Privacy Notice

Introduction


This privacy notice sets out how Yorkshire Building Society (YBS) Share Plans will collect and use your personal data and your information rights. We are committed to taking good care of your personal data and ensuring the highest standards of privacy. If you have any questions about this notice, don’t hesitate to get in touch with us. We’ll be more than happy to help.

YBS Share Plans is part of Yorkshire Building Society (YBS). Within this privacy notice, any references to ‘Share Plans’ ‘us’, ‘our’ and ‘we’ means ‘YBS’. Your employer will be referred to as ‘Employer’, ‘Company’ or ‘Client’. An ‘account’ can mean an account where savings/deposits are held or just simply an administration record. The terms ‘Scheme’ and ‘Plan’ are used interchangeably to describe the services we provide to your employer in relation to their employee share scheme/plan.

This notice does not extend to other organisations, such as any external websites you may access from our website. Other organisations may inform you how they use your personal data.

When appropriate, we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this notice.

You can download and print a copy of our Privacy Notice here.

An organisation that decides how the personal data it collects and holds is used is called a ‘data controller’. We call this use of personal data ‘processing’ – this includes the collection, storage, analysis, sharing, retention and disposal of personal data. We will be the data controller.

As a Data Controller, we are registered with the Information Commissioner's Office (ICO) - the organisation in the UK that oversees that an organisation is acting accordingly when processing personal data. Our registration numbers are:

  • Z9006086
  • Z5217596

YBS provides share plan trustee and administration services, including deposit taking, all of which are subject to English law, with deposit taking being regulated by the Financial Conduct Authority. The provision of share plan trustee and administration services is not regulated by the Financial Conduct Authority. We are not responsible for share plan deposits held by local savings carriers outside the UK. This notice applies to all of the following services:

  • Sharesave (UK SAYE)
  • Share Incentive Plans UK (UK SIP)
  • Global Share Incentive Plans (Global SIP)
  • Global Sharesave
  • Discretionary Share Plans
  • Sharesave – Republic of Ireland (Irish SAYE)

You can find out more about these services on our website here. The table below shows our role for each type of service.

Administrator

Trustee

Deposit taker

Sharesave (UK and Irish)

UK SIP

Global SIP

Discretionary Share Plans

Global Sharesave - deposit

Global Sharesave - managed*

Deposit taking only (UK SAYE and Irish SAYE)**

 

* If you don’t pay money to YBS each month and just receive documents/e-forms from us, this will be you.

** You will likely be included in this scheme if another provider has provided an administration portal and/or sends you share plan documents since the start of your savings contract.

In order that we can provide you with a high quality service and, where applicable, enter into a relationship with you, we will need to obtain and use personal data about you. Without this, we may not be able to provide you with one of our services or deal with your queries effectively.

We require personal data in order to verify/validate you and for security purposes. If you do not provide us with this, we may not be able to provide you with services or communicate with you effectively. Some of our terms and conditions require you to provide us with personal data, such as informing us of a change of address so that we can provide you with statutory information relating to your account.

We collect and use a variety of personal data to run our business and manage our relationship with you. The table below shows the typical categories of personal data we ask you for and why we may ask for it. You will find more specific information in the ‘How do we use your personal data?’ section:

What will we collect?

How we may use it

Bank details (including IBAN and Swift Code)

We use your these details to make any payments due to you.

Call recordings

It is important that we provide the best possible service to you. This might mean that we log and record calls you make to us to resolve any discrepancies or issues that inevitably crop up from time to time. We may also record calls for training and monitoring purposes, including meeting our legal obligations.

CREST ID/Nominee identifier

We use your CREST ID to arrange the transfer of shares from the Corporate Sponsored Nominee account to your individual Nominee account.

Date of birth and/or age

We will use this to identify and verify (validate) you.

Direct marketing preferences

We may ask you if you wish to receive notifications from us about our services that may be of interest to you. We will only do this where we have your explicit consent and will only contact you by methods you have chosen (e.g. post, phone, text, email).

Driving licence, passport or other identification

When requesting changes to personal data e.g. name, address, we use this to verify your identity in accordance with our internal procedures.

