service (e.g. the number of dependants I have);
  • Education and employment details/employment status for credit and fraud prevention purposes; and
  • Personal data about other named applicants. I must have their authority to provide their personal data to you and must share this data protection statement with them beforehand together with details of what I’ve agreed on their behalf.

Providing my personal data
You’ll tell me if providing some personal data is optional, including if you ask for my consent to process it. In all other cases I must provide my personal data so you can process my application.

Monitoring of communications
Subject to applicable laws, you’ll monitor and record my calls, emails, text messages, social media messages and other communications in relation to my dealings with you. You’ll do this for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of your communications systems and procedures, to check for obscene or profane content, for quality control and staff training, and when you need to see a record of what’s been said. You may also monitor activities on my account where necessary for these reasons and this is justified by your legitimate interests or your legal obligations. 

Using my personal data: the legal basis and purposes
You’ll process my personal data:
As necessary to perform your contract with me for the relevant account, policy or service:

  • To take steps at my request prior to entering into it;
  • To decide whether to enter into it;
  • To manage and perform that contract;
  • To update your records; and
  • To trace my whereabouts to contact me about my account and recovering debt.

As necessary for your own legitimate interests or those of other persons and organisations, e.g.:

  • For good governance, accounting, and managing and auditing your business operations;
  • To search at credit reference agencies if I’m over 18 and apply for credit;
  • To monitor emails, calls, other communications, and activities on my account;
  • For market research, analysis and developing statistics; and
  • To send me marketing communications and for marketing to me in-branch, including automated decision making relating to this.

As necessary to comply with a legal obligation, e.g.:

  • When I exercise my rights under data protection law and make requests;
  • For compliance with legal and regulatory requirements and related disclosures;
  • For establishment and defence of legal rights;
  • For activities relating to the prevention, detection and investigation of crime;
  • To verify my identity, make credit, fraud prevention and anti-money laundering checks; and
  • To monitor emails, calls, other communications, and activities on my account.

Based on my consent, e.g.:

  • When I request you to disclose my personal data to other people or organisations such as a company handling a claim on my behalf, or otherwise agree to disclosures;
  • When you process any special categories of personal data about me at my request (e.g. my racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning my health, sex life or sexual orientation); and
  • To send me marketing communications where you’ve asked for my consent to do so.

I’m free at any time to change my mind and withdraw my consent. The consequence might be that you can’t do certain things for me.

Sharing of my personal data
Subject to applicable data protection law you may share my personal data with:

  • The Santander group of companies* and associated companies in which you have shareholdings;
  • Sub-contractors and other persons who help you provide your products and services;
  • Companies and other persons providing services to you;
  • Your legal and other professional advisors, including your auditors;
  • Fraud prevention agencies, credit reference agencies, and debt collection agencies when you open my account and periodically during my account or service management;
  • Other organisations who use shared databases for income verification and affordability checks and to manage/collect arrears;
  • Government bodies and agencies in the UK and overseas (e.g. HMRC who may in turn share it with relevant overseas tax authorities and with regulators e.g. the Prudential Regulation Authority, the Financial Conduct Authority, the Information Commissioner’s Office);
  • Courts, to comply with legal requirements, and for the administration of justice;
  • In an emergency or to otherwise protect my vital interests;
  • To protect the security or integrity of your business operations;
  • To other parties connected with my account e.g. guarantors and other people named on the application who will see my transactions;
  • When you restructure or sell your business or its assets or have a merger or re-organisation;
  • Market research organisations who help to improve your products or services;
  • Payment systems (e.g. Visa or Mastercard), if you issue cards linked to my account, who may transfer my personal data to others as necessary to operate my account and for regulatory purposes, to process transactions, resolve disputes and for statistical purposes, including sending my personal data overseas; and
  • Anyone else where you have my consent or as required by law.

International transfers
My personal data may be transferred outside the UK and the European Economic Area. While some countries have adequate protections for personal data under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to it. These include imposing contractual obligations of adequacy or requiring the recipient to subscribe or be certified with an ‘international framework’ of protection. Further details can be found in the ‘Using My Personal Data’ booklet.

International corridors
Where I may have international business needs, you will share information relating to my company, products and accounts, including transactional information, with Banco Santander S.A., Santander group companies and other partner banks who may be based in other countries, to better support the international operations of my company and decide whether to offer my company other products and services.
For more information on who those other Santander group companies or other partner banks are, I can contact my Relationship Team or call you on 0800 731 6666. The data shared will include information on my company’s financial position, its auditable accounts, its directors and shareholders and any information held about the company by Santander, such as information about transactions carried out on my accounts with Santander and information regarding any other products and services that I receive from you. You will do this on the basis of your legitimate interests. If I do not want you to share my data in this manner I can speak to you. Unless I have agreed otherwise, if you believe I may have international business needs you will check whether I have accounts held with other Santander group companies. If there are products or services that you or your group of companies or partner banks think may meet my needs you may tell me about these. I can amend my marketing preferences at any time by contacting you. 

Identity verification and fraud prevention checks
The personal data you’ve collected from me at application or at any stage will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify my identity. If fraud is detected, I could be refused certain services, finance or employment in future. You may also search and use your internal records for these purposes. Further details on how my personal data will be used by you and these fraud prevention agencies, and my data protection rights, can be found in the ‘Using My Personal Data’ booklet.

