Fair Processing Notice
We're committed to processing your personal data fairly and lawfully
When you bank or work with us, we collect, store and process data about you.
Our Fair Processing Notice, also sometimes known as a Privacy Notice, explains, amongst other things, what data we collect, why we collect it, what we do with it and, importantly, it explains your rights to your data.
- We’ll only process your data where we have a lawful basis and it is fair to do so.
- We’ll only process your data for the purpose we have told you that we will do so.
- We’ll only process the minimum data that is necessary and won’t collect anything that is not necessary.
- We’ll make sure that the data we have about you is accurate and kept up-to-date.
- We won’t keep your data any longer than is necessary.
- We’ll take responsibility for the data we hold about you and we’ll keep it secure.
We’re committed to being transparent about how we process your data so, here’s a link to our full Fair Processing Notice (Privacy Notice) – and it explains everything you need to know. Have a thorough read through to find out more about how we process your data and your rights.
Our data protection officer is Scott Southgate.
You can:
- write to him at Data Protection Officer, Hampshire Trust Bank Plc, 80 Fenchurch Street, London EC3M 4BY
- or email him at [email protected].
About this Fair Processing Notice
- Who we are
- How to contact our data protection officer
- What kinds of personal data we collect and hold about you and where we get it from
- Why we collect your personal data and what we use it for
- The legal basis upon which we collect, process and store your personal data
- Where your personal data is stored and processed
- Who we share your personal data with, what personal data we share and why we do so
- How long we will store your personal data
- Your rights to your personal data and, in particular:
- your right of access to your personal data
- your right of rectification to your personal data
- your right of erasure of your personal data (also known as the right to be forgotten)
- your right to have processing of your personal data restricted
- your right to object to the processing of your personal data
- your right to data portability
- your right not be subject to automated decision making and profiling
- your right to complain to The Information Commissioner
- Important information for children
Note: You have the right to object to us processing your personal data – please see section 9(e) below
Who we are
We are the HTB Group of companies, comprising Hampshire Trust Bank Plc and Wesleyan Bank Limited. Hampshire Trust Bank plc and Wesleyan Bank Limited are registered in England and Wales under company number 01311315 and 2839202 respectively and we have our registered offices at 80 Fenchurch Street, London EC3M 4BY.
We are the data controller for information that you provide to us and of information that we hold about you from third parties.
How to contact our data protection officer
You can contact our data protection officer in one of the following ways:
- by writing to our data protection officer at Data Protection Officer HTB Group 80 Fenchurch Street, London EC3M 4BY
- by sending an e-mail to our data protection officer at [email protected]
What kinds of personal data we collect and hold and where we get it from
We will collect and process the following categories of personal data:
- Identification information such as name, address, date of birth, nationality and other information from passports, driving licence and other identity documents
- Contact information such as address, telephone numbers and e-mail addresses and contact preferences
- Financial and credit information such as your credit history, credit scores, transaction and payments history, your financial circumstances, including personal wealth, assets and liabilities, proof of income and expenditure, credit and borrowing history and needs and goals, tax status
- Bank account information such as account number and sort code
- Background information such as information about your education, employment and business
credentials and information as well as information about your family, lifestyle and social circumstances - Product and service information such as the products and services applied for, how the products and services have been provided and managed and the operation of your account or agreement such as account balance, payments, interest rate and withdrawals or payments;
- Visual images and personal appearance (such as photos, copies of passports or CCTV images) and voice recordings
- Property information (where we are providing property funding) such details of the property, its use, location, valuation, insurance, housing certification ratings and tenancy information (if tenanted)
- Vehicle and asset information (where we are funding vehicles and assets) including details of the vehicle or asset, its use, location, valuation, insurance and emissions data
- Information about your professional advisers and representatives such as who they are and the capacity in which they act for you
- Online profile and social media information and activity, based on your interaction with us and our websites and applications, such as your banking profile and login information, Internet Protocol (IP) address, smart device information, location coordinates, online and mobile banking security authentication, mobile phone network information, searches and site visits
- References and opinions such as references about you or your views and opinions on us, our products and services
- Special Category Data - We may process the following types of special category data for specific and limited purposes, such as to make our services accessible to customers or for reporting of complaints for regulatory purposes, or where it is in the wider public interest (for example, to ensure good customer outcomes for vulnerable customers, protect customers’ economic wellbeing or to prevent and detect unlawful acts, fraud and financial crime). We will only process special categories of information where we’ve obtained your explicit consent or are otherwise lawfully permitted to do so. This may include information revealing:
-
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Biometric data
- Information concerning health
- Data concerning a person’s sex life and sexual orientation
-
Apart from information concerning health which is necessary for us to process in order for us to meet our obligations to provide good customer outcomes to vulnerable customers, we don’t aim to collect special category data and it usually only comes into our possession because it is incidental to other information provided to us or can be inferred from information provided to us.