Email address and phone number

We use your email address and phone number to:

  • Invite you to join a Scheme
  • Contact you about your account(s)
  • Notify you about changes to our services
  • Issue statements or other share scheme documentation to you
  • Send you marketing information (where you have consented)
  • Enable you to register for online services
  • Enable you to register your interests for new product or service updates that we may offer.

Employment details

For certain services, we may collect details of your employment, including your start date, employment location, employment status i.e. leaver details and date, and employee ID, so that we can verify (validate) you, check your eligibility for one or more of our services and to manage your account effectively.

Gender

Sometimes, it will be necessary for us to use your gender in order to:

  • Identify and verify you
  • for reporting purposes (e.g. demographics and statistics)

How you interact with us

We may record how you interact with us currently or in the past in order to give you the best service and prevent fraud. This can include whether you have carried out a transaction over the phone or over the internet for example.

Name(s), title, address, previous addresses, gender

We use this:

  • To invite you to join a Scheme
  • To identify and verify (validate) you
  • To open, manage and administer your accounts and relationship with us
  • Contact you about your account(s)
  • Notify you about changes to our services
  • Issue statements or other share scheme documentation to you
  • Send you marketing information (where you have consented)
  • To meet our legal and regulatory obligations
  • To allow EBT providers and nominees to comply with financial crime regulations (name).

National insurance number

We use this to verify (validate) your identity and to allow Brokers to comply with stock market reporting obligations.

Nationality and national identifier data

We use this to allow Brokers to comply with stock market reporting obligations and, for nationality, to meet our legal and regulatory obligations.

Place of birth

We may collect details on your place of birth in order to authenticate and verify you when you contact us and to prevent fraud.

Tax status

Where applicable, we will use this for identifying your tax status. If you are a tax resident overseas or a US citizen, you are required to complete a declaration and we are obliged to report the information relating to you and your account(s) to HM Revenue and Customs (HMRC). HMRC may share the information with the relevant tax authorities.

From time to time, we may need to ask for personal data that might seem sensitive. This is known as ‘special category data’. In general we do not collect special category data about you, but sometimes the personal data we collect may reveal this. This could include information on:

  • race or ethnicity
  • health, including any medical condition, health and sickness or vulnerability

Depending on the service(s) we provide to you, we obtain your personal data in the following ways:

Service

Who from?

Details

UK SIP, Sharesave (UK and Irish)

Global Sharesave - Deposit

Global Sharesave - Managed

Directly from you

We obtain personal data directly from you:

  • When you apply for our services online or on the phone.
  • When you register to allow you to use online services.
  • When you update your information (such as when you change your address).
  • When you speak to us on the phone (we may record some calls for training and quality purposes).
  • When using our websites, online web chat services and any digital or mobile app we may offer now or in the future.
  • When you send letters, emails or other documents to us.
  • When we use information that you’ve made public such as tweets or social media content too (e.g. when you interact with our social media profiles, on Twitter, or referenceYorkshire Building Society or Share Plans in a ‘tweet’).

UK SIP

Global SIP

Global Sharesave - Deposit

UK SAYE

Global Sharesave - Managed

Deposit taking only (UK SAYE and Irish SAYE)

Discretionary Share Plans

From a third party acting on your behalf

We obtain personal data relating to you from third parties to invite you to join a scheme and to enable us to provide our services to you. This can include:

  • Your employer
  • Your personal representatives.
  • Your share plans administrator (UK and Irish SAYE deposit taking only)
  • Another share plan administrator (all SAYE except deposit taking only and managed)
  • Your Local Co-Ordinator (for Global Sharesave - managed services)

All services

From other third parties

We collect personal data relating to you from third parties including:

  • Regulators such as the Financial Conduct Authority (FCA)
  • Tracing agents acting our behalf
  • The Official Receiver/Insolvency Practitioners
  • Individuals acting under a Power of Attorney
  • Personal Representatives

In almost all cases, we’ll ask for your explicit consent before collecting special category data unless we are required to by law (for example, for employment law purposes), there is an overriding public interest, or where we believe you or someone else may be at risk.

If you contact us and share this type of information, then we’ll assume that you’re happy for us to record it – unless you tell us not to. If someone acting on your behalf provides this information, we’ll record what’s been provided and who gave it to us.