Credit reference checks (for credit applications only, including Business Current Accounts, Business Reserve Accounts and Business Loan Accounts)
If I’ve applied for a credit product then in order to process my application, you’ll perform credit and identity checks on me at my home and business address with one or more credit reference agencies. To do this you’ll supply my personal data to the credit reference agencies and they’ll give you information about me. When you carry out a search at the credit reference agencies they’ll place a footprint on my credit file. A credit search may be: a)  a quotation search where a soft footprint is left. This has no effect on my credit score, and lenders are unable to see this; or b) a hard footprint where I’ve agreed/requested Santander to proceed with my application for credit. This footprint will be viewable by other lenders and may affect my ability to get credit elsewhere. You’ll also continue to exchange information about me with credit reference agencies while I have a relationship with you. The credit reference agencies may in turn share my personal information with other organisations. The personal data shared with the credit references will relate to me and my business. Details about my application (whether or not it’s successful) will be recorded and you’ll give details of me, the business and my accounts and how I manage them to credit reference agencies. If I do not repay any debt in full or on time, they’ll record the outstanding debt and supply this information to others performing similar checks, to trace my whereabouts and to recover debts that I owe. Records remain on file for 6 years after they are closed, whether settled by me or defaulted. A financial association link between joint applicants or between myself and any named business partner or individual will be created at the credit reference agencies. This will link our financial records (including records of any previous and subsequent names) and be taken into account in all future applications by either or both of us until either of us apply for a notice of disassociation with the credit reference agencies.

If I am a director you will seek confirmation from the credit reference agencies that the residential address that I provide is the same as that shown on the restricted register of directors’ usual addresses at Companies House.

The identities of the credit reference agencies, and the ways in which they use and share personal information is explained in more detail in the ‘Using My Personal Data’ booklet, or via the Credit Reference Agency Information Notice (CRAIN) document which can be accessed via any of the following links:

My marketing preferences and related searches
You’ll use my home address, phone numbers, email address and social media (e.g. Facebook, Google and message facilities in other platforms) to contact me according to my preferences. I can change my preferences or unsubscribe at any time by contacting you. In the case of social media messages I can manage my social media preferences via that social media platform. If I’m over 18, you may search the files at credit reference agencies before sending marketing communications or doing marketing in-branch to me about credit. The credit reference agencies don’t record this particular search or show it to other lenders and it won’t affect my credit rating. You do this as part of your responsible lending obligations which is within your legitimate interests.

If I have previously told you that I don’t want information on other products and services or to be included in market research, you’ll continue to respect my wishes.

Automated decision making and processing
Automated decision making involves processing my personal data without human intervention to evaluate my personal situation such as my economic position, personal preferences, interests or behaviour, for instance in relation to transactions on my accounts, my payments to other providers, and triggers and events such as account opening anniversaries and maturity dates. You may do this to decide what marketing communications and marketing in-branch is suitable for me, to analyse statistics and assess lending and insurance risks. All this activity is on the basis of your legitimate interests, to protect your business, and to develop and improve your products and services, except as follows; when you do automated decision making including profiling activity to assess lending and insurance risks, this will be performed on the basis of it being necessary to perform the contract with me or to take steps to enter into that contract. Further details can be found in the ‘Using My Personal Data’ booklet.

Other information about me as a business customer
You may also hold all the information I give to you (i.e. name, address, date of birth, nationality) in order to undertake periodic due diligence checks which banks are required to undertake to comply with UK legislation.

Criteria used to determine retention periods (whether or not I become a customer)
The following criteria are used to determine data retention periods for my personal data:
Retention in case of queries. You’ll retain my personal data as long as necessary to deal with my queries (e.g. if my application is unsuccessful);
Retention in case of claims. You’ll retain my personal data for as long as I might legally bring claims against you; and
Retention in accordance with legal and regulatory requirements. You’ll retain my personal data after my account, policy or service has been closed or has otherwise come to an end based on your legal and regulatory requirements.  

My rights under applicable data protection law
My rights are as follows (noting that these rights don’t apply in all circumstances and that data portability is only relevant from May 2018):
The right to be informed about your processing of my personal data;
The right to have my personal data corrected if it’s inaccurate and to have incomplete personal data completed;
The right to object to processing of my personal data;
The right to restrict processing of my personal data;
The right to have my personal data erased (the “right to be forgotten”);
The right to request access to my personal data and information about how you process it;
The right to move, copy or transfer my personal data (“data portability”); and
Rights in relation to automated decision making including profiling.

I have the right to complain to the Information Commissioner’s Office. It has enforcement powers and can investigate compliance with data protection law:

For more details on all the above I can contact your DPO or request the ‘Using My Personal Data’ booklet by asking for a copy in branch or online at

Data anonymisation and aggregation
My personal data may be converted into statistical or aggregated data which can’t be used to identify me, then used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described above.

*Group companies
For more information on the Santander group companies, please see the ‘Using My Personal Data’ booklet.

Santander UK plc. Registered Office: 2 Triton Square, Regent's Place, London, NW1 3AN, United Kingdom. Registered Number 2294747. Registered in England and Wales. Telephone 0800 389 7000. Calls may be recorded or monitored. Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Our Financial Services Register number is 106054. You can check this on the Financial Services Register by visiting the FCA’s website Santander and the flame logo are registered trademarks.