Privacy Notice
HOW WE USE YOUR PERSONAL DATA
Introduction
We take our obligations under data protection law very seriously and we’re committed to keeping your personal data secure.
Data Protection law, including the Data Protection Act 2018 and UK General Data Protection Regulation (GDPR), imposes obligations on us as a “data controller” when we collect, hold, amend, share or otherwise use or erase/destroy (collectively referred to as “processing”) your personal data. It also gives you, as the “data subject”, rights over your personal data.
One such obligation is to process your personal data fairly, lawfully and in a transparent manner. This privacy notice is designed to help you understand what personal data we hold, why it is required, and how it is used. It also sets out some of your legal rights.
ABOUT US
OSB GROUP PLC is the London Stock Exchange listed entity and parent company for a specialist lending and retail savings group of companies (OSB Group) including OneSavings Bank plc and Charter Court Financial Services Limited, which are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
In this privacy notice, the terms “we”, “our”, and “us” are used to refer to the relevant subsidiary/trading name and “data controller” for your personal data or, where applicable, to the OSB Group. Subsidiaries and our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006, may change from time to time and references to the OSB Group include successors in title and any other person who is for the time being entitled at law to the benefit of the savings or investment product. Subsidiaries and trading names in the OSB Group include:
- Charter Savings Bank
- Charter Court Financial Services Limited
- Kent Reliance, Kent Reliance Banking Services, krbs
- OneSavings Bank plc
We respect your right to privacy. If you have any questions or concerns about how we use your information, our Data Protection team will be happy to assist you. Please write to:
Group Data Protection Officer, OSB GROUP PLC, OSB House, Quayside, Chatham Maritime, ME4 4QZ
Alternatively, you can email us at: [email protected]
Please read the following carefully to understand our practices regarding your personal data and how it is processed.
WHO THIS PRIVACY NOTICE APPLIES TO
This privacy notice explains how we will use the personal data of:
- anyone who applies for or has a savings or other account (e.g. bonds, ISAs) with us;
- anyone who becomes, or applies to be added as, a party to an existing account; and
- representatives of anyone who has an account with us including persons appointed under a Power of Attorney and personal representatives.
Each such person is referred to as “you” and “your” in this privacy notice.
HOW WE OBTAIN YOUR PERSONAL DATA
We will receive personal data about you from a variety of sources including from you, information we collect about you when you use our banking services online, information we receive from other sources including from applicants or account holders, persons who represent or advise you including a person appointed under a Power of Attorney, your bank or building society, fraud prevention agencies, the Cash ISA Transfer Service, persons working on our behalf and providing services to us, market researchers, government, tax and law enforcement agencies and other companies within the OSB Group.
We will also receive and create personal data about you during the course of the application for, and our administration of, an account, for example from emails, telephone calls, letters and other documents. We may also obtain data about you that is publicly available, such as from the Electoral Register and the Internet.
THE TYPES OF PERSONAL DATA WE USE
We may process a wide variety of data about you, where necessary, for the purposes set out in the “How We Use Your Data” section, including data about:
- you as an individual
- people connected to you
- your finances and the finances of any business you own or run
- your accounts, products and services you have with us
- your communication preferences
- your technology
- your profile and how you use our products and services
- your preferences
- your correspondence and documents we hold
- the results of checks we are required by law to undertake and any relevant criminal convictions
SPECIAL CATEGORY DATA
Some personal data, for example data about your health or racial or ethnic origin, is subject to additional rights and is described as “special category data”.
We will not routinely ask for or record special category data but we may record details about your health if it is necessary and relevant for the management of the account(s) (e.g. so we can make reasonable adjustments to assist you in accessing and managing your account(s), which may include sending you information in braille or large print, or if we think you are experiencing circumstances which may lead you to be financially or otherwise vulnerable).
We will only do this if you have confirmed your explicit consent to us doing so, or where we are legally permitted or required to process this information without seeking your consent. Where we have obtained your consent to us processing special category data in this way, you are entitled to withdraw your consent to this at any time.
Please contact us if you wish to do so but that may affect our ability to manage your account in the most appropriate way for you. If you withdraw your consent, we will not continue to process this information for these purposes, but it will not impact the validity of any processing undertaken before you withdrew your consent.
HOW WE USE YOUR PERSONAL DATA
We will use your personal data to:
consider your application for a savings or other account, to provide and administer the account and any other products and services you have or apply for with us | This will include to: |
identify and prevent financial crime | This will include to: |
comply with our legal, contractual and regulatory obligations, codes of practice and to run our business | This will include to: |
develop and improve our products and services | This will include to: |
undertake analysis, produce models, statistics, reports and forecasts | This will include to: |
investigate and respond to queries, complaints, disputes and where necessary to bring or defend legal claims | This will include to: |
HOW WE USE YOUR PERSONAL DATA TO MAKE AUTOMATED DECISIONS
Sometimes we may use your personal data to make an automated decision (applicable to certain products only). These help to ensure that our decisions are quick, fair and efficient based on the data we have about you. The types of automated decisions we may make are:
- to check whether you meet the conditions required to open the account you have applied for;
- to check your identity; or
- to decide whether we will offer additional products and services or the opportunity to vary existing products or services and the terms of any such products, services or variation.
These automated decisions may also take into account details of any products you already have with the OSB Group.
You may ask us not to make automated decisions about you by contacting our Data Protection Officer, or ask us to review any automated decision that we have made taking account of any additional information you wish to provide to us.
CALL RECORDING AND MONITORING
We may record and/or monitor telephone calls with you for the following purposes:
- for security, quality and/or training;
- to confirm that we have complied with your instructions;
- to resolve or investigate any queries, complaints or claims;
- to comply with our legal obligations; or
- to prevent fraud or other criminal activities.
Call monitoring may include the use of automated technology to help us assess the quality of our calls (for example by identifying, through key words, calls to be reviewed manually). No automated decisions are made through the use of call monitoring technology.
MARKETING
We may contact you about products or services offered by post, electronic mail, telephone, SMS text messaging and any other online or interactive media if, when we collected your personal data, you consented to receive marketing communications or in certain circumstances have not opted out of marketing communications.
You can ask us to stop or start sending you marketing messages at any time by contacting us. You can also unsubscribe from electronic marketing communications by using the ‘unsubscribe’ function.
THE LEGAL GROUNDS WE RELY ON TO PROCESS YOUR PERSONAL DATA
Data protection law requires that we meet certain conditions before we are allowed to use your data in the manner described in this privacy notice. We rely on the following legal grounds in order to process your data:
Processing of your data is necessary for the performance of a contract you are party to or to take steps at your request prior to entering into a contract
When you open an account with us, you enter into a legal contract under which we provide banking services to you. We require certain personal data in order to establish a contractual relationship. For example, you provide information about yourself in application forms, without which we would be unable to identify you or verify your suitability for the services requested.
Processing of your data is necessary for compliance with a legal obligation which we are subject to
We are required to process certain personal data in order to comply with our legal and regulatory obligations including UK anti-money laundering regulations, for the purposes of ongoing fraud detection and reporting and to ensure the fair treatment of vulnerable customers.
We have obtained your consent
We may process certain information where you have provided your consent for us to do so. For example, you may provide us with your explicit consent to process certain special category data such as health data (for example, to inform us about hearing difficulties) where this assists us in providing services to you.
Where we rely upon your consent in order to process your personal data you may withdraw this consent at any time.
We may also provide you with certain marketing information including third party services or products where you have provided your consent for us to do so.
Processing your data is necessary to protect your vital interests or the vital interests of another person.
In exceptional circumstances we may also process information where this is necessary to protect you or another person and where you are physically or legally incapable of providing consent.
Processing of your data is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are outweighed by your interests, fundamental rights and freedoms
Personal data is processed where it is necessary for our legitimate interests including to help us manage our business and to analyse, assess and improve the viability and popularity of our products. It is also processed to enable us to respond to queries, complaints and for the establishment and defence of legal rights.
Personal data is shared with external Credit Reference Agencies (CRAs) and Fraud Prevention Agencies (FPAs).
THE LEGITIMATE INTERESTS BEING PURSUED BY US AND BY CRAS AND FPAS ARE:
Promoting responsible lending and helping to prevent over-indebtedness
“Responsible lending” means that lenders only sell products that are affordable and suitable for the borrowers’ circumstances. CRAs assist lenders to check that financial products are suitable, by providing personal data about potential borrowers, their financial associates where applicable, and their financial history.
