Privacy Notice

We need your name, address, employment history, and whether you currently have the right to work in the UK or if you would require sponsorship in order to obtain that right.

Background checks are completed for all candidates that receive an offer of employment. We use employment agencies to carry out these checks on our behalf, which include Disclosure and Barring Service (DBS) checks, credit checks, employment references, proof of address, and online presence and social media screening.

For some roles, for example: non-executive directors and executive committee members, we also complete a directorship check.

If you become an employee, our employee privacy notice will then apply.

Data Subjects: Job Applicants.

Art. 6(1)(b) performance of a contract

Art. 6(1)(e) public task

Art. 6(1)(e) to comply with legal obligations of the Equality Act 2010

Art. 9(2)(b) and the Data Protection Act 2018 Schedule 1, Part 1(1) for special category data relating to our employment obligations

Art. 9(2)(g) with the Data Protection Act Schedule 1 part 2 paragraph 6(2)(a) for criminal offence information.

We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you. We may also need documentation from you or the relevant Delivery Partner, to enable us to verify your identity.

Data Subjects: Funding Applicants, Delivery Partners, Funding Recipients, business contacts, Service Providers, general public.

We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you. We may also need documentation from you or the relevant Delivery Partner, to enable us to verify your identity.

Data Subjects: requestors.

We may need your name, organisation and contact details to book your place or attendance to an event or workshop.

Where we chair panels or host events, we may ask guest speakers or participants to provide us with a short biography to include in programme materials. 

When we organise or attend events, we may also collect your business card or contact details for the purpose of adding you to our contacts list, so that we can email you about future events or to send you direct marketing.

We always try to tell you of our intention when we collect the information, and you can unsubscribe at any time from any direct marketing (see Section 8 below).

When we organise events, we may take photographs or video recordings at the venue. We will always tell you of our intention to create photos/videos and give you the option to opt out of being photographed or filmed. These photos/videos and other Personal Data (such as names) may be used on the Bank’s webpage, social media channels, mailers or in printed/electronic reports we publish. These photos/videos may also be shared with and used by our official event partners.

Data Subjects: business contacts, Delivery Partners, Funding Applicants, Funding Recipients, Service Providers.

Art. 6(1)(a) consent

Art. 6(1)(e) public task

We usually need your name and contact details, especially if you want us to share the results with you.

Depending on the market research, you may also choose to provide us with more information, for example your own experiences, opinions and special category Personal Data, such as gender and ethnicity.

Data Subjects: business contacts, Delivery Partners, Funding Applicants, Funding Recipients, Service Providers.

Art. 6(1)(a) consent

Art. 6(1)(e) public task

Art. 9(2)(a) consent where special category data is provided, e.g. gender, ethnicity, health, for one or more specified purposes.

We usually need your name and email address. Your information will be added to a database or contacts lists, so that you will receive the newsletters.

You can unsubscribe at any time from any direct marketing (see Section 8 below).

Data Subjects: business contacts, Delivery Partners, Funding Applicants, Funding Recipients, Service Providers, general public.

We need your Personal Data (such as name, contact details and photos) to develop case studies about your/your company’s experience of one or more of our Programmes.

Data Subjects: business contacts, Delivery Partners, Funding Recipients, Service Providers.

Most of our debt, equity and guarantee Programmes are delivered to businesses through third party Delivery Partners.

In the event we engage with prospective Delivery Partners who provide Personal Data (such as names, titles, contact information and business addresses) to us, such information may be stored and shared internally for the purpose of reporting activity.

Applying to be a Delivery Partner

To become a Delivery Partner, you are required to express an interest and go through a selection and accreditation process.

We need as a minimum, information about you and your company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth of you and key personnel within your company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest).

We use the information provided to assess your application, carry out Due Diligence (see ‘Know Your Customer/ Due Diligence’ below) and to complete relevant procurement contracts.

Throughout the course of the Bank’s relationship with Delivery Partners

With respect to Programmes that are delivered to businesses through fund managers, we process the Personal Data of such fund managers throughout our relationship with them (such as their names and contact details) in order to contact them, to monitor usage of relevant web portals, to provide information to strategic oversight / advisory boards and to satisfy KYC/AML processes.

We also collect information in respect of gender and diversity of fund managers and investee companies.

Data Subjects: prospective Delivery Partners, Delivery Partners, business contacts.

Art. 6(1)(a) consent

Art. 6(1)(e) public task

Art. 6(1)(c) legal obligation to protect public money under the Anti-Money Laundering Regulations

Processing diversity information under Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment.

When you express an interest and/or apply for one of our Programmes, we will process your Personal Data (e.g., your name, address, contact details, company name and role). The contact details submitted by a Funding Applicant will be used to get in touch with them regarding their application. Should you progress to the due diligence stage, we will process further Personal Data as set out in “Know Your Customer/ Due Diligence” below.

As part of the application process for certain Programmes, the Bank commissioned Cifas to create and host a database to enable Delivery Partners to check for duplicate applications and update the status of a loan application to help prevent fraud. Cifas is a not-for-profit fraud prevention service that aims to detect, deter, and prevent fraud.

