Privacy Notice

We understand the importance of data security and privacy and are committed to protecting Personal Data in accordance with the Data Protection Act 2018 and UK General Data Protection Regulation.

This privacy notice aims to explain what Personal Data we process and why.

We will review this notice on a regular basis to keep it up to date.

Date last updated: 03.08.2021

Topics covered in our Privacy Notice:

  1. Who we are
  2. Why we process Personal Data
  3. Automated decision making
  4. How we safeguard Personal Data
  5. How long we keep Personal Data
  6. Where we transfer Personal Data to
  7. Sharing Personal Data
  8. Marketing
  9. Subscribing to the Finance Hub newsletter
  10. Confidential Information
  11. Data subject rights under data protection legislation
  12. Contacting us
      1. Who we are

        1. 1.1 The British Business Bank plc (BBB, the Bank, we or us) is the controller for the Personal Data it processes, unless otherwise stated. We are a registered controller with the Information Commissioner’s Office (reference no. ZA084015) and our registered address is Steel City House, West Street, Sheffield, S1 2GQ.
        2. 1.2 The Bank is a UK Government economic development bank which aims to make finance markets work better so smaller businesses across the UK can prosper and grow. A link to our objectives can be found here.
        3. 1.3 The Bank is a public limited company (company number 08616013) and wholly owned by HM Government. It is also the holding company of the group operating under the trading name British Business Bank. A copy of our legal structure can be found here, but for reference:
          Organisation Name | Company No.
          British Patient Capital Holdings Ltd | 11270966
          British Business Investments Ltd | 09091930
          British Patient Capital Limited | 11271076
          British Business Financial Services Ltd | 09174621
          British Business Finance Ltd | 08616013
          The Start-Up Loans Company | 08117656
          British Business Aspire Holdco Ltd | 09091928
          Capital For Enterprise Limited | 06179047
          Capital For Enterprise Fund Managers Limited | 06826072
        4. 1.4 This privacy notice covers the processing carried out by the Bank and its subsidiaries except for those with specific privacy notices, which are accessible by clicking on the links below:
        5. 1.5 Neither the Bank nor any of its subsidiaries is authorised or regulated by the Prudential Regulation Authority (PRA) or the Financial Conduct Authority (FCA) because we are not a banking institution and do not operate as such.
        6. 1.6 For the purposes of this privacy notice, the term:
          • “BEIS” means the Department for Business, Energy and Industrial Strategy.
          • “Beneficiaries of BBB programmes” means a third party, usually a Small or Medium Sized Enterprise (SME) or sole trader who has received funding via a BBB programme for their business.
          • “Customers” means the individuals who contact us, for example, to make requests for information, sign up to our mailing list, or to make a complaint. We are not a banking institution and therefore do not have account customers.
          • “Delivery Partner” means any third party that delivers a BBB programme. Information about our Delivery Partners can be found on our website under the Programmes header.
          • “Personal Data” means any data which relates to a living individual who can be identified from that data or from other information which is in the possession of, or is likely to come into the possession of, the Bank (or its representatives, service providers or Partners). In addition to factual information, it includes any expression of opinion about an individual and any indication of the intentions of the Bank or any other person in respect of an individual.
      2. Why we process Personal Data

        1. 2.1 Our objective is to make finance markets work better for smaller businesses across the UK at all stages of their development: starting up, scaling up and staying ahead.  To do this, we process Personal Data that you may provide to us directly or which we collect from third parties or from our websites.
          1. Information that you provide to us.

            No. | Purpose | Personal Data Processed | Lawful Basis
            1 | Applying for a job or secondment, internship or being engaged as a contractor | We need your name, address, employment history, and whether you currently have the right to work in the UK or if you would require sponsorship in order to obtain that right.

            Background checks are completed for all candidates that receive an offer of employment. We use employment agencies to carry out these checks on our behalf, which include Disclosure and Barring Service (DBS) checks, credit checks, employment references, proof of address, and online presence and social media screening.

            For some roles, for example: Non-Executive Directors and Executive Committee members, we also complete a directorship check.

