Privacy Notice – Intermediaries
June 2023
INTRODUCTION
We take our obligations under data protection law very seriously and we’re committed to keeping your personal data secure.
Data Protection law, including the Data Protection Act 2018 and UK General Data Protection Regulation (GDPR), imposes obligations on us as a “data controller” when we collect, hold, amend, share or otherwise use or erase/destroy (collectively referred to as “processing”) your personal data. It also gives you, as the “data subject”, rights over your personal data.
One such obligation is to process your personal data fairly, lawfully and in a transparent manner. This privacy notice is designed to help you understand what personal data we hold, why it is required, and how it is used. It also sets out some of your legal rights.
ABOUT US
OSB GROUP PLC is the London Stock Exchange listed entity and parent company for a specialist lending and retail savings group of companies (OSB Group) including OneSavings Bank plc and Charter Court Financial Services Limited, which are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
In this privacy notice, the terms “we”, “our”, and “us” are used to refer to the relevant subsidiary/trading name and “data controller” for your personal data or, where applicable, to the OSB Group. Subsidiaries and our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006, may change from time to time and references to the OSB Group include successors in title and any other person who is for the time being entitled at law to the benefit of the mortgage or loan product. Subsidiaries and trading names in the OSB Group include:
- 5D Finance Limited
- Broadlands Finance Limited
- Charter Court Financial Services Group PLC
- Charter Court Financial Services Limited
- Charter Mortgages Limited
- Exact Mortgage Experts Limited
- Guernsey Home Loans Limited
- Heritable Development Finance Limited
- Interbay Asset Finance Limited
- Interbay Funding Limited
- Interbay ML Limited
- Jersey Home Loans Limited
- Kent Reliance
- Kent Reliance Property Loans
- OneSavings Bank PLC
- Precise Mortgages
- Prestige Finance Limited
- Reliance Property Loans Limited
- Rochester Mortgages Limited
We respect your right to privacy. If you have any questions or concerns about how we use your information, our Data Protection team will be happy to assist you. Please write to:
Group Data Protection Officer
OSB GROUP PLC
OSB House, Quayside, Chatham Maritime, ME4 4QZ
Alternatively, you can email us at: [email protected]
Please read the following carefully to understand our practices regarding your personal data and how it is processed.
WHO THIS PRIVACY NOTICE APPLIES TO
This privacy notice explains how we will use the personal data of employees and representatives of mortgage intermediaries and mortgage intermediaries which are sole traders operating in their own name and not, for example, through a limited company. Each such person is referred to as “you” and “your” in this privacy notice. Mortgage intermediaries include:
- firms providing mortgage advice or information on loans and mortgages to our borrowers or potential borrowers (Mortgage Advisers)
- firms operating as a mortgage club of which a Mortgage Adviser is a member (Mortgage Club)
- firms with a network of appointed representatives (Networks)
- firms providing services to Mortgage Advisers, Networks and Mortgage Clubs which includes distributing our products or submitting applications to us on their behalf (Packagers)
- firms which package secured second charge mortgage loan applications on our behalf (Master Brokers).
Those words in brackets have the meanings above in this privacy notice and:
“Mortgage Business” means the business of and activities involved in you introducing borrowers to us in relation to our products and related matters including the submission of applications to us, requests for decisions in principle, requests for variations to existing loans and informal enquiries you make as to potential borrowers’ eligibility for a loan or a mortgage.
“Connected Firms” means firms connected with you, the firm which employs you or you represent, it’s or your Network or Mortgage Club and any Packager it or you use.
HOW WE OBTAIN PERSONAL DETAILS
We will receive personal data about you from a variety of sources including from:
- you;
- your employees/employer and representatives;
- Connected Firms;
- from borrowers and potential borrowers from us;
- your representatives or advisers,
- fraud prevention agencies;
- solicitors and persons working on our behalf;
- market researchers;
- law enforcement agencies, and
- other companies within the OSB Group.
We will also generate personal data about you during the course of receiving Mortgage Business and managing our relationship with you and Connected Firms. We may also obtain data about you that is publicly available such as from the Electoral Register, the Internet and Companies House.
THE TYPES OF PERSONAL DATA WE USE
We may process a wide variety of data about you, where necessary, for the purposes set out in the “How we use your personal data” section, including data about:
You as an individual |
|
Information identifying you |
|
Connected Firms |
|
Payment details | Bank account details (account name, number and sort code) for the payment of fees due |
the Mortgage Business you have submitted to us |
|
Your preferences | Whether you wish to receive marketing from us |
Your technology | Device identifiers including IP address |
Your profile and relationship with us |
|
SPECIAL CATEGORY DATA
Some personal data for example data about your health, racial or ethnic origin is subject to additional rights and are described as special category data. We will not normally ask for or record any special category data.