Criminal Offence Data - Where permitted by law, we may process information about criminal convictions, criminal offences, related security details, alleged offences including unproven allegations, spent or previous convictions, or other details provided in relation to a criminal reference check or similar.
We obtain personal data from a number of sources, including:
- Directly from you
- From third parties acting on your behalf such as employees, family members, brokers, valuers, solicitors and other professional advisers
- From third parties acting for us such as valuers, solicitors and other professional advisers
- From third parties such as credit reference, fraud prevention, law enforcement or government agencies
- Industry and trade bodies
- Other banks
- Information that we gather from publicly available sources, such as Companies House, HM Land Registry, the press, the electoral register, online search engines and information that you make public on social media
- Information we learn about you through our relationship, the way you operate your account, the way you interact with us, use our website and technology to access our products and services.
Why we collect your personal data and what we use it for
We collect and process your personal data so that we can:
- Identify and verify our customers
- Contact our customers
- Provide our products and services, manage them effectively and provide good customer outcomes
so that we can market our products and services - Maintain and improve the quality of our products and services
- Fulfil our legal and regulatory obligations
- Manage our risk
- Enforce, protect and defend our legal rights
- Recover our assets and recover amounts owing to us
- Protect the interests and wellbeing of our customers and staff
The legal basis upon which we collect, process and store your personal data
We will only process personal data where we have a lawful basis to do so. The lawful bases that do so are one of the following:
- We have a legitimate interest to do so
- We have your consent to do so
- To fulfil or comply with our obligations under a contract we have with you or where this is for your benefit
- To make a legal claim or to defend a legal claim
- To protect your vital interests.
We explain this further below.
The UK’s data protection law allows the use of personal data where its purpose is legitimate and isn’t outweighed by the interests, fundamental rights or freedoms of data subjects. The law calls this the legitimate interests condition for personal data processing.
As explained above, we only collect, use and store the minimum amount of personal data that is necessary for us achieve the purposes explained in section 4 (Why we collect your personal data and what we use it for). Accordingly, the primary basis that we collect, use and store you information is because we have a legitimate interest to do so as a regulated bank providing these products and services to our customers.
Our legitimate interests include:
- To act as a prudent and responsible lender and financial institution
- To undertake identity checks, reference checks, credit checks and risk assessments
- To help combat financial crime including tax evasion, bribery, fraud and money-laundering
- To maintain effective technology platforms that underpin our business
- To maintain network and information security
- To meet our legal and regulatory obligations
- To protect and defend our legal rights
- To maintain accurate records including customer preferences
- To enhance, modify and improve our products and services
- For direct marketing (except if we have asked you for your consent and you have not given it to us)
to manage third party relationships - To pursue our commercial objectives as a bank where this does not override your rights and freedoms as a data subject.
When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests - we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
If we have asked you for your consent to process your information for marketing purposes and you have not given it to us then we will not process your information for marketing purposes. If we process your personal data for marketing purposes either with your consent or under the soft opt-in principle and you decide that you do not wish to receive marketing from us then we will stop processing your information for marketing purposes at any time you tell us that you no longer wish to receive marketing from us.
We may process some of your personal information on the basis of your consent in some circumstances. Where we do so we will, before we process your information on the basis of your consent, first explain what data we wish to process, why we wish to process that data, how we will process that data and your rights, in particular your right to withdraw your consent, and we will ask you whether you consent to our processing your information in that way.
We may process some of your personal information where this is necessary for us to either fulfil or comply with our obligations to you under a contract we have with you or where this if for your benefit. The particular circumstances will depend on the contract we have and what we have agreed to do in the relevant contract. Examples of this could include where we are providing your information to a payee where we are making a payment on your behalf or dealing with a supplier of equipment we are financing for you or engaging with properly valuers to obtain the valuation necessary for us to finance your property purchase.