            If you become an employee, our employee privacy notice will then apply.
            Article 6(1)(b) processing to take steps prior to entering into a contract

            Article 9(2)(b) and the Data Protection Act Schedule 1, Part 1(1) for special category data relating to our employment obligations

            Article 6(1)(c) to comply with legal obligations of the Equality Act 2010

            Article 6(1)(e) processing under public task, and Article 9(2)(g) with the Data Protection Act Schedule 1 part 2 paragraph 6(2)(a) for criminal offence information.
            2 | Make an enquiry or complaint | We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you. | Article 6(1)(e) processing under public task
            3 | Make an information request under the Freedom of Information Act, Environmental Information Regulations or data protection law | We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you. | Article 6(1)(c) legal obligation
            4 | Attending an event or workshop, collecting your business contact details | We may need your name, organisation and contact details to book your place or attendance.

            When we organise or attend events, we may also collect your business card or contact details for the purpose of adding you to our contacts list, so that we can email you about future events or to send you marketing materials.

            We always try to tell you of our intention when we collect the information and you can unsubscribe at any time from any marketing (see Section 8).
            Article 6(1)(a) consent where the information you provide is optional

            Article 6(1)(e) processing under public task to achieve our objectives
            5 | Responding to a survey or market research | We usually need your name and contact details, especially if you want us to share the results.

            Depending on the market research, you may also choose to provide us with more information, for example your own experiences, opinions, gender, ethnicity, etc.
            Article 6(1)(a) consent where the information you provide is optional

            Article 6(1)(e) processing under public task to achieve our objectives

            Article 9(2)(a) consent where special category data is provided, e.g. gender, ethnicity, health, etc.
            6 | Subscribing to a mail newsletter | We usually need your name and email address. Your information will be added to a database or contacts lists, so that you will receive the newsletters.

            You can unsubscribe at any time from any marketing (see Section 8).
            Article 6(1)(a) consent where the information you provide is optional
            7 | Applying to be a Delivery Partner (see definition at 1.6) | Most of our debt, equity and guarantee programmes are delivered to businesses through third party Delivery Partners (e.g. Enable Funding, Venture Capital, Regional Funds, and Covid-19 Loan Schemes).

            To become a Delivery Partner, you are required to express an interest and go through a selection and accreditation process.

            We need as a minimum, information about you and your company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth of you and key personnel within your company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest).

            We use the information provided to assess your application and carry out Due Diligence.

            As part of the Due Diligence, we will use publicly available information and / or proprietary databases to obtain information about the company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures.
            Article 6(1)(e) processing under public task

            Article 6(1)(c) processing under legal obligation to protect public money under the Anti-Money Laundering Regulations
            8 | Direct investment | When companies are in scope of a direct investment, we will carry out a due diligence and accreditation process.

            We may process Personal Data about you and your company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth, of you and key personnel within your company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest).

            As part of the Due Diligence, we will use publicly available information and / or proprietary databases to obtain information about the company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures.

            Following the completion of the investment, we shall continue to process information throughout the relationship.

            We also collect information in respect of gender and diversity of portfolio companies.

            We also manage legacy direct investments, where the shareholdings have transferred to us, and we will continue to process all the relevant information for the life of the investment.
            Article 6(1)(e) processing under public task

            Article 6(1)(c) processing under legal obligation to protect public money under the Anti-Money Laundering Regulations

            Processing diversity information under
            Article 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment
            9 | Future Fund Scheme | The Future Fund Scheme is managed through an agreement between BEIS and British Business Financial Services Limited.

            We collect or obtain Personal Data from or about nominated business contacts under the Future Fund Scheme.

            Under the Scheme, applications from an individual may provide information (including Personal Data) on behalf of other related individuals e.g., lead investor or nominated business contacts on behalf of syndicate members or a Chief Financial Officer acting on behalf of a business management team, solicitors, directors, shareholders, etc. The information includes names, signatures, addresses, contact details, proof of identity, as well as financial information.

            We will ask the individual providing the information to confirm they have the agreement of the others to do so.

            We have contracted with external auditors to carry out due diligence on the applications, investee companies and investors, to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures.

            The Personal Data is processed for analytical and administrative purposes, for fraud prevention or in response to law enforcement requests, for reporting to the UK Government, or other state, supranational or public body or to contact or make enquiries about a loan applicant.