Where we have relied on your explicit consent, you have the right to withdraw your consent to us recording and using special category data at any time. This will not affect any use we have made of the information before you withdrew your consent.

From time to time, we might need to collect or use personal data about individuals who aren’t our customers, for example your spouse/civil partner or beneficiaries. The information you give us or that we collect through your use of our services, may contain your or another person’s personal data. If you provide us with information about another person, you confirm that they have appointed you to act for them, they consent to you providing their personal data to us and any processing of their personal data and that you have informed them of our identity and the purpose for which their personal data will be processed – as set out in this Privacy Notice.

As we operate in a regulated industry we have to comply with the laws and regulations set by government bodies and our regulators. YBS are regulated by the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and the Information Commissioner’s Office (ICO).

We process your personal data for a number of different purposes. When we collect, use, share or hold your personal data, we must have a valid reason to do so (known as a ‘lawful basis’). The table below sets out the different lawful basis we may rely on. You can find out more in the how we use your personal data section.

Lawful basis

Description

Consent

You have given free and clear consent for us to process your personal data for a specific purpose.

Contract

The processing is necessary for a contract we have with you, or because we have asked you to take specific steps before entering into a contract.

Explicit consent

You have given explicit consent for us to process your sensitive personal data for a specific purpose.

Legal obligation

The processing is necessary for us to comply with the law or legal requirement.

Legitimate interests

The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.

In general we do not collect special category data about you, but sometimes the personal data we collect may reveal this. We will only process your special category personal data where we have an additional lawful basis. This includes:

  • Where we need to carry out our legal obligations or exercise rights in connection with your application for an account with us.
  • Where it is needed in the public interest: for example, we will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equality and diversity monitoring and reporting.
  • With your explicit written consent. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.
  • Where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

We use your personal data for a whole host of reasons. This may vary depending on the type of scheme you are enrolled in.

Purpose

Why we use your personal data this way

Lawful basis we rely on to process your personal data

Analysing an eligibility file from your employer

For Sharesave (UK, Irish and Global SAYE) and UK SIP, we use personal data in order to analyse the ‘eligibility file’ (a data file received from your employer which confirms the details of those employees who are eligible to participate in a particular scheme) provided by your employer. This includes validating the file for errors and carrying out checks for financial crime purposes. This data is then used to invite you to join a Scheme.

For a Discretionary Share Plan, we use personal data in order to analyse and ‘award file’ (a data file received from your employer which confirms the details of those employees who are to be awarded shares in a particular scheme) provided by your employer. This includes validating the file for errors.

You have the right to object to us using your personal data for legitimate interests.

Legitimate interests

Verifying your identify

Sometimes we have a regulatory requirement to confirm the identity of anyone opening an account with us. This upholds our legal obligations to complete necessary due diligence checks to make sure we know our customers, helps prevent and detect fraud, prevents identity theft and protects our business. It is also in our legitimate interests to check the identity of our customers for the same reasons.

You have the right to object to us using your personal data for legitimate interests.

Legal obligation

Legitimate interests

To host applications and awards

If you decide to apply for Sharesave (UK, Irish, Global) or SIP (UK, Global), we will invite you to join via our website portal or e-form where we will collect and use your personal data to process your application and subsequently display your account details.

If you are awarded shares in a Discretionary Share Plan, we will notify you and invite you to our website portal (hosted by Investec) where we will use your personal data to process and host your acceptance of the award.

For some global schemes where we hold deposits, we will need to collect personal data so we can comply with Foreign Account Tax Compliance Act (FATCA)/Common Reporting Standard (CRS) reporting obligations – collectively known as ‘International Tax Compliance.’

You have the right to object to us using your personal data for legitimate interests.

Legitimate interests

Legal obligation

To review your application (including tax domicile status)

We will collect, use, share and keep personal data needed for us to deal with your enquiries, process your applications and manage the ongoing administration of your accounts and services. This includes keeping your account records up to date and contacting you when needed.

For some global schemes where we hold deposits, we will need to collect personal data so we can comply with Foreign Account Tax Compliance Act (FATCA)/Common Reporting Standard (CRS) reporting obligations – collectively known as ‘International Tax Compliance.’

You have the right to object to us using your personal data for legitimate interests.

Legal obligation

Legitimate interests

To administer, provide and service your account(s)

We will collect, use, and keep personal data needed to administer your accounts, including:

  • Checking savings limits are not exceeded (UK SAYE only)
  • Processing and retaining records of your instructions
  • Notifying you about Scheme events e.g. invites, awards, reminder calls to action, maturity, statements, voting, dividend payments or other corporate actions
  • General account and administration
  • Notifying you about member related events e.g. AGMs and other meetings.
  • Presenting shareholdings, documents and information about the Scheme to you
  • Accounting for dividends or other benefits (e.g. paying them to you via bank transfer and providing dividend confirmations)
  • Monitoring your participation in connected Schemes
  • Deducting PAYE and national insurance contributions (NICs) and, where applicable, cost of options
  • Facilitating the gathering of instructions for the holding/transferring of shares at maturity/vesting/withdrawal/closure.

You have the right to object to us using your personal data for legitimate interests.

Legitimate interests

Communicating with you via our various channels

We will use your personal data to communicate with you. This includes communicating with you via the telephone, post, email, live chat and social media.

You have the right to object to us using your personal data for legitimate interests.

Legitimate interests

To resolve any complaints you may have

We will collect, use, share and keep personal data to help us resolve any complaints that you may have or make.

You have the right to object to us using your personal data for legitimate interests.

Legitimate interests

To prevent and detect fraud and financial crime

We use and share your personal data with fraud prevention agencies to help prevent financial crime and fraud. Sometimes we have a legal obligation to do this. If required for fraud or criminal investigation reasons, we (and the fraud prevention agencies) may also allow law enforcement agencies to access and use your personal data.

You have the right to object to us using your personal data for legitimate interests.

Legal obligation

Legitimate interests

To test our systems and processes

In order to improve our services and systems, we may use your personal data for testing our systems so that we can make them even better.

Using your personal data for testing is necessary for our legitimate business interests as it allows us to maintain and improve the security, integrity and performance of our systems. Also, being able to develop systems with customers in mind enhances the experiences you have with us.

We have stringent processes in place to keep your personal data safe and we won’t use it in a way that’s unfair to you. When we are unable to use 'masked' or anonymous data (i.e. that which doesn’t identify you), we will aim to:

  • Always do this in a secure and controlled environment
  • Only use the minimum amount of data necessary for the testing required
  • Only use carefully selected specialist service providers, where necessary
  • Only hold your information in this way for as long as needed to carry out testing

You have the right to object to us using your personal data for legitimate interests.

Legitimate interests

To meet our legal and regulatory obligations

We’re required to collect and use your personal data in a number of circumstances to meet our legal and regulatory obligations.

These include using your personal data to carry out a range of activities that ensure we comply with the requirements set out by our regulators (e.g. Financial Conduct Authority – FCA) and in relevant legislation (e.g. Data Protection Legislation and Anti-Money Laundering Regulations). We also disclose information to HMRC and other government bodies when we are required or permitted to do so, for example to detect and prevent fraud.

For some global schemes where we hold deposits, we will need to collect personal data so we can comply with Foreign Account Tax Compliance Act (FATCA)/Common Reporting Standard (CRS) reporting obligations – collectively known as ‘International Tax Compliance.’

Legal obligation

For profiling

We use your personal data to allow us to understand our customer base and gain insights into our customers and our services. These activities are used to predict how we can best deliver our service to you as well as tailor our product or service offerings and contact you efficiently and effectively with information that is relevant to you.

You have the right to object to us using your personal data for legitimate interests.

Legitimate interests

Prize draws and interactive features

We will use your personal data to allow you to participate in any prize draws or interactive features of our service, when you choose to do so.

You have the right to object to us using your personal data for legitimate interests.

Consent

Legitimate interests

Marketing of our services

Where you consent, we will use your personal data to identify if any of our services may be of interest to you and for making suggestions and recommendations to you about them. We will also use personal data to provide you with the information and services that you request from us via your chosen channel.

You have the right to object to us using your personal data for legitimate interests.

Consent

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with where this is required or permitted by law.

There may be circumstances where we use automated decision making using your personal data. We use automated decision making to check that we can enter into a contract with you, and also carry out our legal and regulatory obligations. Sometimes, it’s required by law (e.g. when complying with UK money laundering regulations). We may use automated decision making to:

  • Carry out financial crime checks as required under law.
  • Check if someone’s making a fraudulent application or if there’s activity on your account that needs further review. This is so we can protect you from financial crime.
  • Decide if you are, or continue to be, eligible for the service you’ve chosen.

For automated decision making, we use information that we’ve collected or hold about you from your applications. Sometimes, we might also use information from other sources such as credit reference or fraud prevention agencies – but we check this against the information you give us.

There may be occasions where we need to share your personal data with external partners or organisations. This can be where you have asked us, your employer has or we are required by law. We will only transfer your personal data to trusted third parties who provide sufficient security guarantees and who demonstrate a commitment to compliance with applicable law and this policy.

Where third parties are processing personal information on our behalf, they will be required to agree, by contractual means, to process the personal information in accordance with the applicable law. This contract will stipulate, amongst other things, that the third party and its representatives shall act only on our instructions, or as permitted by law. The table below provides details on who we share personal data with and the reasons why:

Who

Reason

Auditors

  • To ensure that your account is managed accordingly and for regulatory purposes.

Banks and other payment/financial service providers

  • To process your entitlements and payments.
  • So they can open relevant accounts e.g. ISA, Nominee.

Brokers

  • To provide brokerage services to allow sale of shares.
  • To obtain a share certificate and/or onward transfer of shares to an ISA, share dealing account or Nominee account. This may involve spousal/civil partner transfers.
  • To facilitate share management services e.g. custody, corporate actions, dividends, and voting.

Communications/printing companies

  • To provide you with email and paper based communications in relation to your account and our services.

Courts and tribunals

  • To manage and resolve complaints, disputes and/or legal claims.

Fraud prevention agencies

  • To prevent fraud and money-laundering.
  • To verify your identity.

Fraud prevention agencies (e.g. CIFAS and National Hunter)

  • To carry out checks for the purposes of preventing fraud and money laundering
  • To verify your identity.
  • To assess your suitability for services.
  • For fraud prevention and tracing activity.

HM Revenue and Customs (HMRC) and other tax authorities

  • To confirm your tax status and provide information for tax reporting purposes.
  • To assist with enquiries, investigations, complaints and assessments.
  • To assist with financial crime and fraud prevention.

Information technology providers

  • To provide an integrated administration/brokerage platform and/or an administration platform.
  • To provide an aggregated view of shareholdings.

Law enforcement agencies

  • To assist with any ongoing investigations relating to the security and/or safety of individuals.
  • For financial crime and fraud prevention purposes.

Market research providers

  • To provide market research services on our behalf.
  • To gain better understand our customers including their experiences, circumstances, needs and responses to our current and potential services and wider initiatives.
  • To gain a range of insights, for example market trends; consumer behaviour; competitors; technological change.
  • To support a wide range of business decision making such as product development.
  • For data for profiling and customer segmentation to create a broad understanding of our customers, to help shape our communications and the overall customer experience.

Nominees

Individual Nominees

  • To hold share certificates electronically when you leave your employment.

Corporate Sponsored Nominees

  • To hold shares electronically while you are employed.

Official Receiver/Insolvency Practitioners

  • For compliance with insolvency matters.

Other Scheme Administrators

  • To manage your account and ensure that our records are accurate and up to date.

Payroll providers

  • To manage payments due to you and to us.

Personal representatives

  • To manage queries in relation to your account in their capacity as a personal representative.

Registrars

  • To issue you with a share certificate.

Regulators e.g. Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), Information Commissioner’s Office (ICO)

  • To comply with our regulatory requirements and to resolve complaints.

Social Media providers

  • To communicate with you and answer your queries submitted via social media.
  • To show you targeted advertising (where applicable).

Tax Authorities

  • To ensure compliance with tax legislation and requirements.

Third party providers, for example, your solicitor

  • To provide you with their services when you have requested these.
  • To manage our business relationship with them and you.

Tracing agents

  • For tracing purposes and to locate you where we have been unable to contact you about your account.

