This is the privacy notice for the British Business Bank plc, which has been written in accordance with UK data protection laws to explain what personal data we process and why.
Date last updated: 11 January 2024
1. Who we are
1.1 The British Business Bank plc (BBB, the Bank, we or us) is a government-owned business development bank with the aim to drive sustainable growth and prosperity across the UK, and to enable the transition to a net zero economy, by supporting access to finance for smaller businesses. Find out more about our objectives.
1.2 BBB is a public limited company owned by the UK Government; it is registered in England and Wales, registration number 08616013, at Steel City House, West Street, Sheffield, S1 2GQ. BBB is not a banking institution and does not operate as such and is not authorised or regulated by the Prudential Regulation Authority (PRA) or the Financial Conduct Authority (FCA).
1.3 BBB plc is also the holding company of the group operating under the trading name British Business Bank, which consists of different entities, including the companies listed below, which are also shown on our legal corporate structure chart.
Organisation Name | Company No. |
---|---|
British Patient Capital Holdings Ltd | 11270966 |
British Business Investments Ltd | 09091930 |
British Patient Capital Limited | 11271076 |
British Business Financial Services Ltd | 09174621 |
British Business Finance Ltd | 08616013 |
The Start-Up Loans Company | 08117656 |
British Business Aspire Holdco Ltd | 09091928 |
Capital For Enterprise Limited | 06179047 |
1.4 We process Personal Data to help achieve our objectives and have registered BBB and its subsidiaries with the Information Commissioner on the Register of Fee Payers (reference no. ZA084015).
1.5 This privacy notice covers the processing carried out by BBB and its subsidiaries except for those with specific privacy notices, which are accessible by clicking on the links below:
1.6 For the purposes of this privacy notice, the terms:
- “DBT” refers to the Department for Business and Trade.
- “Beneficiaries of BBB programmes” means a third party, usually a Small or Medium Sized Enterprise (SME) or sole trader who has received funding via a BBB programme for their business.
- “Customers” means the individuals who contact us, for example, to make requests for information, sign up to our mailing list, or to make a complaint. We are not a banking institution and therefore do not have account customers.
- “Delivery Partner” means any third party that delivers a BBB programme. Information about our Delivery Partners can be found on our website under the Programmes header.
- “Personal Data” as defined in UK GDPR “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
2. Why we process Personal Data
2.1 The table below shows the Bank’s activities that process Personal Data, the types of Personal Data, the categories of data subject, and the lawful basis for processing.
A. Information that you provide to us
No. | Purpose | Personal Data Processed | Lawful Basis |
---|---|---|---|
1 | Applying for a job or secondment, internship or being engaged as a contractor | We need your name, address, employment history, and whether you currently have the right to work in the UK or if you would require sponsorship in order to obtain that right. | Art. 6(1)(b) performance of a contract |
| | | Background checks are completed for all candidates that receive an offer of employment. We use employment agencies to carry out these checks on our behalf, which include Disclosure and Barring Service (DBS) checks, credit checks, employment references, proof of address, and online presence and social media screening. | Art. 6(1)(e) to comply with legal obligations of the Equality Act 2010 |
| | | For some roles, for example: Non-Executive Directors and Executive Committee members, we also complete a directorship check. | Art. 9(2)(b) and the Data Protection Act Schedule 1, Part 1(1) for special category data relating to our employment obligations |
| | | If you become an employee, our employee privacy notice will then apply. | Art. 6(1)(e) public task |
| | | Data subjects: applicants | Art. 9(2)(g) with the Data Protection Act Schedule 1 part 2 paragraph 6(2)(a) for criminal offence information. |
2 | Contacting us (enquiries, complaints) | We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you. | Art. 6(1)(e) public task |
| | | Data subjects: applicants, delivery partners, loan recipients, business contacts, suppliers, general public | |
3 | Requesting information under the Freedom of Information Act, or Data Protection Act | We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you. | Art. 6(1)(c) legal obligation |
| | | Data subjects: requestors | |
4 | Attending an event or workshop, collecting your business contact details, taking photographs or video of you | We may need your name, organisation and contact details to book your place or attendance. | Art. 6(1)(a) consent where the information you provide is optional |