We will only do this if you have confirmed you consent to us doing so, or where we are legally permitted or required to process this information without seeking your consent. You are not contractually required to provide this information, and it will not impact on the functioning of any relationship between us. Where we have obtained your consent to us processing special category data you are entitled to withdraw your consent to our processing of this information at any time and you should contact us to do that.
HOW WE USE YOUR PERSONAL DATA
We use information held about you in the following ways:
Process the Mortgage Business that you submit to us or are submitted to us on your behalf and to administer any loans we subsequently make |
This will include to:
|
Manage and build our relationship with you and Connected Firms |
This will include to:
|
Identify and prevent financial crime |
This will include to:
|
Comply with our legal, contractual and regulatory obligations, codes of practice and to run our business |
|
Develop and improve our products and services |
This will include to:
|
Undertake analysis, produce models, statistics, reports and forecasts |
This will include to:
|
To investigate and respond to complaints, disputes and where necessary to bring or defend legal claims |
This will include to:
|
HOW WE USE YOUR PERSONAL DATA TO MAKE AUTOMATED DECISIONS
Sometimes we may use your personal data to make an automated decision (applicable in certain circumstances only). These help to ensure that our decisions are quick, fair and efficient based on the personal data we have about you. The type of automated decisions we make are about how we manage our relationship with you and Connected Firms. For example, which products and services we offer which we think may be of interest to you or Connected Firms.
These automated decisions may also take into account details of any products you already have procured for your clients with members of OSB Group.
You may ask us not to make automated decisions about you by contacting our Data Protection Officer, or ask us to review any automated decision that we have made taking account of any additional information you wish to provide to us.
CALL RECORDING
We may record and/or monitor telephone calls with you for the following purposes:
- For security, quality and/or training purposes;
- To confirm that we have complied with your instructions;
- To resolve or investigate any queries;
- To comply with our legal obligations, or
- To prevent fraud or other criminal activities.
MARKETING
We may contact you about products or services offered by post, electronic mail, telephone, SMS text messaging and any other online or interactive media if, when we collected your personal data, you consented to receive marketing communications or in certain circumstances have not opted out of marketing communications.
You can ask us to stop or start sending you marketing messages at any time by contacting us. You can also unsubscribe from electronic marketing communications by using the ‘unsubscribe’ function.
THE LEGAL GROUNDS WE RELY ON TO PROCESS YOUR PERSONAL DATA
Data protection laws require that we meet certain conditions before we are allowed to use your data in the manner described in this privacy notice. We rely on the following legal grounds in order to process your data:
We have obtained your consent
- We may process certain information where you have provided your consent for us to do so. For example, you may provide us with your explicit consent to process certain special category data such as health data (for example, to inform us about hearing difficulties) where this assists in managing our relationship with you.
- Where we rely upon your consent in order to process your personal data you may withdraw this consent at any time.
- We may also provide you with certain marketing information including third party services or products where you have provided your consent for us to do so.
Processing of your data is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are outweighed by your interests, fundamental rights and freedoms
- Personal data is processed where it is necessary for our legitimate interests including to help us manage our business and to analyse, assess and improve the viability and popularity of our products. It is also processed to enable us to respond to queries, complaints and for the establishment and defence of legal rights.
Processing of your data is necessary for compliance with a legal obligation which we are subject to
- We are required to process certain personal data in order to comply with our legal and regulatory obligations including UK anti-money laundering regulations, for the purposes of ongoing fraud detection and reporting and to ensure the fair treatment of vulnerable customers.
WHO WE SHARE YOUR PERSONAL DATA WITH
We may share your personal information with any member of OSB Group, which means any subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We will only disclose your information to:
- business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
- our affiliates and selected third parties, where you have consented to receiving marketing from us/third parties;
- third party suppliers, service providers and/or legal advisers to the extent they assist us with our legal/regulatory obligations;
- selected third parties so that they can contact you with details of the services that they provide, where you have expressly opted-in/consented to the disclosure of your personal data for these purposes;
- analytics and search engine providers that assist us in the improvement and optimisation of our site and other selected third parties;
- any investor, potential investor, funder, purchaser in or of our business or any part of our business and their advisers;
- our regulators, law enforcement bodies, credit reference agencies, fraud prevention agencies, the courts or any other authorised bodies, to the extent that we are legally required to.
We may disclose your personal information to third parties:
- if you require us to;
- in the event that we consider selling or buying any business or assets, in which case we may disclose your personal data to any prospective sellers or buyers of such business or assets;
- if we, or substantially all of our assets, are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets;
- in the event of any insolvency situation (e.g. the administration or liquidation) of OSB GROUP PLC or any of its group entities;
- in order to enforce or apply our website or service terms;
- to protect the rights, property, or safety of us, our staff, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of staff and customer safety, crime prevention, fraud protection and credit risk reduction; and
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or regulatory requirements, or otherwise for the prevention or detection of fraud or crime.
