Welcome to YBS Share Plans

An organisation that decides how the personal data it collects and holds is used is called a ‘data controller’. We call this use of personal data ‘processing’ – this includes the collection, storage, analysis, sharing, retention and disposal of personal data. We will be the data controller.

As a Data Controller, we are registered with the Information Commissioner's Office (ICO) - the organisation in the UK that oversees that an organisation is acting accordingly when processing personal data. Our registration numbers are:

Z9006086
Z5217596

YBS provides share plan trustee and administration services, including deposit taking, all of which are subject to English law, with deposit taking being regulated by the Financial Conduct Authority. The provision of share plan trustee and administration services is not regulated by the Financial Conduct Authority. We are not responsible for share plan deposits held by local savings carriers outside the UK. This notice applies to all of the following services:

Sharesave (UK SAYE)
Global Sharesave
Sharesave – Republic of Ireland (Irish SAYE)

The table below shows our role for each type of service.

	Administrator	Trustee	Deposit taker
Sharesave (UK and Irish)	✔	✘	✔
Global Sharesave - deposit	✔	✘	✔
Global Sharesave - managed*	✔	✘	✘
Deposit taking only (UK SAYE and Irish SAYE)**	✘	✘	✔

* If you don’t pay money to YBS each month and just receive documents/e-forms from us, this will be you.

** You will likely be included in this scheme if another provider has provided an administration portal and/or sends you share plan documents since the start of your savings contract.

In order that we can provide you with a high quality service and, where applicable, enter into a relationship with you, we will need to obtain and use personal data about you. Without this, we may not be able to provide you with one of our services or deal with your queries effectively.

We require personal data in order to verify/validate you and for security purposes. If you do not provide us with this, we may not be able to provide you with services or communicate with you effectively. Some of our terms and conditions require you to provide us with personal data, such as informing us of a change of address so that we can provide you with statutory information relating to your account.

We collect and use a variety of personal data to run our business and manage our relationship with you. The table below shows the typical categories of personal data we ask you for and why we may ask for it. You will find more specific information in the ‘How do we use your personal data?’ section:

What will we collect?	How we may use it
Bank details (including IBAN and Swift Code)	We use your these details to make any payments due to you.
Call recordings	It is important that we provide the best possible service to you. This might mean that we log and record calls you make to us to resolve any discrepancies or issues that inevitably crop up from time to time. We may also record calls for training and monitoring purposes, including meeting our legal obligations.
CREST ID/Nominee identifier	We use your CREST ID to arrange the transfer of shares from the Corporate Sponsored Nominee account to your individual Nominee account.
Date of birth and/or age	We will use this to identify and verify (validate) you.
Direct marketing preferences	We may ask you if you wish to receive notifications from us about our services that may be of interest to you. We will only do this where we have your explicit consent and will only contact you by methods you have chosen (e.g. post, phone, text, email).
Driving licence, passport or other identification	When requesting changes to personal data e.g. name, address, we use this to verify your identity in accordance with our internal procedures.
Email address and phone number	We use your email address and phone number to: Contact you about your account(s) Notify you about changes to our services Issue statements or other share scheme documentation to you Send you marketing information (where you have consented) Enable you to register for online services Enable you to register your interests for new product or service updates that we may offer.
Employment details	For certain services, we may collect details of your employment, including your start date, employment location, employment status i.e. leaver details and date, and employee ID, so that we can verify (validate) you, check your eligibility for one or more of our services and to manage your account effectively.
Gender	Sometimes, it will be necessary for us to use your gender in order to: Identify and verify you for reporting purposes (e.g. demographics and statistics)
How you interact with us	We may record how you interact with us currently or in the past in order to give you the best service and prevent fraud. This can include whether you have carried out a transaction over the phone or over the internet for example.
Name(s), title, address, previous addresses, gender	We use this: To identify and verify (validate) you To manage and administer your accounts and relationship with us Contact you about your account(s) Notify you about changes to our services Issue statements or other share scheme documentation to you Send you marketing information (where you have consented) To meet our legal and regulatory obligations To allow EBT providers and nominees to comply with financial crime regulations (name).
National insurance number	We use this to verify (validate) your identity and to allow Brokers to comply with stock market reporting obligations.
Nationality and national identifier data	We use this to allow Brokers to comply with stock market reporting obligations and, for nationality, to meet our legal and regulatory obligations.
Place of birth	We may collect details on your place of birth in order to authenticate and verify you when you contact us and to prevent fraud.
Tax status	Where applicable, we will use this for identifying your tax status. If you are a tax resident overseas or a US citizen, you are required to complete a declaration and we are obliged to report the information relating to you and your account(s) to HM Revenue and Customs (HMRC). HMRC may share the information with the relevant tax authorities.

