Data Protection Statement

Introduction
Your personal data is data which by itself or with other data available to us can be used to identify you. We are Santander UK plc, the data controller. This data protection statement sets out how we’ll use your personal data. You can contact our Data Protection Officer (DPO) at 201 Grafton Gate East, Milton Keynes, MK9 1AN if you have any questions.

Where there are two or more people named on this form, this data protection statement applies to each person separately.

The types of personal data we collect and use
Whether or not you become a customer, we’ll use your personal data for the reasons set out below and if you become a customer we’ll use it to manage the account, policy or service you’ve applied for. We’ll collect most of this directly during the application journey. The sources of personal data collected indirectly are mentioned in this statement. The personal data we use may include:

  • Full name and personal details including contact information (e.g. home address and address history, email address, home, work and mobile telephone numbers);
  • Date of birth and/or age (e.g. to make sure that you’re eligible to apply);
  • Financial details (e.g. salary and details of other income, and details of accounts held with other providers);
  • Records of products and services you’ve obtained or applied for, how you use them and the relevant technology used to access or manage them (e.g. mobile phone location data, IP address, MAC address);
  • Information from credit reference or fraud prevention agencies, electoral roll, court records of debt judgements and bankruptcies and other publicly available sources as well as information on any financial associates you may have;
  • Family, lifestyle or social circumstances if relevant to the product or service (e.g. the number of dependants you have);
  • Education and employment details/employment status for this PPI query/complaint, and;
  • Personal data about other named applicants. You must have their authority to provide their personal data to us and share this data protection statement with them beforehand together with details of what you’ve agreed on their behalf.

Providing your personal data
We’ll tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases you must provide your personal data so we can process your query / complaint (unless you’re a customer and we already hold your details).

Monitoring of communications
Subject to applicable laws, we’ll monitor and record your calls, emails, text messages, social media messages and other communications in relation to your dealings with us. We’ll do this for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications systems and procedures, to check for obscene or profane content, for quality control and staff training, and when we need to see a record of what’s been said. We may also monitor activities on your account where necessary for these reasons and this is justified by our legitimate interests or our legal obligations.

Using your personal data: the legal basis and purposes
We’ll process your personal data:

1. As necessary to perform our contract with you for the relevant account, policy or service:

a) To take steps at your request prior to entering into it;
b) To decide whether to enter into it;
c) To manage and perform that contract;
d) To update our records; and
e) To trace my whereabouts to contact you about your account and recovering debt.

2. As necessary for our own legitimate interests or those of other persons and organisations, e.g.:

a) For good governance, accounting, and managing and auditing your business operations;
b) To search at credit reference agencies if you’re over 18 and apply for credit;
c) To monitor emails, calls, other communications, and activities on your account;
d) For market research, analysis and developing statistics; and

3. As necessary to comply with a legal obligation, e.g.:

a) When you exercise your rights under data protection law and make requests;
b) For compliance with legal and regulatory requirements and related disclosures;
c) For establishment and defence of legal rights;
d) For activities relating to the prevention, detection and investigation of crime;
e) To verify your identity, make credit, fraud prevention and anti-money laundering checks; and
f) To monitor emails, calls, other communications, and activities on your account.

4. Based on your consent, e.g.:

a) When you request us to disclose your personal data to other people or organisations such as a company handling a claim on your behalf, or otherwise agree to disclosures; and 
b) When we process any special categories of personal data about you at your request (e.g. your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation).

You’re free at any time to change your mind and withdraw your consent. The consequence might be that we can’t do certain things for you.  

Sharing of your personal data
Subject to applicable data protection law we may share your personal data with:

  • The Santander group of companies* and associated companies in which we have shareholdings;
  • Sub-contractors and other persons who help us provide our products and services;
  • Companies and other persons providing services to us;
  • Our legal and other professional advisors, including our auditors;
  • Fraud prevention agencies, credit reference agencies, and debt collection agencies when we open your account and periodically during your account or service management;
  • Other organisations who use shared databases for income verification and affordability checks and to manage/collect arrears;
  • Government bodies and agencies in the UK and overseas (e.g. HMRC who may in turn share it with relevant overseas tax authorities and with regulators (e.g. the Prudential Regulation Authority, the Financial Conduct Authority, the Information Commissioner’s Office);
  • Courts, to comply with legal requirements, and for the administration of justice;
  • In an emergency or to otherwise protect your vital interests;
  • To protect the security or integrity of our business operations;
  • To other parties connected with your account e.g. guarantors and other people named on the application including joint account holders who will see your transactions;
  • When we restructure or sell our business or its assets or have a merger or re-organisation;
  • Anyone else where we have your consent or as required by law.

Automated decision making and processing
Automated decision making involves processing your personal data without human intervention to evaluate your personal situation such as your economic position, personal preferences, interests or behaviour, for instance in relation to transactions on your accounts, your payments to other providers, and triggers and events such as account opening anniversaries and maturity dates. We may do this to determine the amount of refunds payable to you and, to analyse statistics. Further details can be found in the ‘Using My Personal Data’ booklet.

Criteria used to determine retention periods (whether or not you become a customer)
The following criteria are used to determine data retention periods for your personal data:

  • Retention in case of queries. We’ll retain your personal data as long as necessary to deal with your queries (e.g. if your application is unsuccessful);
  • Retention in case of claims. We’ll retain your personal data for as long as you might legally bring claims against us; and
  • Retention in accordance with legal and regulatory requirements. We’ll retain your personal data after your account, policy or service has been closed or has otherwise come to an end based on our legal and regulatory requirements.

Your rights under applicable data protection law
Your rights are as follows (noting that these rights don’t apply in all circumstances and that data portability is only relevant from May 2018):

  • The right to be informed about our processing of your personal data;
  • The right to have your personal data corrected if it’s inaccurate and to have incomplete personal data completed;
  • The right to object to processing of your personal data;
  • The right to restrict processing of your personal data;
  • The right to have your personal data erased (the “right to be forgotten”);
  • The right to request access to your personal data and information about how we process it;
  • The right to move, copy or transfer your personal data (“data portability”); and
  • Rights in relation to automated decision making including profiling.

You have the right to complain to the Information Commissioner’s Office. It has enforcement powers and can investigate compliance with data protection lawico.org.uk.

For more details on all the above you can contact our DPO or request the ‘Using My Personal Data’ booklet by asking for a copy in branch or online at santander.co.uk.

Data anonymisation and aggregation
Your personal data may be converted into statistical or aggregated data which can’t be used to identify you, then used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described above.

*Group companies
For more information on the Santander group companies, please see the ‘Using My Personal Data’ booklet.