WHERE PERSONAL DATA IS PROCESSED
Information which you provide to us is stored on our secure servers located in the UK. However, data that we collect from you may be also transferred to, or processed in, a destination outside the UK. In particular, we have operations centres in India which access and process data and we engage some third parties that may store or process personal data outside of the UK. Your personal data may also be processed by staff operating outside the UK who work for us or for one of our suppliers. This includes staff engaged in the processing of your payment details and the provision of support services.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice. In particular, when personal data is processed outside of the UK, we will make sure appropriate safeguards are in place, in accordance with legal requirements, to protect the data.
In all cases these safeguards will include one of the following:
- Sending the data to a country that’s been approved by the UK Government as having a suitably high standard of data protection law.
- Putting in place a contract with the recipient containing terms approved by the UK authorities as providing a suitable level of protection.
HOW LONG IS YOUR DATA KEPT FOR
We will retain information about you for the period necessary to fulfil the purposes for which the information was collected. After that, we will anonymise or delete it. The retention period may vary depending on the purposes for which the information was collected.
Where a specific legal or regulatory requirement applies to your information we will retain it for at least the period of time specified in such legal or regulatory requirement. In the absence of a specific legal or regulatory requirement, we will usually retain your information for up to seven years. The legal limitation period for bringing legal claims is six years where the claim arises from a simple contract.
YOUR RIGHTS
You have a number of rights under data protection law in relation to the way we process your personal data. These are set out below:
Right | Description |
Right to be informed | A right to be informed about how we collect and use your personal data. |
Right of access | A right to access personal data held by us about you |
Right to rectification | A right to require us to rectify any inaccurate personal data held by us about you. |
Right to erasure | A right to require us to erase personal data held by us about you. This right will only apply where (for example): we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based solely on your consent; or where you object to the way we process your data (in line with the right to object below). |
Right to restrict Processing | In certain circumstances, a right to restrict our processing of personal data held by us about you. This right will only apply where (for example): you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but you still require the data for the purposes of dealing with legal claims. |
Right to data portability | In certain circumstances, a right to receive personal data, which you have provided to us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation, at your request. |
Right to object | A right to object to our processing of personal data held by us about you in certain circumstances (including where the processing is necessary for the purposes of the legitimate interests pursued by us or a third party). You also have the right to withdraw your consent, where we are relying on it to use your personal data; or ask us to ask us to stop processing your data for direct marketing purposes. |
Rights related to automated decision making including profiling | In certain circumstances, a right not to be subject to a decision based solely on automated processing (without any human involvement), including profiling. |
You may contact us using the details on our website (or by contacting our Data Protection team directly – details above) to exercise any of these rights. We will acknowledge, and normally action, a request received from you within one month from the date we receive the request. However, as outlined above some rights are restricted and we may not always be able to action your request.
If you have any concerns regarding our processing of your personal data, or are not satisfied with our handling of any request by you in relation to your rights, we would encourage you to contact us. You also have the right to make a complaint to the Information Commissioner’s Office (ICO):
First Contact Team
Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
Please call 0303 123 1113 or visit ico.org.uk/global/contact-us for up to date information on contacting the ICO.
SECURE ONLINE SERVICES
We use appropriate technical and organisational measures to protect the information we collect and process about you and our online services are provided using secure servers. We use Secure Sockets Layer (SSL) software to encrypt information, in order to protect your security.
We regularly review our systems and process to ensure our online services are provided using secure servers, however, no Internet transmission can ever be guaranteed 100% secure. We recommend that you install, use and maintain up-to-date anti-virus, firewall and anti-spyware software on your computer to better protect yourself.
You must ensure that you log out of your account at the end of an online session (where applicable) and never leave your computer unattended when logged in.
USE OF COOKIES
Cookies are small text files that web servers can store on your computer’s hard drive when you visit a website. They allow the server to recognise you when you revisit the website and to tailor your web browsing experience to your specific needs and interests. If you wish to restrict or block the cookies which are set by us, you can do this through your internet browser settings or the cookies preference management tool on the relevant website.
Further information about our use of cookies can be found on each website.
LINKS TO THIRD PARTY WEBSITES
Our websites may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that they have their own privacy notice and we do not accept any responsibility or liability in relation to third party websites. Please check the relevant privacy notice before you submit any data to these websites.
CHANGES TO OUR PRIVACY NOTICE
We may update this privacy notice from time to time. Any changes we may make in the future will be posted on our websites and we recommend that you revisit the Privacy Policy page from time to time to stay informed about how we use your information.