Additional public body or law enforcement information is added to the Cifas duplicate account database where it is deemed appropriate for counter-fraud purposes. The Bank may share the Cifas data with UK Government departments, Delivery Partners, Service Providers and law enforcement agencies to help prevent and detect crime and apprehend and prosecute offenders and carry out, where appropriate fraud analytics (see section 7.5 below).

Data Subjects: Funding Applicants, prospective Funding Recipients, Delivery Partners, Service Providers, business contacts.

Art. 6(1)(e) public task

Art. 6(1)(c) legal obligation

Delivery Partners collect information from successful Funding Applicants for the purpose of managing the relevant Programme and a subset of such information is provided to the Bank. Such Personal Data collected may include names, any trading names, registered addresses/addresses, postcodes, company registration numbers, type of business and turnover, which in the case of sole traders, is likely to constitute Personal Data.

The Bank may use information received from Delivery Partners for analytical and administrative purposes, to contact or make enquiries about a Funding Applicant/Funding Recipient, for fraud prevention or in response to law enforcement requests. Further, the Bank may share such information with the UK Government (including DBT), the European Commission or other state, supranational or public body any of the Bank’s affiliates, advisers, agents or supplierrs including professional advisers, auditors and consultants, processing agents, Delivery Partners and Service Providers of the Bank and its affiliates, UK Government departments and Devolved Administrations (including but not limited to the National Audit Office, Office for National Statistics, HM Treasury and DBT) and other politicians or government members (i.e. ministers).

Where required, details of any finance awarded under the relevant Programme (Funding Recipient details and loan amount, for example) will be shared with the European Commission and/or the UK Government and published on the Subsidy Control and/or State aid databases (see sections 7.8 - 7.10).

Data Subjects: Funding Recipients, Delivery Partners, business contacts.

Art. 6(1)(e) public task

Art. 6(1)(c) legal obligation

We will process your Personal Data when you express an interest in one of our Programmes (e.g. your name, contact details, company name, and role).

If you proceed to the formal proposal and due diligence stages, we will also need to process information about your fund and fund management company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth of you and key personnel within your company (e.g. partners, lead contacts, directors, shareholders/ ownership structures, and individuals with a controlling interest).

At proposal stage, we will carry out KYC checks (See the Know Your Customer Due Diligence section below).

Additionally, we may request business contact details for the senior management of companies as part of the process to obtain references about prospective fund managers, and the other limited partners.

We also collect information in respect of gender and diversity of our fund managers and investee companies. We will continue to process information throughout our relationship with the fund manager, which will include Personal Data.

Data Subjects: company representatives, directors, beneficial owners

Art. 6(1)(e) public task

Art. 6(1)(c) legal obligation to protect public money under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended)

Processing diversity information under Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment

 British Business Bank plc and its subsidiaries are not banking institutions and do not operate as such. With the exception of BBB Investment Services Limited, they are not authorised or regulated by the Prudential Regulation Authority or the Financial Conduct Authority. BBB Investment Services Limited is authorised and regulated by the Financial Conduct Authority. British Business Investments Ltd and British Patient Capital Limited are supervised by the FCA for anti-money laundering purposes only.

The Due Diligence process for our different Programmes with respect to Funding Applicants and Delivery Partners may vary. Generally, we will use names, ID and address documentation, dates of birth and, where relevant, publicly available information and / or proprietary databases to obtain information about Funding Applicants and their key personnel (such as directors and beneficial owners) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism, and anti-money laundering measures.

Additionally, we may request business contact details for senior management of companies in other portfolios as part of the process to obtain references about prospective fund managers, and the other limited partners in a funding round.

We also collect information in respect of gender and diversity of our fund managers and investee companies.

Data Subjects: prospective Delivery Partners, prospective Funding Recipients, company representatives, directors, beneficial owners, sole traders, job applicants.

Art. 6(1)(e) public task

Art. 6(1)(c) legal obligation to protect public money under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017

Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment

In monitoring investment opportunities and the performance of our Programmes and portfolios, we will process Personal Information (such as names, contact details, employment history, nationality, business names and related details, beneficial ownership information, home address, address documentation, salary, bank account details and source of funds) related to Funding Recipients, Delivery Partners, investors, fund managers, investee companies and potential investee companies.

We may provide Personal Data (such as the name, contact details address and identification documents of a Funding Recipient and/or its representatives) to Service Providers (including those who are responsible for contacting the foregoing to recover outstanding debt and/or investigate an insolvency and research companies undertaking market research and economic evaluations on our behalf) and to UK Government agencies as part of regular reporting.

We may carry out due diligence using publicly available information and/or proprietary databases in order to obtain information about Funding Recipients and their key personnel and may use such information to monitor risks related to the relevant Programme. We may also use publicly available information and/or proprietary databases to assess programme performance.

We also manage legacy direct investments, where the shareholdings have transferred to us, and we will continue to process all the relevant information for the life of the investment.

Data Subjects: Funding Recipients, Delivery Partners, investors, fund managers, investee companies, potential investee companies, partnerships, business contacts.

Art. 6(1)(c) legal obligation

Art. 6(1)(e) public task

The Bank is committed to the Investing in Women Code and related activities to support the advancement of female entrepreneurship.

The Bank supports the Code by hosting the online form that organisations use to apply to commit to the Code. The online form captures the personal data of the organisation’s representative who will act as a lead contact. The Personal Data includes the contact’s name, job title, email address and telephone number as well as the name and address of the organisation they represent. Similar Personal Data is also captured of individuals attending Emerging Female Investor Office Hours. Details of female entrepreneurs are also captured on application forms that are reviewed by our Invest in Women Committee.

The details submitted via the online form are shared with DBT which administers the Code and their privacy notice is available at great.gov.uk/privacy-and-cookies/. DBT shares information with the Bank regarding the Code’s take up to help analyse trends in lending and investments to women entrepreneurs, but the information is aggregated and does not identify any individuals.

Data Subjects: business contacts, individual subscribers.

We may process Personal Data as part of our work to develop, test, improve and evaluate our systems and processes.

The Personal Data processed will vary according to the specific activity but will always be the minimum necessary.

Data Subjects: Funding Recipients, Delivery Partners, Service Providers, business contacts, employees.

Art. 6(1)(c) legal obligation

Art. 6(1)(e) public task

We process Personal Data (such as names and contact details) every day to deliver our services, which includes complying with our policies; communicating with employees, internal committees and stakeholders, managing our employees and Service Providers; carrying out our legal, financial and regulatory duties, as well as our governance, risk management and audit functions.

The Personal Data processed will vary according to the specific activity but will be the minimum necessary.

Data Subjects: Funding Applicants, Funding Recipients, Delivery Partners, business contacts, employees, Service Providers.

Art. 6(1)(c) legal obligation

Art. 6(1)(e) public task

We collect details of your visits to our websites and the resources that you access (which may include, amongst other things; traffic data and communication data) for the purpose of improving our website performance, system administration and to evaluate use of our websites.

The British Business Bank website is the parent website, but we also have websites for

The Start-Up Loans Company

Future Fund

Northern Powerhouse Investment Fund

Midlands Engine Investment Fund

Cornwall and Isles of Scilly Investment Fund

We use cookies and similar technologies to distinguish you from other users of these sites. Further information about the cookies used is available in the cookie policy linked in the footer of each of our websites.

Data Subjects: website users.

We may commission market research to better understand the finance markets or how our Programmes have been received, the impact they are making or how we can deliver services to smaller businesses or the different segments of the market, for example looking at equality.

We may commission a provider to carry out surveys or consultations on our behalf who will then provide us with aggregated anonymous results.

On some occasions, we may be required to give the provider Personal Data to enable the initial contact to be made to determine if you are willing to take part in the survey or consultation.

Data Subjects: Funding Recipients, Delivery Partners, business contacts, employees, Service Providers.

We analyse the data we hold to report on performance, forecast trends, and help inform our decision making.

The analysis will include personal data, for example when processing the data held about our Programmes, for example the names and registered addresses of sole traders, limited partnerships, fund managers, but also unique reference numbers such as company reference number that may allow persons associated with the company to be identified.

We also process special category data to help us understand the gender and ethnicity make up of our fund managers and Delivery Partners, to report to and contact signatories of the Investing in Women Code and to monitor the meeting of the Bank’s environmental, social and governance objectives.

We aim to use the minimum personal data necessary in our analysis and, where possible, report aggregated data.

We also import data from Companies House and the Office for National Statistics (ONS) for the purpose of enriching the information we have about the beneficiary companies supported through the various debt/equity and guarantee funds. This data includes Personal Data in the form of sole trader names and registered addresses. The use of Companies House data allows us to identify incorporation date and company status. The use of ONS data and beneficiary company postcode allows us to identify the corresponding Region, District, Constituency and Electoral ward which is then used to represent geospatial demographics.

In addition, for certain Programmes, the Bank has commissioned third parties to carry out data analytics for estimated credit losses or potential fraud, which involves the processing of Personal Data.

Data Subjects: Funding Recipients, Delivery Partners, business contacts.

Art. 6(1)(e) public task

Processing diversity information under Art.9(2)(g) substantial public interest

We have CCTV cameras in the Sheffield and London office areas, primarily at access points, such as the entrances and exits to the premises and in certain restricted areas.

The cameras process the images of individuals (no audio recordings).

The cameras are in place for the personal safety of our staff and visitors to our sites, to assist in identifying, apprehending, and prosecuting any offenders on our premises, to protect the Bank’s buildings and assets and those of its staff from intrusion, theft, vandalism, damage, or disruption, and may also be used to assist in grievances, formal complaints and investigations, and for the defence of the Bank or its employees with regards to legal or insurance claims.

CCTV recordings are held for 30 days before being automatically overwritten.

Data Subjects: employees, visitors, Service Providers’ representatives.

We may process the Personal Data of Delivery Partners, Service Providers and/or other third parties who provide their consent for their Personal Data (e.g., names, addresses and business details) to be published on one or more of the Bank’s internal communications channels.

Data Subjects: Delivery Partners, Service Providers, other third-parties.