| | | When we organise or attend events, we may also collect your business card or contact details for the purpose of adding you to our contacts list, so that we can email you about future events or to send you marketing materials. | Art. 6(1)(e) public task to achieve our objectives |
| | | We always try to tell you of our intention when we collect the information and you can unsubscribe at any time from any marketing (see Section 8). | |
| | | When we organise events, we may take photographs or video recordings at the venue. We will always tell you of our intention to create photos/videos, and give you the option to opt out of being photographed or filmed. These photos/videos may be used on the Bank’s webpage, social media channels or in printed/electronic reports we publish. These photos/videos may also be shared with and used by our official event partners. | |
| | | Data subjects: business contacts, delivery partners, loan recipients, suppliers, fund managers, sole traders | |
5 | Responding to a survey or market research | We usually need your name and contact details, especially if you want us to share the results. | Art. 6(1)(a) consent where the information you provide is optional |
| | | Depending on the market research, you may also choose to provide us with more information, for example your own experiences, opinions, gender, ethnicity, etc. | Art. 6(1)(e) public task to achieve our objectives |
| | | Data subjects: business contacts, delivery partners, loan recipients, fund managers, suppliers | Art. 9(2)(a) consent where special category data is provided, e.g. gender, ethnicity, health, etc. |
6 | Signing up to our newsletter and communications | We usually need your name and email address. Your information will be added to a database or contacts lists, so that you will receive the newsletters. | Art. 6(1)(a) consent where the information you provide is optional |
| | | You can unsubscribe at any time from any marketing (see Section 8). | |
| | | Data subjects: business contacts, delivery partners, loan recipients, fund managers, suppliers, general public, sole traders | |
7 | Providing details for case studies | We need your name and contact details to develop the case study about your/your company’s experience. | Art. 6(1)(a) consent |
| | | Data subjects: business contacts, delivery partners, loan recipients, investors, fund managers, suppliers, employees | |
8 | Finance Hub interactive tool and newsletter | The Finance Hub provides an online 6 step interactive tool for you to enter information about your business to help find what finance options are available (region, sector, amount, reason for finance, profit and assets). | Art. 6(1)(a) consent |
| | | The information entered is not personal data nor is it captured by the Bank; however, you can subscribe to the Finance Hub newsletter if you want to receive information about our latest guides, events and case studies, to support your business. | |
| | | When you subscribe, you will provide your name and email address, which will be added to our database / contacts lists, so as to send the newsletters. | |
| | | You can unsubscribe at any time (see Section 8). | |
| | | Data subjects: businesses, sole traders, business contacts, prospective borrowers | |
B. Information we collect or obtain for or through our programmes
3. Automated decision making
3.1 We do not currently make any automated decisions about individuals. It is possible, however, that an automated decision or profiling may occur with cookies and other similar technologies that are enabled on our websites. If you believe you have been subject to automated decision making or profiling, you have the right to contact us and ask for a manual review (see Section 11 for contact details).
4. How we safeguard personal data
4.1 We will keep Personal Data secure by taking appropriate technical and organisational measures to protect it against unauthorised or unlawful processing, loss, destruction, or damage.
4.2 We have controls in place to maintain the security of our information and information systems, which may include encryption, information classification, anonymisation, and pseudonymisation. Our files are protected with safeguards according to the sensitivity of the relevant information and access controls are placed on our computer systems. Physical access to areas where Personal Data is gathered, processed, or stored is limited to authorised employees.
4.3 BBB employees are required to follow all applicable laws and regulations, including data protection laws. Access to Special Category Data (sensitive Personal Data) is limited to those who need it to perform their roles. Unauthorised use or disclosure of Personal Data is prohibited and may result in disciplinary measures.
4.4 When you contact us about a matter, you may be asked for some Personal Data, to help us verify your identity and entitlement to the Personal Data we hold.
5. How long we keep personal data
5.1 We keep Personal Data for as long as necessary for the purpose for which it is processed. We typically keep information for a minimum of seven years from the last action (e.g. file closure, contract end, etc.), but in the case of State aid programmes (i.e. Covid-19 loan schemes, the Recovery Loan Scheme and the Growth Guarantee Scheme), information is expected to be kept for a minimum of 10 years.
6. Where we transfer personal data to
6.1 Personal data is predominantly stored in the UK or the European Union; however, where we process Personal Data elsewhere we shall ensure it is protected and transferred in a manner consistent with legal requirements and in accordance with adequacy agreements and / or appropriate safeguards (i.e. International Data Transfer Agreements).
7. Sharing personal data
7.1 We may share your Personal Data within the Bank and its subsidiaries for the purposes described above.
7.2 We may share your Personal Data with Government departments, public-sector bodies and other associated organisations for the purpose of programme administration, market analysis, research and data analysis and analytics, including, but not limited to: HMRC, DBT, Cabinet Office, HM Treasury, UK Finance, Financial Conduct Authority, Prudential Regulation Authority, NATIS, National Crime Agency, Bank of England, Office of National Statistics.
7.3 We may also share your Personal Data with our Delivery Partners for the purpose of delivering our programmes. Our website provides details of our programmes and key delivery partners.
7.4 We may also share Personal Data if we are required or permitted to do so by applicable law, regulation or legal process, including (but not limited to): HMRC for payroll or tax purposes; the Financial Conduct Authority, Financial Ombudsman Service and Information Commissioner’s Office as independent Regulators; the Health and Safety Executive to report health and safety matters; and the UK Government and / or the European Commission to comply with the UK’s international subsidy reporting requirements and / or State aid laws.
7.5 We may also share Personal Data with law enforcement or other government officials to help prevent or detect crime or apprehend or prosecute offenders; when we believe disclosure is necessary to prevent physical harm or financial loss to us, or one of our subsidiaries, colleagues or stakeholders as required or permitted by law; to establish, exercise or defend our legal rights; or in connection with an investigation of suspected or actual fraud, illegal activity, or any security matters.
7.6 Where we contract any part of our business operations or functions that involve the processing of Personal Data, we have contractual clauses to ensure the Personal Data is processed in accordance with data protection requirements. Our contracted providers include (but are not limited to) IT and communication providers; market research; data analysis; accountants; auditors; debt collection etc. A list of our key contracted providers is available on Contracts Finder.
7.7 We will also share data from the Covid-19 loan schemes, the Recovery Loan Scheme, the Growth Guarantee Scheme and the Future Fund Scheme (and any other of our programmes, where appropriate to do so) with DBT, other government departments, law enforcement agencies, regulatory bodies and other relevant stakeholders for the prevention and detection of crime, in particular fraud, to investigate specific cases as well as to enable data analytics to attempt to discover possible or as yet undetected fraudulent or other criminal behaviour, patterns or trends against public authorities and public money (i.e. Section 56 of the Digital Economy Act 2017, Section 68 of the Serious Crime Act 2007).
7.8 Where legally required, we will share information relating to individual Covid-19, Recovery Loan Scheme and Growth Guarantee Scheme loans (which may include amongst other details the identity of the borrowers and size of loan) with the European Commission under the State aid Temporary Framework and the approval for the ‘Covid-19 Temporary Framework for UK Authorities’. The European Commission will make this information publicly available on its State aid transparency public search website. For each of the Bounce Back Loan Scheme, the Coronavirus Business Interruption Loan Scheme and the Coronavirus Large Business Interruption Loan Scheme, there is a requirement to report and publish information on individual aid exceeding €100,000, or exceeding €10,000 if the Borrower operates in the agriculture or fisheries sectors. Please note, the ‘aid amount’ includes the loan, the fees and interest payments the Government has paid on behalf of the borrower for the first 12 months of the loan.