From time to time, we may need to ask for personal data that might seem sensitive. This is known as ‘special category data’. In general we do not collect special category data about you, but sometimes the personal data we collect may reveal this. This could include information on:

race or ethnicity
health, including any medical condition, health and sickness or vulnerability

Depending on the service(s) we provide to you, we obtain your personal data in the following ways:

Service	Who from?	Details
Sharesave (UK and Irish) Global Sharesave - Deposit Global Sharesave - Managed	Directly from you	We obtain personal data directly from you: When you apply for our services online or on the phone. When you register to allow you to use online services. When you update your information (such as when you change your address). When you speak to us on the phone (we may record some calls for training and quality purposes). When using our websites, online web chat services and any digital or mobile app we may offer now or in the future. When you send letters, emails or other documents to us. When we use information that you’ve made public such as tweets or social media content too (e.g. when you interact with our social media profiles, on Twitter, or referenceYorkshire Building Society or Share Plans in a ‘tweet’).
UK SAYE Global Sharesave - Deposit Global Sharesave - Managed Deposit taking only (UK SAYE and Irish SAYE)	From a third party acting on your behalf	We obtain personal data relating to you from third parties to invite you to join a scheme and to enable us to provide our services to you. This can include: Your employer Your personal representatives. Your share plans administrator (UK and Irish SAYE deposit taking only) Another share plan administrator (all SAYE except deposit taking only and managed) Your Local Co-Ordinator (for Global Sharesave - managed services)
All services	From other third parties	We collect personal data relating to you from third parties including: Regulators such as the Financial Conduct Authority (FCA) Tracing agents acting our behalf The Official Receiver/Insolvency Practitioners Individuals acting under a Power of Attorney Personal Representatives

In almost all cases, we’ll ask for your explicit consent before collecting special category data unless we are required to by law (for example, for employment law purposes), there is an overriding public interest, or where we believe you or someone else may be at risk.

If you contact us and share this type of information, then we’ll assume that you’re happy for us to record it – unless you tell us not to. If someone acting on your behalf provides this information, we’ll record what’s been provided and who gave it to us.

Where we have relied on your explicit consent, you have the right to withdraw your consent to us recording and using special category data at any time. This will not affect any use we have made of the information before you withdrew your consent.

From time to time, we might need to collect or use personal data about individuals who aren’t our customers, for example your spouse/civil partner or beneficiaries. The information you give us or that we collect through your use of our services, may contain your or another person’s personal data. If you provide us with information about another person, you confirm that they have appointed you to act for them, they consent to you providing their personal data to us and any processing of their personal data and that you have informed them of our identity and the purpose for which their personal data will be processed – as set out in this Privacy Notice.

As we operate in a regulated industry we have to comply with the laws and regulations set by government bodies and our regulators. YBS are regulated by the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and the Information Commissioner’s Office (ICO).

We process your personal data for a number of different purposes. When we collect, use, share or hold your personal data, we must have a valid reason to do so (known as a ‘lawful basis’). The table below sets out the different lawful basis we may rely on. You can find out more in the how we use your personal data section.

Lawful basis	Description
Consent	You have given free and clear consent for us to process your personal data for a specific purpose.
Contract	The processing is necessary for a contract we have with you, or because we have asked you to take specific steps before entering into a contract.
Explicit consent	You have given explicit consent for us to process your sensitive personal data for a specific purpose.
Legal obligation	The processing is necessary for us to comply with the law or legal requirement.
Legitimate interests	The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.