We may process your information where this is necessary to establish if we have a legal claim, to make a legal claim or to defend a legal claim and includes, for example, where we take enforcement action under a facility or our security or defend claims by third parties. This will include court proceedings as well as any judicial procedure, including in any administrative or out-of-court procedures and also procedures instigated by regulatory bodies.
We may on very rare occasions process your information where this is necessary to protect your vital interests. This could include, for example, if you attended our premises and had an accident and we needed to call for urgent medical help for you or let people know or where we were concerned that you were suffering a mental health issue which meant you were unable to make your own decisions and we were concerned that your financial interests were in severe and imminent danger.
Where your personal data is stored and processed
We are based in the UK and our staff are based in the UK and most of the day-to-day processing of your personal information takes place in the UK. However, your personal information may be processed by us or one of our appointed suppliers outside of the UK in the following circumstances:
- If you are a foreign national, your personal information may be processed in the relevant country necessary for us to verify your identity, your contact information and address, establish your credit worth and to ensure that you are not a financial crime risk.
- If you have provided us with security for a facility and the security is outside of the UK we will process the relevant information necessary to ensure that our security interests are protected and/or if we have to enforce those rights.
- Where an asset we are acquiring or financing for you is supplied from outside the UK or is taken outside the UK and it is necessary to provide your information in connection with that supply or a recovery.
- We use third party suppliers providing either services, software-as-a-service, cloud based data storage or data processing services where the suppliers themselves or the servers that house that data are located in the European Economic Area.
- Some of our suppliers and some of their suppliers have sub-suppliers in the European Economic Area and in countries outside of the European Economic Area.
- Where we must defend or enforce our legal rights in a country outside of UK, such as recovery from a guarantor resident outside of UK.
While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, if we do send personal data outside of the European Economic Area we will make sure suitable safeguards are in place in accordance with UK data protection requirements, to protect the data. For example, these safeguards might include:
- Sending the data to a country that’s been approved by the UK authorities as having a suitably high standard of data protection law. Examples include the European Economic Area, Isle of Man, Switzerland and Canada.
- Putting in place a contract with the recipient containing terms approved by the UK authorities as providing a suitable level of protection.
- Carrying out an international transfer risk assessment to assess the risk of transferring the personal data to the relevant country and assessing whether there are additional safeguards that could be put in place to make the transfer more secure.
- Sending the data to an organisation which is a member of a scheme that’s been approved by the UK authorities as providing a suitable level of protection. One example is Binding Corporate Rules.
If your data has been sent abroad like this, you can find out more about the safeguards used from us.
Whenever fraud prevention agencies transfer your personal data outside of the UK / European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the UK / European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
Who we share your personal information with, what personal data we share and why we do so
We do not sell any of your information to third parties, we will not give anyone your information so that they can market to you.
We may share your information with the following types of third parties:
- Official Bodies and Regulators – We may share data with law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory or trade bodies around the world. We may also share information with our regulators in order to meet our regulatory reporting obligations, for example, we share information about you and your account balances with the Bank of England’s for the purposes of protecting deposits under the Financial Services Compensation Scheme. We will only share the information about you with our regulators that is necessary to meet our legal and regulatory obligations.
- Credit Reference and Fraud Prevention Agencies - In order to receive credit and financial crime check information about you from credit reference agencies we are required, on a reciprocal basis, to share information about you with those credit reference and fraud prevention agencies.
We will pass your details on to credit reference agencies and fraud prevention agencies and we will receive scores and reports from them. You will receive a copy of the Credit Reference Agency Information Notice when you make an application to us which will explain how the three main credit reference agencies Callcredit, Equifax and Experian each use and share personal data they receive about you and/or your business that is part of or derived from or used in credit activity. You can also download or read it by visiting http://www.experian.co.uk/crain/
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime. Please note that fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services or financing to you. If you have any questions about this, please contact us on the details provided.
Searches we make with credit reference agencies will leave a ‘footprint’ on your file and we will also provide them with information relating to your performance under your agreement with us. These ‘footprints’ and performance details may be accessed by other financial companies in connection with any applications for credit that you may make to them and may affect your ability to obtain credit with them.
Your application will be assessed using credit reference agency records relating to anyone with whom you have a joint account or similar financial association. Where you make a joint application and such a link does not already exist then one may be created. These links will remain until you file a “notice of disassociation” at the credit reference agencies.
- Identification Checks - We use third party suppliers to help us verify your identity. We will provide them with information about your identity that you have provided to us and they will verify the information from databases that either they hold themselves or from other official sources. For foreign nationals, this may include verifying the information from third parties or records in the relevant country.
- Service Providers and Suppliers - We may, from time to time, employ the services of third parties to help us run and manage our business, provide our products and services to you or to help us meet our regulatory and reporting obligations and it may be necessary to provide them with some of your personal data in order for them to provide us with the required services.
- Technology Suppliers - We also provide your information to suppliers of technology service providers who provide the technology infrastructure necessary to run and manage our business, including for example, suppliers who provide our customer account management platforms, our payments systems, our reporting systems, our broker portals and our data analysis and storage facilities.
- Marketing and Survey Companies - We may use the services of online marketing company to send you e-mails about us and relevant products and services we offer. To enable them to send you the e-mails, we provide them with your name and e-mail address and details of the relevant products and services. If you have told us that you do not wish to receive marketing information from us by e-mail then we will not send them any information about you and you will not receive these emails from them.
We are constantly trying to improve our products and services and we may use the services of an online customer satisfaction survey company to gather your feedback and reviews about us. To enable them to send you the e-mail survey request, we provide them with your name and e-mail address and details of the relevant products and services. If you have told us that you do not wish to receive marketing information from us by e-mail then we will not send them any information about you and you will not receive these emails from them.
- Our Auditors - We may be required to share information about you with our auditors in order to verify to them that you are our customer, that the information in our accounts and the information that we share with our regulators is accurate.
- Other banks or financial institutions - We may transfer or assign our rights in your account or facility to another bank or financial institution and in that case we may provide them with your information. It may also be necessary to share information in order to facilitate payments.
- Professional Advisers - We use professional advisers, such as solicitors, valuers, quantity surveyors, insurance advisers to help us provide our products and services and to defend and enforce our legal rights and we will provide them with personal information necessary for them to provide their services.
- Collections Agents, Receivers, etc - We will use the services of collections agents and receivers to recover sums of money due to us and/or to recover and sell property or assets that are either owned by us or secured to us.
- Legal obligations - We may be required to provide information about you where we are required to do so to meet a legal obligation, for example, where we are required to do so under a court order.
- Sale / Re-Organisation - We may share data where required for a proposed or actual sale, reorganisation, transfer, financial arrangement, asset disposal or other transaction relating to our business and/or assets held by our business. Where such data is shared with a third party, it is done so under strict duties of confidentiality.
How long we will store your personal data
We will only use your information for as long as we need it in order to provide you with the products and services you have with us.
As soon as you have closed your account and we have finalised our administrative work to close the account then we will hold your information in secure storage until we are permitted by law and regulation to permanently erase it.
To comply with our current legal, regulatory and financial crime records retention obligations, we will hold your information for a period of:
- six years after your account has been closed;
- six months if you applied for one of our products or services but withdrew your application or were unsuccessful in your application;
These periods will be extended if your information is needed in relation to any civil or criminal proceedings or if we are required to hold it for longer for legal or regulatory reasons or by our regulators, law enforcement agencies or the courts.
Your rights to your personal data
We recognise that your information is your information - it does not belong to us. You have a number of important rights which put you in control of your information. To help you understand your rights, we will explain them below.
a. Your right of access to your personal data
You can ask us at any time to tell you what personal data we hold about you and we will do so, without undue delay, and in any event within one month of receipt of your request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We will tell you of any such extension within one month of receipt of your request, together with the reasons for the delay. Where you make the request by electronic form means, we will provide the information by electronic means where possible, unless otherwise requested by you.
We will not charge you any fee for providing this information (unless the request is manifestly unfounded or excessive, in which case we may charge you a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested alternatively we may be entitled to refuse the request). If you request more than one copy of the information then we may charge you a reasonable fee for the administration of producing the additional copies.
We may ask you to provide us with information to verify your identity before providing you with the information requested.
b. Your right of rectification to your personal data
You have the right to have any personal data that we hold about you corrected if it is wrong or completed if it is incomplete. To have it corrected or completed, simply tell us what information is wrong or incomplete and give us the correct and complete information. We will update or complete it without undue delay. We may ask you to provide supporting evidence to verify the information you are giving to us for example, proof of address where you tell us that the address details we hold about you are wrong.
c. Your right of erasure of your personal data (also known as the right to be forgotten)
In some circumstances you have the right to have the personal data that we hold about you permanently erased. You will have this right (1) when it is no longer necessary for us to process your personal data or (2) if there is no legal basis for us to process your personal data or (3) if we unlawfully process your personal data or (4) to comply with a legal obligation to which we are subject. If you believe that any of these circumstances apply to you then please tell us and we will ensure that your personal data is permanently erased without undue delay if one of these circumstances do exist.
Where we permanently erase your personal data we will also take reasonable steps to inform any third parties to whom we have provided your personal data of your request to have the personal data erased.
d. Your right to have processing of your personal data restricted
In some circumstances you have the right to have the processing of your personal data restricted. You will have this right:
- if you tell us that your personal data is inaccurate, for a period enabling us to verify its accuracy; or
- if we are not processing your personal data lawfully and you tell us that you would rather have us restrict the processing than erase it; or
- we no longer need your personal data but you need us to store it because you need it for the establishment, exercise or defence of legal claims; or
- if you have objected to us processing your personal data, for a period enabling us to verify whether the legitimate grounds on which we are processing it override your grounds for objection.
This is not an absolute right, and your personal data may still be processed where certain grounds exist. This is:
- with your consent;
- for the establishment, exercise, or defence of legal claims;
- for the protection of the rights of another natural or legal person;
- for reasons of important public interest.
Only one of these grounds needs to be demonstrated to continue data processing.
We will consider and respond to requests we receive, including assessing the applicability of these exemptions.
We will tell you once a restriction on processing has been applied and before lifting any restriction.
Where we restrict the processing of your personal data we will also take reasonable steps to inform any third parties to whom we have provided your personal data of your request to have the personal data restricted.
e. Your right to object to the processing of your personal data
As explained in this Fair Processing Notice, we process your personal data because we have either a legitimate interest in doing so or another lawful basis to do so as explained in this Fair Processing Notice. However, you have the right object to us processing your personal data, on grounds relating to your particular situation. If you object then we will stop processing your personal data unless we can show compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. For example, where we detect fraud it is unlikely that your objection may prevent us supplying that information to fraud prevention agencies and legal authorities. Another example is that it is unlikely that your objection may prevent us reporting to the regulator in relation to your account even if you object to us processing your personal data.
The only exception to this relates to where you have previously given consent to us (e.g. to market to you) and you change your mind and object to us using your personal data for that purpose. In this case we will without undue delay stop the processing and we will take your objection as a withdrawal of that consent and we will update your preferences.
f. Your right to data portability
New data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it’s processed on certain grounds, such as consent. This is unlikely to be a right that will apply to your personal data because we process your personal data primarily on the grounds of legitimate interests however you may check whether we process any of your data on a basis that gives you a right to data portability.
g. Your right to not be subject to automated decision making and profiling
New data protection legislation also contains a right not be subject to a decision based solely on automated processing. We do not make any decisions based solely on automated processing.
h. Your right to complain to the Information Commissioner
If you are not satisfied with the way that we have processed your personal data or the way that we have dealt with you when exercising any of your rights then you may follow our complaints procedure by following this link https://www.htb.co.uk/complaints
You may also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:
- Phone on 0303 123 1113
- Writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
- Going to their website at www.ico.org.uk
Important information for children
We do not offer products or services to children – i.e. anyone under the age of 18. However, we may collect and process information about children when it is necessary and/or incidental to the provision of our products and services. Examples of this include where children are beneficial owners of an account or a company which is our customer and in these circumstances we process the child’s personal data to so that we can properly understand who is our customer and meet our combating financial crime obligations.
We will not send marketing information to children.
If you are a child whose personal data we hold then please be aware that this Fair Processing Notice also relates to you and you should read it so that you understand how we process your personal data.
Please note that children have the same rights to their personal data, as explained in this Fair Processing Notice, as an adult.