            As part of its commitment to signing HM Treasury’s Investing in Women Code, the Future Fund will supply HM Treasury with statistics on founder gender.

            We also ask for and publish diversity information about the companies that have obtained investment.

            We will continue to process information throughout our relationship with the company i.e., for the period whilst the loan is outstanding or holds shares in the capital of the company.

            We will share Future Fund information with BEIS and other third parties where appropriate, see Section 7.

            We will share Future Fund information with debt collection agencies to establish and exercise our contractual rights and to recover debts on our behalf.

            We will also publish the names of the companies that convert the Future Fund loan into equity.
            Article 6(1)(e) processing under public task

            Processing diversity information under
            Article 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment
            10 | Providing details for case studies | We need your name and contact details to develop the case study about your/your company’s experience. | Article 6(1)(a) consent
          2. Information we collect or obtain for or through our programmes

            No. | Purpose | Personal Data Processed | Lawful Basis
            1 | Enable Guarantee and Enable Funding | The Enable Guarantee and Enable Funding programme is managed by British Business Financial Services Limited on behalf of BEIS.

            We engage Delivery Partners to deliver the programmes.

            Prospective Delivery Partners will express their interest and provide information about the company including contact names and email addresses. If the application goes to formal proposal, we will carry out Due Diligence as part of the ‘Applying to be a Delivery Partner process’ (see Section 1.6).

            We will continue to process information throughout our relationship with the Delivery Partner.
            Article 6(1)(e) processing under public task
            2 | Enterprise Finance Guarantee (EFG) | The Enterprise Finance Guarantee programme is managed by British Business Financial Services Limited on behalf of BEIS.

            Prospective Delivery Partners will express their interest and provide information about the company including contact names and email addresses. If the application goes to formal proposal, we will carry out Due Diligence as part of the ‘Applying to be a Delivery Partner process’ (see Section 1.6).

            Delivery Partners collect information from the successful EFG loan applications for the purpose of managing the scheme and assessing its take up, effectiveness, and losses.

            The Personal Data processed includes: borrowing company name, trading name, registered address or office, postcode, company registration number if relevant, type of business, loan amount, turnover, loan status, etc., which in the case of sole traders is likely to be Personal Data.

            We will continue to process information throughout our relationship with the Delivery Partner.
            Article 6(1)(e) processing under public task
            3 | Regional Funds | The Regional Funds are managed by British Business Financial Services Limited on behalf of BEIS.

            We manage three regional funds acting as the Fund of Fund Managers: Northern Powerhouse Investment Fund, Midlands Engine Investment Fund, and Cornwall and Islands of Scilly Investment Fund.

            The Funds are delivered to businesses through a network of Fund Managers, which were appointed through a tender exercise.

            We process Personal Data of the fund managers, which are corporate entities. As part of the tender process, Due Diligence was carried out as part of the ‘Applying to be a Delivery Partner process’ (see Section 1.6).

            We will continue to process information throughout our relationship with the Fund Managers, which will include the name and email addresses for the Fund Managers.

            We also collect information in respect of gender and diversity of fund managers and investee companies.
            Article 6(1)(e) processing under public task

            Processing diversity information under
            Article 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment
            4 | Venture Solutions | We engage Fund Managers to invest venture capital into small and medium sized enterprises (e.g. Enterprise Capital Funds Programme).

            Fund Managers apply to be a Delivery Partner and will provide information about the company including contact names and email addresses. If the application goes to formal proposal, we will carry out Due Diligence as part of the ‘Applying to be a Delivery Partner process’ (see Section 1.6).

            We will continue to process information throughout our relationship with the Fund Manager.

            We also collect information in respect of gender and diversity of fund managers and investee companies.
            Article 6(1)(e) processing under public task

            Processing diversity information under
            Article 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment
            5 | Covid-19 loan schemes | The Covid loans are delivered through one of the Bank’s subsidiaries: British Business Financial Services Limited.