Trustees/Employee Benefit Trusts

  • To enable shares to be transferred accordingly for settlement.

UK Financial Services Compensation Scheme

Financial Ombudsman Scheme

  • To provide our regulatory and governing bodies with data about our business
  • To assist with enquiries, investigations, complaints andassessments.

Your employer or agent(s)

  • To manage your account and process instructions provided by you or your employer.

We have a relationship with the following organisations and may share your personal data with the companies listed below associated purposes.

Organisation

Purpose

Acoustic Marketing UK Ltd

To provide email communication services.

Computershare Limited

To manage your account and ensure that our records are accurate and up to date (deposit taking only).

Embark Investment Services Limited

To provide brokerage services.

Foster Denovo Limited

To provide an aggregated view of all your shareholdings (if you have Discretionary Share Plan and UK SAYE and/or UK SIP, or a number of Global Sharesave – Deposit accounts) and share plan financial education.

Investec Bank Plc

To provide an integrated administration and brokerage platform (Discretionary Share Plans).

To provide an administration service platform (Global SIP).

To provide an aggregated view of all your shareholdings (if you have a Discretionary Share Plan along with UK SAYE and/or UK SIP).

Jarvis Investment Management Limited

To provide brokerage services.

Ocorian Trustees (Jersey) Limited.

To provide Corporate Sponsored Nominee services.

Other administrators, on a Client specific basis, where the administration has moved to another administrator, but the deposit taking (via the savings contract) has to remain with YBS.

To manage your account and ensure that our records are accurate and up to date (all Sharesave except deposit taking only and managed).

Paragon Customer Communications (London) Ltd

To provide printing and mailing services.

Registrar, Employee Benefit Trust, ISA and Nominee providers on a Client specific basis

To facilitate the holding/transferring of shares

If we sell or transfer all or part of our business, we may share or transfer customer records and data as part of the proposed/actual sale or transfer. Before we do this we will ensure there is adequate protection in place by imposing contractual obligations on the buyer/seller to ensure the security and confidentiality of your data.

There may be some circumstances where we may transfer your personal data to countries outside the UK when:

  • We’re required or permitted to by law or regulatory requirements.
  • We’re sharing data with a third party to support us in the management of your account(s)
  • We’re sharing data with a third party to facilitate the holding/transferring of your shares e.g. an EBT or Nominee.
  • Your employer is based outside the UK.

When transferring personal data to countries outside the UK or EEA, we take appropriate steps to ensure that there is adequate protection and controls are in place and that data protection legislation is followed. This is done by:

  • Ensuring that we transfer personal data to countries that we believe have comparable data protection legislation to the UK.
  • Putting suitable clauses in our contracts to ensure that organisation’s take appropriate steps to comply with UK data protection laws or the equivalent.
  • Having appropriate contractual indemnities in place.

If you would like more information on this, please contact us

We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Our aim is to keep your personal data only for as long as we need to, in order to manage your relationship with us and comply with legal and regulatory requirements. When determining retention periods, we consider the following:

  • the maximum or minimum retention periods identified by the law or regulatory guidance
  • our contractual rights and obligations
  • customer expectations, the nature of your relationship with us and the types of accounts and services you have with us
  • current or future operational requirements
  • forensic requirements, for example, the potential need to access data no longer actively used in order to manage or respond to complaints and disputes
  • the risks involved in retention, deletion and removal
  • the cost of maintaining, storing, archiving and retrieving data
  • the capability or restraints of our systems and technology

The table below provides details on how long we will retain your personal data for:

Category

Retention Period

Competitions/prize draws

We will keep details of the competitions and/or prize draws you enter for up to 6 months after the end of the competition and/or prize draw, unless otherwise stated in the competition/prize draw information we provide at the time.

Complaints

If you make a complaint to us, we will retain your personal data in relation to the complaint for up to 6 years after the closure of a complaint to meet our legal and regulatory obligations and to manage, where applicable, any escalation to the Financial Ombudsman Service (FOS).

Fraud prevention data

Fraud Prevention Agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held by us for up to 6 years from the end of our relationship with you.