7.9 Where legally required, we will also share information relating to individual Covid-19, Recovery Loan Scheme and Growth Guarantee Scheme loans (which may include amongst other details the identity of the borrowers and size of loan) on the UK’s public transparency database to enable compliance with the UK’s international subsidy reporting requirements with regards to the UK-EU Trade and Co-operation Agreement, World Trade Organization Agreement on Subsidies and Countervailing Measures and other Free Trade Agreements.
8. Marketing
8.1 We may use your Personal Data to provide you with marketing information that you request or that we consider may interest you, by post, email and/or telephone (including SMS) as follows:
- If you are an existing customer or have taken steps to become a customer by using our websites or contacting us, we may contact you by post, email and/or telephone (including SMS) with information about products and services which are similar to those we previously provided to you, unless, at the time we collect your contact information, you have indicated that you do not want to receive marketing information; or
- If you are a new customer, we may contact you by post, email and/or telephone (including SMS) if you have consented to receiving such information.
8.2 We do not buy or sell Personal Data for marketing purposes.
8.3 We operate an integrated communications programme, which means we use your Personal Data to communicate with you through several different channels, including direct mail and email. Our aim is to keep you up to date with information you have expressed an interest in.
8.4 If you no longer wish to receive marketing communications from us, you can ‘opt out’ of them at any time. You will be able to change your preferences by clicking on the relevant link at the bottom of any marketing emails you may receive. You may also ask us at any time not to use your Personal Data for marketing purposes by contacting us via the methods listed in the ‘How to contact us’ section below.
9. Confidential information
9.1 We are a public body and subject to the Freedom of Information Act 2000 (FOIA). The FOIA provides people the right to request access to recorded information and we are obliged to disclose the information unless an FOIA exemption applies. Section 40 of the FOIA provides an exemption to the disclosure of personal data and, although it is not absolute, the exemption applies where the disclosure would contravene data protection.
10. Data Protection Rights
10.1 Data protection provides rights to data subjects; these rights are listed below and you can exercise them by contacting us using the details in Section 11.
Term | Meaning |
---|---|
Consent | If we are processing your Personal Data on the basis of consent, for example you have subscribed to our mailing list, you have the right to withdraw your consent at any time and expect us to carry out your wishes promptly. |
The right of access | The right to request access to the Personal Data we hold about you, subject to exceptions. |
The right to object | Where you have actively provided your consent for us to process your Personal Data, the right to withdraw your consent at any time, for example to be removed from our marketing lists. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason (other than consent) for doing so. |
The right of data portability | In some circumstances, the right to receive some Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit such data to a third party where this is feasible. Please note that this right only applies to Personal Data which you have provided to us. |
The right to rectification | In some circumstances, the right to receive some Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit such data to a third party where this is feasible. Please note that this right only applies to Personal Data which you have provided to us. |
The right to erasure | The right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data where we are legally entitled to retain it. |
The right to restrict processing | The right to request that we restrict our processing of your Personal Data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your Personal Data where we are legally entitled to refuse that request. |
Automated decision making and profiling | The right to know what automated decisions are made about you and the reasons why and to ask for a manual review of that decision if it affects your legal rights or other equally important matters. The right to object to profiling in certain situations, for example direct marketing. |
10.2 Data protection rights are not always absolute and where we cannot fulfil the request, we will explain why. For general information about data rights, see the Information Commissioner’s website.
11. Contacting Us
11.1 If you have any questions or comments regarding how we handle your Personal Data, you can contact us or our Data Protection Officer at [email protected] or write to the British Business Bank, Steel City House, West Street, Sheffield, S1 2GQ.
11.2 If, after speaking to us regarding any of the ways we use your Personal Data, you wish to make a complaint, you can do so by contacting the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or see their website for alternative contact details.