            We collect information from our Delivery Partners in respect of the Coronavirus Business Interruption Loan Scheme (CBILS), Coronavirus Large Business Interruption Loan Scheme (CLBILS), and the Bounce Back Loan Scheme (BBLS) for analytical and administrative purposes, for fraud prevention or in response to law enforcement requests, for reporting to the UK Government, European Commission, or other state, supranational or public body or to contact or make enquiries about a loan applicant.

            Delivery Partners must provide us with a subset of the loan application information from every successful application i.e. approved loan, including: name of the borrower, any trading name, registered address or office, postcode, company registration number if relevant, type of business, loan amount, turnover, loan status, etc., which in the case of sole traders is likely to be Personal Data.

            Delivery Partners will also provide information in respect of business interruption payments and the status of the loans and we have contracted PricewaterhouseCoopers to provide operational support to the loan schemes.

            We will share loan data with BEIS, its agents and auditors, any of our affiliates, advisers, agents or contractors including professional advisers and consultants, auditors and advisers, processing agents, fund managers, Delivery Partners and companies providing services to the Bank and its affiliates, Government departments and Devolved Administrations (including but not limited to the National Audit Office, Office for National Statistics, HM Treasury and BEIS), other politicians or government members (i.e. ministers) and relevant third parties for analytical and administrative purposes, to evaluate the effectiveness of the schemes and the potential costs and losses.

            We have contracted with PricewaterhouseCoopers and other third parties to carry out data analytics for estimated credit losses or potential fraud, which will involve the processing of Personal Data.

            As part of the Bounce Back Loan Scheme application process, the Bank commissioned Cifas to create and host a database to enable Delivery Partners to check for duplicate applications and update the status of a loan application to help prevent fraud. Cifas is a not-for-profit fraud prevention service that aims to detect, deter, and prevent fraud.

            Additional public body or law enforcement information is added to the Cifas duplicate account database where it is deemed appropriate for counter-fraud purposes. The Bank will share the Cifas data with government departments and law enforcement agencies to help prevent and detect crime and apprehend and prosecute offenders and carry out, where appropriate, fraud analytics (see Sections 7.5 and 7.7).

            Where required, details of the loan awarded (Recipient and loan amount, for example), will be shared with the European Commission and/or the UK Government and published on the state aid transparency databases (see Sections 7.8 and 7.9).
            Article 6(1)(e) processing under public task

            Article 6(1)(c) reporting to the European Commission
            6 | Covid-19 Recovery Loan Scheme | The Recovery Loan Scheme is delivered through one of the Bank’s subsidiaries: British Business Financial Services Limited.

            We collect information from our Delivery Partners in respect of the Scheme for analytical and administrative purposes, for fraud prevention or in response to law enforcement requests, for reporting to the UK Government, European Commission, or other state, supranational or public body or to contact or make enquiries about a loan applicant.

            Delivery Partners must provide us with a subset of the loan application information from every successful application i.e. approved loan, including: name of the borrower, any trading name, registered address or office, postcode, company registration number if relevant, type of business, loan amount, turnover, loan status, etc., which in the case of sole traders is likely to be Personal Data.

            Delivery Partners will also provide information in respect of the status of the loans and we have contracted PricewaterhouseCoopers to provide operational support to the scheme.

            We will share loan data with BEIS, its agents and auditors, any of our affiliates, advisers, agents or contractors including professional advisers and consultants, auditors and advisers, processing agents, fund managers, Delivery Partners and companies providing services to the Bank and its affiliates, Government departments and Devolved Administrations (including but not limited to the National Audit Office, Office for National Statistics, HM Treasury and BEIS), other politicians or government members (i.e. ministers) and relevant third parties for analytical and administrative purposes, to evaluate the effectiveness of the schemes and the potential costs and losses as well as data fraud analytics (see Sections 7.5 and 7.7).

            Where required, details of the loan awarded (Recipient and loan amount, for example), will be shared with the European Commission and/or the UK Government and published on the state aid transparency databases (see Sections 7.8 and 7.9).
            Article 6(1)(e) processing under public task

            Article 6(1)(c) reporting state aid to the European Commission and/or to the UK Government
          3. General Business Activities

            No. | Purpose | Personal Data Processed | Lawful Basis
            1 | Business Improvements | We may process Personal Data as part of our work to develop, test, improve and evaluate our systems and processes.