General enquiries

If you contact us with a general enquiry, via email, phone or post, we will retain your personal data for up to 6 months from the date the information was obtained in order to allow time for you to open an account, product or service and for us to respond to further queries from you.

Marketing preferences

If you have opted to receive marketing information from us and we have been informed by your employer, we will retain your preferences for methods you have chosen to be contacted for the duration of your relationship with us unless you tell us otherwise.

Personal data relating to Trusts

For trusts we are required to keep personal data for up to 21 years.

Personal data relating to your account(s)

If you have an account or investment product we typically keep personal data for 10 years from the end of our relationship with you. In some cases where there may be a dispute or a legal action we may be required to keep personal information for longer.

Power of Attorney information

We will retain this for 10 years from the end of our relationship with you.


We may keep your personal data for longer than indicated if we cannot delete it for legal, regulatory or technical reasons. We may also keep it for research or statistical purposes. If we do, we’ll make sure that your privacy is protected and only use it for those specified purposes.

If we anonymise your personal data so that it can no longer be associated with you, it will no longer be considered personal data and we can use it without further notice to you.

You have a number of rights in relation to your personal data. These are detailed below.

Right

Description

Request to be informed about how we process your personal data.

You have the right to be informed about the collection and use of your personal data.

Request access to your personal data (commonly known as a “data subject access request”).

This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request rectification/correction of the personal data that we hold about you.

This enables you to have any incomplete or inaccurate data corrected.

Request erasure of your personal data.

This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object.

Object to processing of your personal data.

You can object to us using your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.

Request the restriction of processing of your personal data.

This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.

Request the transfer of your personal data to another party.

In certain circumstances, you have the right to ask us to transfer a copy of some of your personal data to you or to a new data controller (e.g. another financial provider or comparison website).

Right to withdraw your consent

Where we rely on your consent to process any of your personal data, you have a right to withdraw that consent at any time. This will not affect any use we have made of the information before you withdrew your consent.

Object to automated decision making /Profiling

In certain circumstances, you have the right to ask for an automated decision (such as a lending decision made by a machine) to be reviewed by a human.

Complain to the Supervisory Authority

You have the right to make a complaint to the Supervisory Authority. In the UK, this is the Information Commissioner’s Office (ICO).


Where we are the data controller, you can request these rights by:

  • Writing to us at the address below
  • Emailing DPO@ybs.co.uk
  • By calling us on the numbers below

Whilst we make every effort to ensure your data is correct, we kindly request that you help us by reporting any inaccuracies or discrepancies at the earliest opportunity. It your responsibility to keep us informed of any change of your circumstances including any name changes, alternative contact details or change of address. If you have an online account, you can make certain changes in the account area. Alternatively, you can contact us using the details below:

If you’re a Sharesave (SAYE) customer:

If you’re a Share Incentive Plan (SIP) customer:

If you’re a Discretionary (Executive) Share Plan customer:

Where you are an existing customer, you can change your marketing preferences and how we contact you in relation to new services by logging into your online account at ybsshareplans.co.uk. After you’ve logged in, just select your name (which appears alongside the logout button) and the personal details menu will appear. You can also contact us via the details below:

If you’re a Sharesave (SAYE) customer:

If you’re a Share Incentive Plan (SIP) customer:

If you’re a Discretionary (Executive) Share Plan customer:

In order to improve your online experience with us, we use cookies. To find out more about cookies, the types of cookies we use, how we use them and how to manage your preferences, please see our cookies section.

Our site may contain links to other sites. Such other sites may also make use of their own cookies and will have their own cookies policies. You should carefully review the relevant policies and practices of other sites, as we cannot control or be responsible their content.

If you have any concerns about how we collect, use, share or keep your personal data, you think there has been a breach, or you have a question or concern about anything in this notice, you may contact our Data Protection Officer (DPO) using the details below:

Data Protection Officer
Yorkshire House
Yorkshire Drive
Bradford
West Yorkshire
BD5 8LJ
dpo@ybs.co.uk

You have a right to complain to the Information Commissioner’s Office (ICO) if you have any concerns about how we collect, use, share or keep your personal data. You may contact them at:

Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Web: ico.org.uk

Updating this notice

We regularly review and, where necessary, update our privacy information contained within this notice. This was last updated on 9 September 2020.