In general we do not collect special category data about you, but sometimes the personal data we collect may reveal this. We will only process your special category personal data where we have an additional lawful basis. This includes:

Where we need to carry out our legal obligations or exercise rights in connection with your application for an account with us.
Where it is needed in the public interest: for example, we will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equality and diversity monitoring and reporting.
With your explicit written consent. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.
Where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

We use your personal data for a whole host of reasons. This may vary depending on the type of scheme you are enrolled in.

Purpose	Why we use your personal data this way	Lawful basis we rely on to process your personal data
To review your application (including tax domicile status)	We will collect, use, share and keep personal data needed for us to deal with your enquiries and manage the ongoing administration of your accounts and services. This includes keeping your account records up to date and contacting you when needed. For some global schemes where we hold deposits, we will need to collect personal data so we can comply with Foreign Account Tax Compliance Act (FATCA)/Common Reporting Standard (CRS) reporting obligations – collectively known as ‘International Tax Compliance.’ You have the right to object to us using your personal data for legitimate interests.	Legal obligation Legitimate interests
For profiling	We use your personal data to allow us to understand our customer base and gain insights into our customers and our services. These activities are used to predict how we can best deliver our service to you as well as tailor our product or service offerings and contact you efficiently and effectively with information that is relevant to you. You have the right to object to us using your personal data for legitimate interests.	Legitimate interests
To administer, provide and service your account(s)	We will collect, use, and keep personal data needed to administer your accounts, including: Checking savings limits are not exceeded (UK SAYE only) Processing and retaining records of your instructions Notifying you about Scheme events e.g. reminder calls to action, maturity, statements, or other corporate actions General account and administration Notifying you about member related events e.g. AGMs and other meetings. Presenting shareholdings, documents and information about the Scheme to you Monitoring your participation in connected Schemes Facilitating the gathering of instructions for the holding/transferring of shares at maturity/vesting/withdrawal/closure. You have the right to object to us using your personal data for legitimate interests.	Legitimate interests
To communicate with you via our various channels	We will use your personal data to communicate with you. This includes communicating with you via the telephone, post and email. You have the right to object to us using your personal data for legitimate interests.	Legitimate interests
To manage surveys and feedback	We use personal data to manage surveys we may conduct from time to time As part of this we may engage third party providers to administer the survey on our behalf and share your contact details with them. You have the right to object to us processing your personal data in this way.	Legitimate interests
To market our services	Where you consent, we will use your personal data to identify if any of our services may be of interest to you and for making suggestions and recommendations to you about them. We will also use personal data to provide you with the information and services that you request from us via your chosen channel. You have the right to object to us using your personal data for legitimate interests.	Consent
To meet our legal and regulatory obligations	We’re required to collect and use your personal data in a number of circumstances to meet our legal and regulatory obligations. These include using your personal data to carry out a range of activities that ensure we comply with the requirements set out by our regulators (e.g. Financial Conduct Authority – FCA) and in relevant legislation (e.g. Data Protection Legislation and Anti-Money Laundering Regulations). We also disclose information to HMRC and other government bodies when we are required or permitted to do so, for example to detect and prevent fraud. For some global schemes where we hold deposits, we will need to collect personal data so we can comply with Foreign Account Tax Compliance Act (FATCA)/Common Reporting Standard (CRS) reporting obligations – collectively known as ‘International Tax Compliance.’	Legal obligation
To prevent and detect fraud and financial crime	We use and share your personal data with fraud prevention agencies to help prevent financial crime and fraud. Sometimes we have a legal obligation to do this. If required for fraud or criminal investigation reasons, we (and the fraud prevention agencies) may also allow law enforcement agencies to access and use your personal data. You have the right to object to us using your personal data for legitimate interests.	Legal obligation Legitimate interests
To resolve any complaints you may have	We will collect, use, share and keep personal data to help us resolve any complaints that you may have or make. You have the right to object to us using your personal data for legitimate interests.	Legitimate interests
To test our systems and processes	In order to improve our services and systems, we may use your personal data for testing our systems so that we can make them even better. Using your personal data for testing is necessary for our legitimate business interests as it allows us to maintain and improve the security, integrity and performance of our systems. Also, being able to develop systems with customers in mind enhances the experiences you have with us. We have stringent processes in place to keep your personal data safe and we won’t use it in a way that’s unfair to you. When we are unable to use 'masked' or anonymous data (i.e. that which doesn’t identify you), we will aim to: Always do this in a secure and controlled environment Only use the minimum amount of data necessary for the testing required Only use carefully selected specialist service providers, where necessary Only hold your information in this way for as long as needed to carry out testing You have the right to object to us using your personal data for legitimate interests.	Legitimate interests
Verifying your identify	Sometimes we have a regulatory requirement to confirm the identity of anyone opening an account with us. This upholds our legal obligations to complete necessary due diligence checks to make sure we know our customers, helps prevent and detect fraud, prevents identity theft and protects our business. It is also in our legitimate interests to check the identity of our customers for the same reasons. You have the right to object to us using your personal data for legitimate interests.	Legal obligation Legitimate interests

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with where this is required or permitted by law.

There may be circumstances where we use automated decision making using your personal data. We use automated decision making to check that we can enter into a contract with you, and also carry out our legal and regulatory obligations. Sometimes, it’s required by law (e.g. when complying with UK money laundering regulations). We may use automated decision making to:

Carry out financial crime checks as required under law.
Check if someone’s making a fraudulent application or if there’s activity on your account that needs further review. This is so we can protect you from financial crime.
Decide if you are, or continue to be, eligible for the service you’ve chosen.

For automated decision making, we use information that we’ve collected or hold about you from your applications. Sometimes, we might also use information from other sources such as credit reference or fraud prevention agencies – but we check this against the information you give us.

There may be occasions where we need to share your personal data with external partners or organisations. This can be where you have asked us, your employer has or we are required by law. We will only transfer your personal data to trusted third parties who provide sufficient security guarantees and who demonstrate a commitment to compliance with applicable law and this policy.

Where third parties are processing personal information on our behalf, they will be required to agree, by contractual means, to process the personal information in accordance with the applicable law. This contract will stipulate, amongst other things, that the third party and its representatives shall act only on our instructions, or as permitted by law. The table below provides details on who we share personal data with and the reasons why:

Who	Reason
Auditors	To ensure that your account is managed accordingly and for regulatory purposes.
Banks and other payment/financial service providers	To process your entitlements and payments. So they can open relevant accounts e.g. ISA, Nominee.
Brokers	To provide brokerage services to allow sale of shares. To obtain a share certificate and/or onward transfer of shares to an ISA, share dealing account or Nominee account. This may involve spousal/civil partner transfers. To facilitate share management services e.g. custody, corporate actions, dividends, and voting.
Communications/printing companies	To provide you with email and paper based communications in relation to your account and our services.
Courts and tribunals	To manage and resolve complaints, disputes and/or legal claims.
Fraud prevention agencies	To prevent fraud and money-laundering. To verify your identity.
Fraud prevention agencies (e.g. CIFAS and National Hunter)	To carry out checks for the purposes of preventing fraud and money laundering To verify your identity. To assess your suitability for services. For fraud prevention and tracing activity.
HM Revenue and Customs (HMRC) and other tax authorities	To confirm your tax status and provide information for tax reporting purposes. To assist with enquiries, investigations, complaints and assessments. To assist with financial crime and fraud prevention.
Information technology providers	To provide an integrated administration/brokerage platform and/or an administration platform. To provide an aggregated view of shareholdings.
Law enforcement agencies	To assist with any ongoing investigations relating to the security and/or safety of individuals. For financial crime and fraud prevention purposes.
Nominees	Individual Nominees To hold share certificates electronically when you leave your employment. Corporate Sponsored Nominees To hold shares electronically while you are employed.
Official Receiver/Insolvency Practitioners	For compliance with insolvency matters.
Other Scheme Administrators	To manage your account and ensure that our records are accurate and up to date.
Payroll providers	To manage payments due to you and to us.
Personal representatives	To manage queries in relation to your account in their capacity as a personal representative.
Registrars	To issue you with a share certificate.
Regulators e.g. Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), Information Commissioner’s Office (ICO)	To comply with our regulatory requirements and to resolve complaints.
Tax Authorities	To ensure compliance with tax legislation and requirements.
Third party providers, for example, your solicitor	To provide you with their services when you have requested these. To manage our business relationship with them and you.
Tracing agents	For tracing purposes and to locate you where we have been unable to contact you about your account.
Trustees/Employee Benefit Trusts	To enable shares to be transferred accordingly for settlement.
UK Financial Services Compensation Scheme Financial Ombudsman Scheme	To provide our regulatory and governing bodies with data about our business To assist with enquiries, investigations, complaints andassessments.
Your employer or agent(s)	To manage your account and process instructions provided by you or your employer.