            The Personal Data processed will vary according to the specific activity, but will always be the minimum necessary.
            Article 6(1)(c) processing under legal obligation

            Article 6(1)(e) processing under public task
            2 | Business Management & Operations | We process Personal Data every day to deliver our services, which includes complying with our policies; communicating with colleagues and stakeholders, managing our employees, contractors and suppliers; carrying out our legal, financial and regulatory duties, as well as our governance, risk management and audit functions.

            The Personal Data processed will vary according to the specific activity, but will be the minimum necessary.
            Article 6(1)(c) processing under legal obligation

            Article 6(1)(e) processing under public task
            3 | Cookies and website | We collect details of your visits to our websites and the resources that you access (which may include, amongst other things, traffic data and communication data) for the purpose of improving our website performance, system administration and to evaluate use of our websites.

            The British Business Bank website is the parent website, but we also have websites for

            British Business Investments
            British Patient Capital
            The Start-Up Loans Company
            The Finance Hub
            Recruitment Portal
            Future Fund
            Northern Powerhouse Investment Fund
            Midlands Engine Investment Fund
            Cornwall & Isles of Scilly Investment Fund

            We use cookies and similar technologies to distinguish you from other users of these sites. Further information about the cookies used is available in our Cookie Policies.
            Article 6(1)(a) consent for the cookies that are not strictly necessary
            4 | Market Research | We may commission market research to better understand the finance markets or how our programmes have been received or how we can deliver services to smaller businesses or the different segments of the market, for example looking at equality.

            We may commission a provider to carry out surveys or consultations on our behalf who will then provide us with aggregated anonymous results.

            On some occasions, we may be required to give the provider Personal Data to enable the initial contact to be made to determine if you are willing to take part in the survey or consultation.
            Article 6(1)(f) processing is in our legitimate interests
            5 | Data Analysis / Visualisation | We analyse the data we hold to report on performance, forecast trends, and help inform our decision making.

            The analysis will include personal data, for example when processing the data held about the loan and investment schemes and programmes, for example the names and registered addresses of sole traders, limited partnerships, fund managers, but also unique reference numbers such as company reference number that may allow persons associated with the company to be identified.

            We also process special category data to help us understand the gender and ethnicity make up of our fund managers and delivery partners and improve our approach to Environmental, Social and Governance.

            We aim to use the minimum personal data necessary in our analysis and, where possible, report aggregated data.

            We also import data from Companies House and Office for National Statistics (ONS) for the purpose of enriching the information we have about the beneficiary companies supported through the various debt/equity and guarantee funds. This data includes personal data in the form of sole trader names and registered addresses. The use of Companies House allows us to identify incorporation date and company status. The use of ONS data and beneficiary company postcode allows us to identify the corresponding Region, District, Constituency and Electoral ward which is then used to represent geospatial demographics.
            Article 6(1)(e) processing under public task

            Processing diversity information under
            Article 9(2)(g) substantial public interest and Data
      3. Automated decision making

        1. We do not currently make any automated decisions about you; however, it is possible that automated decisions or profiling occur through cookies and other similar technologies that are enabled on our websites. If you believe you have been subject to automated decision making or profiling, you have the right to contact us and ask for a manual review (please see our contact details in Section 11).
      4. How we safeguard personal data

        1. 4.1 We will keep Personal Data secure by taking appropriate technical and organisational measures to protect it against unauthorised or unlawful processing, loss, destruction, or damage.
        2. 4.2 We have extensive controls in place to maintain the security of our information and information systems, which include encryption, information classification, anonymisation, and pseudonymisation.  Client files are protected with safeguards according to the sensitivity of the relevant information and access controls are placed on our computer systems. Physical access to areas where Personal Data is gathered, processed, or stored is limited to authorised employees.
        3. 4.3 The Bank’s employees are required to follow all applicable laws and regulations, including in relation to data protection laws. Access to Special Category Data (sensitive Personal Data) is limited to those who need it to perform their roles. Unauthorised use or disclosure of Personal Data is prohibited and may result in disciplinary measures.
        4. 4.4 When you contact us about a matter, you may be asked for some Personal Data, to help us verify your identity and entitlement to the Personal Data we hold.
      5. How long we keep personal data

