We take our obligations under data protection law very seriously and we’re committed to keeping your personal data secure. Data Protection law, including the Data Protection Act 2018 and UK General Data Protection Regulation (GDPR), imposes obligations on us as a “data controller” when we collect, hold, amend, share or otherwise use or erase/destroy (collectively referred to as “processing”) your personal data. It also gives you, as the “data subject”, rights over your personal data.
One such obligation is to process your personal data fairly, lawfully and in a transparent manner. This privacy notice is designed to help you understand what personal data we hold, why it is required, and how it is used. It also sets out some of your legal rights.
OSB GROUP PLC is the London Stock Exchange listed entity and parent company for a specialist lending and retail savings group of companies (OSB Group) including OneSavings Bank plc and Charter Court Financial Services Limited, which are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
In this privacy notice, the terms “we”, “our”, and “us” are used to refer to the relevant subsidiary/trading name and “data controller” for your personal data or, where applicable, to the OSB Group. Subsidiaries and our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006, may change from time to time and references to the OSB Group include successors in title and any other person who is for the time being entitled at law to the benefit of the mortgage or loan product. Subsidiaries and trading names in the OSB Group include:
We respect your right to privacy. If you have any questions or concerns about how we use your information, our Data Protection team will be happy to assist you. Please write to:
Group Data Protection Officer
OSB GROUP PLC
Alternatively, you can email us at: [email protected]
Please read the following carefully to understand our practices regarding your personal data and how it is processed.
This privacy notice explains how we will use the personal data of:
Each such person is referred to as “you” and “your” in this privacy notice.
We will receive personal data about you from a variety of sources including from you, other applicants, a mortgage intermediary acting for you, other persons who represent or advise you, your bank or building society, your employer and former employers, credit reference agencies, fraud prevention agencies, solicitors, valuers, persons working on our behalf, market researchers, local and national government, tax and law enforcement agencies and other companies within OSB Group. We may also obtain data about you that is publicly available such as from the electoral register, the internet, Companies House and the Land Registry.
We will also create personal data about you during the course of an application for a loan and the administration of any loan you have with us.
We may process a wide variety of data about you, where necessary, for the purposes set out in the “How We Use Your Data” section, including data about:
|you as an individual||
|people connected to you||
|your finances and the finances of any business you own or run||
|your accounts, products and services you have with us||
|your communication preferences||
|your correspondence and documents we hold||
|the results of checks we are required by law to undertake and any relevant criminal convictions||
Some personal data for example data about your health, racial or ethnic origin is subject to additional rights and are described as “special category data”.
We will not routinely ask for or record special category data but we may record details about your health if it is necessary and relevant for the management of the account (e.g. so we can make reasonable adjustments to assist you in accessing and managing your account(s), which may include sending you information in braille or large print, or if we think you are experiencing circumstances which may lead you to be financially or otherwise vulnerable).
We will only do this if you have confirmed your explicit consent to us doing so, or where we are legally permitted or required to process this information without seeking your consent. Where we have obtained your consent to us processing special category data in this way, you are entitled to withdraw your consent to this at any time. Please contact us if you wish to do so but that may affect our ability to manage your account in the most appropriate way for you. If you withdraw your consent, we will not continue to process this information for these purposes, but it will not impact the validity of any processing undertaken before you withdrew your consent.
We will use your personal data to:
|consider your application for a loan or decision in principle||
This will include to:
|manage our relationship with you, provide and administer the loan and other products and services you have with us||
This will include to:
|ensure that we have the information we need to consider your application or decision in principle and administer the account and ensure that other persons have the information they reasonably need||
This will include to:
|identify and prevent financial crime||
This will include to:
|comply with our legal, contractual and regulatory obligations, codes of practice and to run our business||
This will include to:
|develop and improve our products and services||
This will include to:
|undertake analysis, produce models, statistics, reports and forecasts||
This will include to:
|investigate and respond to queries, complaints, disputes and where necessary to bring or defend legal claims||
This will include to:
Sometimes we may use your personal data to make an automated decision (applicable to certain products only). These help to ensure that our decisions are quick, fair and efficient based on the data we have about you including data we receive from credit reference and fraud prevention agencies. The type of automated decisions we may make are:
These automated decisions may also take into account details of any products you already have with OSB Group and/or any assessment of your financial status and risks we have undertaken.