We have a relationship with the following organisations and may share your personal data with the companies listed below associated purposes.

Organisation	Purpose
Acoustic Marketing UK Ltd	To provide email communication services.
Computershare Limited	To manage your account and ensure that our records are accurate and up to date (deposit taking only).
Jarvis Investment Management Limited	To provide brokerage services.
Other administrators, on a Client specific basis, where the administration has moved to another administrator, but the deposit taking (via the savings contract) has to remain with YBS.	To manage your account and ensure that our records are accurate and up to date (all Sharesave except deposit taking only and managed).
Paragon Customer Communications (London) Ltd	To provide printing and mailing services.
Registrar, Employee Benefit Trust, ISA and Nominee providers on a Client specific basis	To facilitate the holding/transferring of shares

If we sell or transfer all or part of our business, we may share or transfer customer records and data as part of the proposed/actual sale or transfer. Before we do this we will ensure there is adequate protection in place by imposing contractual obligations on the buyer/seller to ensure the security and confidentiality of your data.

There may be some circumstances where we may transfer your personal data to countries outside the UK when:

We’re required or permitted to by law or regulatory requirements.
We’re sharing data with a third party to support us in the management of your account(s)
We’re sharing data with a third party to facilitate the holding/transferring of your shares e.g. an EBT or Nominee.
Your employer is based outside the UK.

When transferring personal data to countries outside the UK or EEA, we take appropriate steps to ensure that there is adequate protection and controls are in place and that data protection legislation is followed. This is done by:

Ensuring that we transfer personal data to countries that we believe have comparable data protection legislation to the UK.
Putting suitable clauses in our contracts to ensure that organisation’s take appropriate steps to comply with UK data protection laws or the equivalent.
Having appropriate contractual indemnities in place.

If you would like more information on this, please contact us

We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Our aim is to keep your personal data only for as long as we need to, in order to manage your relationship with us and comply with legal and regulatory requirements. When determining retention periods, we consider the following:

the maximum or minimum retention periods identified by the law or regulatory guidance
our contractual rights and obligations
customer expectations, the nature of your relationship with us and the types of accounts and services you have with us
current or future operational requirements
forensic requirements, for example, the potential need to access data no longer actively used in order to manage or respond to complaints and disputes
the risks involved in retention, deletion and removal
the cost of maintaining, storing, archiving and retrieving data
the capability or restraints of our systems and technology

The table below provides details on how long we will retain your personal data for:

Category	Retention Period
Complaints	If you make a complaint to us, we will retain your personal data in relation to the complaint for up to 6 years after the closure of a complaint to meet our legal and regulatory obligations and to manage, where applicable, any escalation to the Financial Ombudsman Service (FOS).
Fraud prevention data	Fraud Prevention Agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held by us for up to 6 years from the end of our relationship with you.
Marketing preferences	If you have opted to receive marketing information from us and we have been informed by your employer, we will retain your preferences for methods you have chosen to be contacted for the duration of your relationship with us unless you tell us otherwise.
Personal data relating to your account(s)	If you have an account or investment product we typically keep personal data for 10 years from the end of our relationship with you. In some cases where there may be a dispute or a legal action we may be required to keep personal information for longer.
Power of Attorney information	We will retain this for 10 years from the end of our relationship with you.

We may keep your personal data for longer than indicated if we cannot delete it for legal, regulatory or technical reasons. We may also keep it for research or statistical purposes. If we do, we’ll make sure that your privacy is protected and only use it for those specified purposes.

If we anonymise your personal data so that it can no longer be associated with you, it will no longer be considered personal data and we can use it without further notice to you.

You have a number of rights in relation to your personal data. These are detailed below.

Right	Description
Request to be informed about how we process your personal data.	You have the right to be informed about the collection and use of your personal data.
Request access to your personal data (commonly known as a “data subject access request”).	This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request rectification/correction of the personal data that we hold about you.	This enables you to have any incomplete or inaccurate data corrected.
Request erasure of your personal data.	This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object.
Object to processing of your personal data.	You can object to us using your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
Request the restriction of processing of your personal data.	This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your personal data to another party.	In certain circumstances, you have the right to ask us to transfer a copy of some of your personal data to you or to a new data controller (e.g. another financial provider or comparison website).
Right to withdraw your consent	Where we rely on your consent to process any of your personal data, you have a right to withdraw that consent at any time. This will not affect any use we have made of the information before you withdrew your consent.
Object to automated decision making /Profiling	In certain circumstances, you have the right to ask for an automated decision (such as a lending decision made by a machine) to be reviewed by a human.
Complain to the Supervisory Authority	You have the right to make a complaint to the Supervisory Authority. In the UK, this is the Information Commissioner’s Office (ICO).

Where we are the data controller, you can request these rights by:

Writing to us at the address below
Emailing DPO@ybs.co.uk
By calling us on the numbers below

Whilst we make every effort to ensure your data is correct, we kindly request that you help us by reporting any inaccuracies or discrepancies at the earliest opportunity. It is your responsibility to keep us informed of any change of your circumstances including any name changes, alternative contact details or change of address.

To make changes you can contact us using the details below:

YBSSharePlansAdmin@ybs.co.uk
0345 1200 300

You can change your marketing preferences and how we contact you in relation to new services by contacting us via the details below:

YBSSharePlansAdmin@ybs.co.uk
0345 1200 300

In order to improve your online experience with us, we use cookies. To find out more about cookies, the types of cookies we use, how we use them and how to manage your preferences, please see our cookies section.

Our site may contain links to other sites. Such other sites may also make use of their own cookies and will have their own cookies policies. You should carefully review the relevant policies and practices of other sites, as we cannot control or be responsible their content.

If you have any concerns about how we collect, use, share or keep your personal data, you think there has been a breach, or you have a question or concern about anything in this notice, you may contact our Data Protection Officer (DPO) using the details below:

Data Protection Officer
Yorkshire House
Yorkshire Drive
Bradford
West Yorkshire
BD5 8LJ
dpo@ybs.co.uk

You have a right to complain to the Information Commissioner’s Office (ICO) if you have any concerns about how we collect, use, share or keep your personal data. You may contact them at:

Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Web: ico.org.uk

Privacy Notice

Introduction

Updating this notice

Introduction

Data Controller

Services covered by this notice

Why do we need your personal data?

What if you do not provide personal data?

What personal data do we collect?

Special Category Data

Where do we obtain personal data from?

How do we collect special category data?

Collecting personal data about individuals who are not a customer

Lawful basis for processing personal data

Lawful basis for processing special category data

How do we use your personal data?

Change of purpose

Automated decision making

What information do we use to make these decisions?

Who has access to your personal data?

Our relationships with other organisations

Sale, purchase or demutualisation of all or part of our business

Transfers of personal data outside the EEA

How do we protect your personal data?

How long do we keep your personal data?

What rights do you have in relation to your personal data?

Accuracy of your personal data

Changing your marketing preferences

Cookies

Data Protection Officer (DPO) details

Contacting the Information Commissioner’s Office (ICO)

Updating this notice