        1. 5.1 We keep Personal Data for as long as necessary for the purpose for which it is processed.  We typically keep information for a minimum of six  years from the last action (e.g. file closure, contract end, etc.), but in the case of State aid programmes (i.e. Covid-19 loan schemes), information is expected to be kept for a minimum of 10 years.
      6. Where we transfer personal data to

        1. 6.1 We do not routinely transfer Personal Data to, or store it, outside the European Economic Area (“EEA”).
        2. 6.2 If we do transfer Personal Data outside of the EEA, we shall ensure that it is protected and transferred in a manner consistent with legal requirements and in accordance with adequacy agreements and / or additional safeguards (i.e. contractual clauses).
      7. Sharing personal data

        1. 7.1 We may share your Personal Data within the Bank and its subsidiaries for the purposes described above.
        2. 7.2 We may share your Personal Data with Government departments, public-sector bodies and other associated Partner organisations for the purpose of scheme administration, market analysis, research and data analysis and analytics, for example including, but not limited to: HMRC, BEIS, Cabinet Office, HM Treasury, UK Finance, Financial Conduct Authority, Prudential Regulation Authority, NATIS, National Crime Agency, Bank of England, Office for National Statistics.
        3. 7.3 We may also share your Personal Data with our Delivery Partners for the purpose of delivering our programmes.  Our website provides details of our programmes and key delivery partners.
        4. 7.4 We may also share Personal Data if we are required or permitted to do so by applicable law, regulation or legal process, for example including (but not limited to)  HMRC for payroll or tax purposes; Financial Conduct Authority, Financial Ombudsman Service, Information Commissioner’s Office as independent Regulators; Health and Safety Executive to report health and safety matters; with the UK Government and / or the European Commission to comply with the UK’s international subsidiary reporting requirements and / or State aid laws.
        5. 7.5 We may also share Personal Data with law enforcement or other government officials to help prevent or detect crime or apprehend or prosecute offenders; when we believe disclosure is necessary to prevent physical harm or financial loss to us, or one of our subsidiaries, colleagues or stakeholders as required or permitted by law; to establish, exercise or defend our legal rights; or in connection with an investigation of suspected or actual fraud, illegal activity, or any security matters.
        6. 7.6 Where we contract any part of our business operations or functions that involve the processing of Personal Data, we have contractual clauses to ensure the Personal Data is processed in accordance with data protection requirements.  Our contracted providers include (but are not limited to) IT and communication providers; market research; data analysis; accountants; auditors; debt collection etc. A list of our key contracted providers is available on Contracts Finder.
        7. 7.7 We will also share data from the Covid-19 loan schemes and the Future Fund Scheme (and any other of our programmes, where appropriate to do so) with BEIS, other government departments, law enforcement agencies, regulatory bodies and other relevant stakeholders for the prevention and detection of crime, in particular fraud, to investigate specific cases as well as to enable data analytics to attempt to discover possible or as yet undetected fraudulent or other criminal behaviour, patterns or trends against public authorities and public money (i.e. Section 56 of the Digital Economy Act 2017, Section 68 of the Serious Crime Act 2007).
        8. 7.8 Where legally required, we will share information relating to individual Covid-19 loans (which may include amongst other details the identity of the borrowers and size of loan) with the European Commission under the State aid Temporary Framework and the approval for the ‘Covid-19 Temporary Framework for UK Authorities’. The European Commission will make this information publicly available on its State aid transparency public search website. For each of the Bounce Back Loan Scheme, the Coronavirus Business Interruption Loan Scheme and the Coronavirus Large Business Interruption Loan Scheme, there is a requirement to report and publish information on individual aid exceeding €100,000, or exceeding €10,000 if the Borrower operates in the agriculture or fisheries sectors. Please note, the ‘aid amount’ includes the loan, the fees and interest payments the Government has paid on behalf of the borrower for the first 12 months of the loan.
        9. 7.9 Where legally required, we will also share information relating to individual Covid-19 loans (which may include amongst other details the identity of the borrowers and size of loan) on the UK’s public transparency database to enable compliance with the UK’s international subsidy reporting requirements with regards to the UK-EU Trade and Co-operation Agreement, World Trade Organization Agreement on Subsidies and Countervailing Measures and other Free Trade Agreements.
      8. Marketing