Helping prevent and detect crime and fraud and anti-money laundering services and verify identity
CRAs and FPAs help lenders to comply with their legal and regulatory obligations and protect their businesses by providing identity, fraud detection / prevention and anti-money laundering services.
If it is determined that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the FPAs, and may result in others refusing to provide services, financing or employment to you.
You can contact us using the details below (see ‘Your rights’) to find out which CRAs and FPAs we share data with.
Supporting tracing and collections
CRAs provide services that support tracing and collections to recover debt, to reunite, or confirm an asset is connected with, the right person.
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail by each of the three CRAs – any of these links will also take you to the same Credit Reference Agency Information Notice (CRAIN):
- Experian: www.experian.co.uk/crain
- Equifax: www.equifax.co.uk/crain
- TransUnion: www.transunion.co.uk/crain
You should be aware that if you do not meet the obligations of any agreement with us, the availability of this information to credit reference agencies and therefore to other lenders may have a serious effect on your ability to obtain credit in the future.
WHO WE SHARE YOUR PERSONAL DATA WITH
We may share your personal information with any member of OSB Group, which means any subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We will only disclose your information to:
- business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
- providers of payment services such as Worldpay (privacy statement available on website);
- third party suppliers and service providers including providers of services in respect of anti-money laundering, fraud, verification, etc.;
- our affiliates and selected third parties so that they can contact you with details of the services that they provide, where you have opted-in/consented to the disclosure of your personal data for these purposes;
- providers of analytics that assist us in the improvement and optimisation of our services;
- any investor, potential investor, funder, purchaser in or of our business or any part of our business (including your mortgage) and their advisers;
- organisations involved in any finance transaction which we undertake or intend to;
- our regulators, law enforcement, credit reference agencies or fraud prevention agencies, as well as our legal advisors, courts and any other authorised bodies including for the purposes of investigating any actual or suspected criminal activity or other regulatory or legal matters, etc.;
- UK tax authorities, who may pass it on to other tax authorities in line with international agreements or treaties that may be in force.
We may disclose your personal information to third parties:
- if you require us to;
- in the event that we consider selling or buying any business or assets, in which case we will disclose your personal data to any prospective sellers or buyers of such business or assets;
- if we, or substantially all of our assets, are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets;
- in the event of any insolvency situation (e.g. the administration or liquidation) of OSB GROUP PLC or any of its group entities;
- in order to enforce or apply our website or service terms;
- to protect the rights, property, or safety of us, our staff, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of staff and customer safety, crime prevention, fraud protection and credit risk reduction; and
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or regulatory requirements, or otherwise for the prevention or detection of fraud or crime.
KENT RELIANCE PROVIDENT SOCIETY
Where applicable, information about Kent Reliance customers is also processed by Kent Reliance Provident Society. Kent Reliance Provident Society Limited is an industrial and provident society registered in England and Wales (registered with number 31056R) and whose registered office is Reliance House, Sun Pier, Chatham, Kent ME4 4ET. Processing of limited personal data of members is carried out by the Kent Reliance Provident Society for membership purposes and to facilitate periodical prize draws.
WHERE PERSONAL DATA IS PROCESSED
Information which you provide to us is stored on our secure servers located in the UK. However, data that we collect from you may be also transferred to, or processed in, a destination outside the UK. In particular, we have operations centres in India which access and process data and we engage some third parties that may store or process personal data outside of the UK. Your personal data may also be processed by staff operating outside the UK who work for us or for one of our suppliers. This includes staff engaged in the processing of your payment details and the provision of support services.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice. In particular, when personal data is processed outside of the UK, we will make sure appropriate safeguards are in place, in accordance with legal requirements, to protect the data.
In all cases these safeguards will include one of the following:
- Sending the data to a country that’s been approved by the UK Government as having a suitably high standard of data protection law.
- Putting in place a contract with the recipient containing terms approved by the UK authorities as providing a suitable level of protection.
FPAs may also allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the FPAs will ensure your data continues to be protected by ensuring appropriate safeguards are in place.
HOW LONG PERSONAL DATA IS KEPT FOR
We will retain information about you for the period necessary to fulfil the purposes for which the information was collected.
After that, we will anonymise or delete it. The retention period may vary depending on the purposes for which the information was collected.
Where a specific legal or regulatory requirement applies to your information we will retain it for at least the period of time specified in such legal or regulatory requirement. In the absence of a specific legal or regulatory requirement, we will usually retain your information for up to seven years following the end of your relationship with us or, in relation to certain mortgage lending, the closure of a specific mortgage account. However, we may occasionally be required to extend a retention period if the information is required for ongoing litigation, regulatory, tax or accounting purposes.
Please also note that FPAs can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
YOUR RIGHTS
You have a number of rights under data protection law in relation to the way we process your personal data. These are set out below:
Right | Description |
Right to be informed | A right to be informed about how we collect and use your personal data. |
Right of access | A right to access personal data held by us about you. |
Right to rectification | A right to require us to rectify any inaccurate personal data held by us about you. |
Right to erasure | A right to require us to erase personal data held by us about you. This right will only apply where (for example): we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based solely on your consent; or where you object to the way we process your data (in line with the right to object below). |
Right to restrict processing | In certain circumstances, a right to restrict our processing of personal data held by us about you. This right will only apply where (for example): you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but you still require the data for the purposes of dealing with legal claims. |
Right to data portability | In certain circumstances, a right to receive personal data, which you have provided to us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation, at your request. |
Right to object | A right to object to our processing of personal data held by us about you in certain circumstances (including where the processing is necessary for the purposes of the legitimate interests pursued by us or a third party). You also have the right to withdraw your consent, where we are relying on it to use your personal data; or ask us to stop processing your data for direct marketing purposes. |
Rights related to automated decision making including profiling | In certain circumstances, a right not to be subject to a decision based solely on automated processing (without any human involvement), including profiling. |
You may contact us using the details on our website (or by contacting our Data Protection team directly – details above) to exercise any of these rights. We will acknowledge, and normally action, a request received from you within one month from the date we receive the request. However, as outlined above some rights are restricted and we may not always be able to action your request.
If you have any concerns regarding our processing of your personal data, or are not satisfied with our handling of any request by you in relation to your rights, we would encourage you to contact us. You also have the right to make a complaint to the Information Commissioner’s Office (ICO):
First Contact Team, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Please call 0303 123 1113 or visit ico.org.uk/global/contact-us for up to date information on contacting the ICO.
SECURE ONLINE SERVICES
We use appropriate technical and organisational measures to protect the information we collect and process about you and our online services are provided using secure servers. We use Secure Sockets Layer (SSL) software to encrypt information, in order to protect your security.
We regularly review our systems and processes to ensure our online services are provided using secure servers; however, no Internet transmission can ever be guaranteed 100% secure. We recommend that you install, use and maintain up-to-date anti-virus, firewall and anti-spyware software on your computer to better protect yourself.
You must ensure that you log out of your account at the end of an online session (where applicable) and never leave your computer unattended when logged in.
USE OF COOKIES
Cookies are small text files that web servers can store on your computer’s hard drive when you visit a website. They allow the server to recognise you when you revisit the website and to tailor your web browsing experience to your specific needs and interests. If you wish to restrict or block the cookies which are set by us, you can do this through your internet browser settings or the cookies preference management tool on the relevant website.
Further information about our use of cookies can be found on each website.
LINKS TO THIRD PARTY WEBSITES
Our websites may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that they have their own privacy notice and we do not accept any responsibility or liability in relation to third party websites. Please check the relevant privacy notice before you submit any data to these websites.
CHANGES TO OUR PRIVACY NOTICE
We may update this privacy notice from time to time. Any changes we may make in the future will be posted on our websites and we recommend that you revisit the Privacy Policy page from time to time to stay informed about how we use your information.
Legal
Financial Services Compensation Scheme
Your eligible deposits held by a UK establishment of Charter Savings Bank are protected up to a total of £85,000 by the Financial Services Compensation Scheme, the UK’s deposit protection scheme. Any deposits you hold above the limit are unlikely to be covered. For further information, visit www.fscs.org.uk.