You may ask us not to make automated decisions about you by contacting our Data Protection Officer, or ask us to review any automated decision that we have made taking account of any additional information you wish to provide to us.
We may record and/or monitor telephone calls with you for the following purposes:
to prevent fraud or other criminal activities.
Call monitoring may include the use of automated technology to help us assess the quality of our calls (for example by identifying, through key words, calls to be reviewed manually). No automated decisions are made through the use of call monitoring technology.
We may contact you about products or services offered by post, electronic mail, telephone, SMS text messaging and any other online or interactive media if, when we collected your personal data, you consented to receive marketing communications or in certain circumstances have not opted out of marketing communications. You can ask us to stop or start sending you marketing messages at any time by contacting us. You can also unsubscribe from electronic marketing communications by using the ‘unsubscribe’ function.
Data protection law requires that we meet certain conditions before we are allowed to use your data in the manner described in this privacy notice. We rely on the following legal grounds in order to process your data:
When you open an account with us, you enter into a legal contract under which we provide mortgages or loans to you. We require certain personal data in order to establish a contractual relationship. For example, you provide information about yourself in application forms, without which we would be unable to identify you.
We are required to process certain personal data in order to comply with our legal and regulatory obligations including UK anti-money laundering regulations, for the purposes of ongoing fraud detection and reporting and to ensure the fair treatment of vulnerable customers.
We may process certain information where you have provided your consent for us to do so. For example, you may provide us with your explicit consent to process certain special category data such as health data (for example, to inform us about hearing difficulties) where this assists us in providing services to you.
Where we rely upon your consent in order to process your personal data you may withdraw this consent at any time.
We may also provide you with certain marketing information including third party services or products where you have provided your consent for us to do so.
In exceptional circumstances we may also process information where this is necessary to protect you or another person and where you are physically or legally incapable of providing consent.
Personal data is processed where it is necessary for our legitimate interests including to help us manage our business and to analyse, assess and improve the viability and popularity of our products. It is also processed to enable us to respond to queries, complaints and for the establishment and defence of legal rights.
Personal data is shared with external Credit Reference Agencies (CRAs) and Fraud Prevention Agencies (FPAs).
The legitimate interests being pursued by us and by CRAs and FPAs are:
“Responsible lending” means that lenders only sell products that are affordable and suitable for the borrowers’ circumstances. CRAs assist lenders to check that financial products are suitable, by providing personal data about potential borrowers, their financial associates where applicable, and their financial history.
CRAs and FPAs help lenders to comply with their legal and regulatory obligations and protect their businesses by providing identity, fraud detection / prevention and anti-money laundering services.
If it is determined that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the FPAs, and may result in others refusing to provide services, financing or employment to you.
You can contact us using the details below (see ‘Your rights’) to find out which CRAs and FPAs we share data with.
CRAs provide services that support tracing and collections to recover debt, to reunite, or confirm an asset is connected with, the right person.
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail from each of the three CRAs – any of these will also take you to the same Credit Reference Agency Information Notice (CRAIN):
You should be aware that if you do not meet the obligations of any agreement with us, the availability of this information to credit reference agencies and therefore to other lenders may have a serious effect on your ability to obtain credit in the future.
We may share your personal information with any member of OSB Group, which means any subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We will only disclose your information to:
Where applicable, information about Kent Reliance customers is also processed by Kent Reliance Provident Society. Kent Reliance Provident Society Limited is an industrial and provident society registered in England and Wales (registered with number 31056R) and whose registered office is Reliance House, Sun Pier, Chatham, Kent ME4 4ET. Processing of limited personal data of members is carried out by the Kent Reliance Provident Society for membership purposes and to facilitate periodical prize draws.
Information which you provide to us is stored on our secure servers located in the UK. However, data that we collect from you may be also transferred to, or processed in, a destination outside the UK. In particular, we have operations centres in India which access and process data and we engage some third parties that may store or process personal data outside of the UK. Your personal data may also be processed by staff operating outside the UK who work for us or for one of our suppliers.
This includes staff engaged in the processing of your payment details and the provision of support services. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice. In particular, when personal data is processed outside of the UK, we will make sure appropriate safeguards are in place, in accordance with legal requirements, to protect the data.
In all cases these safeguards will include one of the following:
FPAs may also allow the transfer of your personal data outside of the UK. This may be to a country where the UK
Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the FPAs will ensure your data continues to be protected by ensuring appropriate safeguards are in place.
We will retain information about you for the period necessary to fulfil the purposes for which the information was collected.
After that, we will anonymise or delete it. The retention period may vary depending on the purposes for which the information was collected.
Where a specific legal or regulatory requirement applies to your information we will retain it for at least the period of time specified in such legal or regulatory requirement. In the absence of a specific legal or regulatory requirement, we will usually retain your information for up to seven years following the end of your relationship with us or, in relation to certain mortgage lending, the closure of a specific mortgage account. However, we may occasionally be required to extend a retention period if the information is required for ongoing litigation, regulatory, tax or accounting purposes.
Please also note that FPAs can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
You have a number of rights under data protection law in relation to the way we process your personal data.
These are set out below:
|Right to be informed||A right to be informed about how we collect and use your personal data.|
|Right of access||A right to access personal data held by us about you.|
|Right to rectification||A right to require us to rectify any inaccurate personal data held by us about you.|
|Right to erasure||A right to require us to erase personal data held by us about you. This right will only apply where (for example): we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based solely on your consent; or where you object to the way we process your data (in line with the right to object below).|
|Right to restrict processing||In certain circumstances, a right to restrict our processing of personal data held by us about you. This right will only apply where (for example): you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but you still require the data for the purposes of dealing with legal claims.|
|Right to data portability||In certain circumstances, a right to receive personal data, which you have provided to us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation, at your request.|
|Right to object||A right to object to our processing of personal data held by us about you in certain circumstances (including where the processing is necessary for the purposes of the legitimate interests pursued by us or a third party). You also have the right to withdraw your consent, where we are relying on it to use your personal data; or ask us to ask us to stop processing your data for direct marketing purposes.|
|Rights related to automated decision making including profiling||In certain circumstances, a right not to be subject to a decision based solely on automated processing (without any human involvement), including profiling.|
You may contact us using the details on our website (or by contacting our Data Protection team directly – details above) to exercise any of these rights. We will acknowledge, and normally action, a request received from you within one month from the date we receive the request. However, as outlined above some rights are restricted and we may not always be able to action your request.
If you have any concerns regarding our processing of your personal data, or are not satisfied with our handling of any request by you in relation to your rights, we would encourage you to contact us. You also have the right to make a complaint to the Information Commissioner’s Office (ICO):
First Contact Team
Information Commissioner’s Office
Please call 0303 123 1113 or visit ico.org.uk/global/contact-us for up to date information on contacting the ICO.
We use appropriate technical and organisational measures to protect the information we collect and process about you and our online services are provided using secure servers. We use Secure Sockets Layer (SSL) software to encrypt information, in order to protect your security.
We regularly review our systems and process to ensure our online services are provided using secure servers, however, no Internet transmission can ever be guaranteed 100% secure. We recommend that you install, use and maintain up-to-date anti-virus, firewall and anti-spyware software on your computer to better protect yourself.
You must ensure that you log out of your account at the end of an online session (where applicable) and never leave your computer unattended when logged in.
Cookies are small text files that web servers can store on your computer’s hard drive when you visit a website. They allow the server to recognise you when you revisit the website and to tailor your web browsing experience to your specific needs and interests. If you wish to restrict or block the cookies which are set by us, you can do this through your internet browser settings or the cookies preference management tool on the relevant website.
Our websites may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that they have their own privacy notice and we do not accept any responsibility or liability in relation to third party websites. Please check the relevant privacy notice before you submit any data to these websites.