Your personal data is data which by itself or with other data available to us can be used to identify you. We are Santander UK plc, the data controller. This data protection statement sets out how we’ll use your personal data. You can contact our Data Protection Officer (DPO) at 201 Grafton Gate East, Milton Keynes, MK9 1AN if you have any questions.
Where there are two or more people named on this form, this data protection statement applies to each person separately.
The types of personal data we collect and use
Whether or not you become a customer, we’ll use your personal data for the reasons set out below and if you become a customer we’ll use it to manage the account, policy or service you’ve applied for. We’ll collect most of this directly during the application journey. The sources of personal data collected indirectly are mentioned in this statement. The personal data we use may include:
Providing your personal data
We’ll tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases you must provide your personal data so we can process your query / complaint (unless you’re a customer and we already hold your details).
Monitoring of communications
Subject to applicable laws, we’ll monitor and record your calls, emails, text messages, social media messages and other communications in relation to your dealings with us. We’ll do this for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications systems and procedures, to check for obscene or profane content, for quality control and staff training, and when we need to see a record of what’s been said. We may also monitor activities on your account where necessary for these reasons and this is justified by our legitimate interests or our legal obligations.
Using your personal data: the legal basis and purposes
We’ll process your personal data:
1. As necessary to perform our contract with you for the relevant account, policy or service:
a) To take steps at your request prior to entering into it;
b) To decide whether to enter into it;
c) To manage and perform that contract;
d) To update our records; and
e) To trace my whereabouts to contact you about your account and recovering debt.
2. As necessary for our own legitimate interests or those of other persons and organisations, e.g.:
a) For good governance, accounting, and managing and auditing your business operations;
b) To search at credit reference agencies if you’re over 18 and apply for credit;
c) To monitor emails, calls, other communications, and activities on your account;
d) For market research, analysis and developing statistics; and
3. As necessary to comply with a legal obligation, e.g.:
a) When you exercise your rights under data protection law and make requests;
b) For compliance with legal and regulatory requirements and related disclosures;
c) For establishment and defence of legal rights;
d) For activities relating to the prevention, detection and investigation of crime;
e) To verify your identity, make credit, fraud prevention and anti-money laundering checks; and
f) To monitor emails, calls, other communications, and activities on your account.
4. Based on your consent, e.g.:
a) When you request us to disclose your personal data to other people or organisations such as a company handling a claim on your behalf, or otherwise agree to disclosures; and
b) When we process any special categories of personal data about you at your request (e.g. your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation).
You’re free at any time to change your mind and withdraw your consent. The consequence might be that we can’t do certain things for you.
Sharing of your personal data
Subject to applicable data protection law we may share your personal data with:
Automated decision making and processing
Automated decision making involves processing your personal data without human intervention to evaluate your personal situation such as your economic position, personal preferences, interests or behaviour, for instance in relation to transactions on your accounts, your payments to other providers, and triggers and events such as account opening anniversaries and maturity dates. We may do this to determine the amount of refunds payable to you and, to analyse statistics. Further details can be found in the ‘Using My Personal Data’ booklet.
Criteria used to determine retention periods (whether or not you become a customer)
The following criteria are used to determine data retention periods for your personal data:
Your rights under applicable data protection law
Your rights are as follows (noting that these rights don’t apply in all circumstances and that data portability is only relevant from May 2018):
You have the right to complain to the Information Commissioner’s Office. It has enforcement powers and can investigate compliance with data protection law: ico.org.uk.
For more details on all the above you can contact our DPO or request the ‘Using My Personal Data’ booklet by asking for a copy in branch or online at santander.co.uk.
Data anonymisation and aggregation
Your personal data may be converted into statistical or aggregated data which can’t be used to identify you, then used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described above.
For more information on the Santander group companies, please see the ‘Using My Personal Data’ booklet.