        1. 8.1 We may use your Personal Data to provide you with marketing information that you request or that we consider may interest you, by post, email and/or telephone (including SMS) as follows:
          • If you are an existing customer or have taken steps to become a customer by using the Websites or contacting us, we may contact you by post, email and/or telephone (including SMS) with information about products and services which are similar to those we previously provided to you, unless, at the time we collect your contact information, you have indicated that you do not want to receive marketing information; or
          • If you are a new customer, we may contact you by post, email and/or telephone (including SMS) if you have consented to receiving such information.
        2. 8.2 We will not pass your Personal Data to third parties for their marketing purposes.
        3. 8.3 We operate an integrated communications programme, which means we use your Personal Data to communicate with you through several different channels; including direct mail and email. Our aim is to keep you up to date with information you have expressed an interest in.
        4. 8.4 If you no longer wish to receive marketing communications from us, you can ‘opt out’ of them at any time. You will be able to change your preferences by clicking on the relevant link at the bottom of any marketing emails you may receive. You may also ask us at any time not to use your Personal Data for marketing purposes by contacting us via the methods listed in the ‘How to contact us’ section below.
      9. Subscribing to the Finance Hub newsletter

          1. 12.1 The Finance Hub provides an online interactive tool for you to enter information about your business to help find what finance options are available. The information entered is not personal data nor is it captured by the Bank; however, you can subscribe to the quarterly Finance Hub newsletter if you want to receive information about our latest guides, events and case studies, to support your business. When you subscribe, you will provide your name and email address, which will be added to our database / contacts lists so that we can send you the newsletters. You can unsubscribe at any time (see Section 8).
      10. Confidential information

        1. 9.1 Under the Freedom of Information Act 2000, we are only permitted to protect information that is actually confidential in law and where, if we were to disclose it, we could be sued for breach of confidence.
        2. 9.2 Information you give us which you may consider confidential, or may mark as confidential, may in fact not be confidential in law.  However, in respect of any information we receive from you that is truly confidential, we will take steps to ensure it remains confidential.
        3. 9.3 Unauthorised disclosure or misuse of confidential information by our employees may lead to disciplinary action.
      11. Data Subject rights under Data Protection Legislation

        1. 10.1 Data protection provides rights to data subjects; these rights are listed below and you can exercise them by contacting us using the details in Section 11.
          • Consent

            If we are processing your Personal Data on the basis of consent, for example you have subscribed to our mailing list, you have the right to withdraw your consent at any time and expect us to carry out your wishes promptly.

          • The right of access

            The right to request access to the Personal Data we hold about you, subject to exceptions.

          • The right to object

            Where you have actively provided your consent for us to process your Personal Data, the right to withdraw your consent at any time, for example to be removed from our marketing lists. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason (other than consent) for doing so.

          • The right of data portability

            In some circumstances, the right to receive some Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit such data to a third party where this is feasible. Please note that this right only applies to Personal Data which you have provided to us.

          • The right to rectification

            The right to correct any errors in Personal Data we hold about you, and to change or correct any details you have already given us.

            It is important that any contact data you provide is kept accurate and up to date so that we can contact you should we need to.

          • The right to erasure

            The right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data where we are legally entitled to retain it.

          • The right to restrict processing

            The right to request that we restrict our processing of your Personal Data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your Personal Data where we are legally entitled to refuse that request.

          • Automated decision making and profiling

            The right to know what automated decisions are made about you and the reasons why and to ask for a manual review of that decision if it affects your legal rights or other equally important matters.

            The right to object to profiling in certain situations, for example direct marketing.

            For more information about your data rights, please see the Information Commissioner’s website at ico.org.uk/your-data-matters.

      12. How to contact us

        1. 11.1 If you have any questions or comments regarding how we handle your Personal Data, you can contact us or our Data Protection Officer at:
        2. 11.2 In the event that you would like to lodge a complaint relating to our use of your Personal Data you can do so by contacting the Information Commissioner’s Office: