Dated 3rd February 2020
- Lawful basis for processing
- What data we may collect from you
- How we collect information from you
- How we use your personal data
- Retention of your personal data
- Accuracy of your personal data
- Security of your personal data
- Transfer of your personal data to third parties
- Your rights
1.1 Who we are
The BBRS website is brought to you by Business Banking Resolution Service, a company limited by guarantee and incorporated in England and Wales with registered number 12096333 and having its registered office at c/o Legalinx Limited, Tallis House, 2 Tallis Street, Temple, London, EC4Y 0AB.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where information relating to identity has been removed (anonymous data).
- what personal data we may collect from you through your use of this website, including any data you may provide through this website when you register your interest or submit a claim;
- how we will use, store and protect your personal data;
- with whom we may share personal data; and
- your rights under relevant data protection laws and how the law protects you.
This website is not permitted for use by individuals below eighteen years of age and we do not knowingly collect data relating to such individuals.
1.3 Third party links
2 Lawful basis for processing
Under data protection laws, we must have a legal basis in order to process your personal data. The legal bases on which we may process your data are:
- Legitimate interest: in order to carry on the purposes of BBRS’ purpose of facilitating the investigation and resolution of disputes between eligible SMEs and their financial service providers.
3 What data we may collect from you
We may collect and process different kinds of personal data about you which we have grouped together as follows:
- Identity data: first name, last name, company name and company role.
- Contact data: email address and contact telephone number.
- Technical data: internet protocol (IP) address, browser type and version, operating system, time zone setting and location, and other technology on the devices you use to access this website.
- Usage data: information about how you use our website and services.
We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership and information about your health, genetic and biometric data). Nor do we collect any information about criminal convictions or offences.
4 How we collect information from you
We collect your personal data in a number of ways:
- Automatically: as you browse the BBRS website certain information relating to your browsing patterns and technical data about the equipment you are using to access the website is automatically collected using cookies and server logs. Please see our Cookies Policy for further information.
- Directly: identity and contact data directly provided by you when you fill in online forms or correspond with us in any way.
- From third parties/public sources:
- technical data, which may be obtained from the following parties:
- analytics providers (such as Google) based outside the EU; and
- search information providers (such as Google) based outside the EU.
- technical data, which may be obtained from the following parties:
5 How we use your personal data
We may use your personal data for the following purposes:
- to provide the requested services to you;
- in accordance with our legitimate interests (in circumstances where your interests and fundamental rights do not override our interests);
- to personalise your experience on the BBRS website;
- to provide customer service, including to respond to your enquiries and fulfil any of your requests for information;
- to send you important information regarding our services and/or other technical notices, updates, security alerts, and support and administrative messages; and
- as we believe to be necessary or appropriate:
- in order to comply with a legal obligation. This applies where the processing is necessary for us to comply with the law;
- to protect our legitimate rights, privacy, property or safety, and/or those of a third party, where your rights do not override those interests.
6 Retention of your personal data
We will not retain your personal data for longer than is necessary for the purposes for which the personal data is processed. This means that your data will only be retained for as long as it is still required to provide you with services or is necessary for legal reasons. When calculating the appropriate retention period for your data, we consider the nature and sensitivity of the data, the purposes for which we are processing the data, and any applicable statutory retention periods. Using these criteria, we regularly review the personal data which we hold and the purposes for which it is held and processed.
When we determine that personal data can no longer be retained (or where you request us to delete your data in accordance with your right to do so (please see section 10 below for more information)), we ensure that this data is securely deleted or destroyed.
However, please note that in some circumstances we may decide to retain your personal data for research or statistical purposes and, in such circumstances, we will anonymise your data before retaining it.
For more details about our retention periods, please contact us using the contact details set out below.
7 Accuracy of your personal data
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
8 Security of your personal data
In order to protect your personal data, BBRS has appropriate organisational and technical security measures. These measures include restricting access to your personal data to certain employees, ensuring the secure transmission of data from the point where it is captured to the point where it is stored, ensuring suitable encryption is employed where data is stored, ensuring our internal IT systems are suitably secure and implementing procedures to deal with any suspected data breach.
In the unlikely event of a data breach, we will take steps to mitigate any loss or destruction of data and, if required, will notify you and any applicable authority of such a breach.
9 Transfer of your personal data to third parties
There may be circumstances in which we may also need to share your personal data with certain third parties, including third parties located outside of the EEA.
The third parties to which we may transfer your personal data include:
- financial service providers who need to receive the personal data to enable BBRS to investigate and resolve disputes;
- BBRS’ service providers who provide services to BBRS to enable BBRS to investigate and resolve disputes; and
- Mandrill.com and Mailchimp.com (operated by The Rocket Science Group LLC) who will have access to email addresses to enable BBRS to send email confirmations and follow up correspondence in relation to disputes.
The security of your data is important to us and we will, therefore, only transfer your data to such third parties if:
- the third party needs to access the personal data for the purposes of providing any contracted services to you;
- the third party has agreed to comply with BBRS’ instructions, required data security standards, policies, and procedures and put adequate security measures in place;
- the transfer complies with any applicable cross border transfer restrictions and suitable safeguards have been put in place; and
- a fully executed written contract that contains suitable obligations and protections has been entered into between the parties.
As mentioned above, we will only transfer your data where suitable safeguards have been put in place. These safeguards are intended to ensure a similar degree of protection is afforded to your data wherever it may be transferred and include:
- only transferring your personal data to countries which have been deemed to provide an adequate level of protection for personal data by the European Commission (or any successor body from time to time);
- where your data will be transferred outside of the EEA or, if the United Kingdom leaves the EEA, outside of the UK, entering into specific contractual terms which have been approved by the European Commission (or any successor body from time to time) and which give personal data the same protection as within the EEA; or
- where your data will be transferred to the US, ensuring that the third party to which we are transferring your data is part of the Privacy Shield.
For more information on the safeguards used by BBRS when it transfers personal data to third parties, please contact us using the contact details below.
10 Your rights
You have certain rights in relation to the personal data we process and hold about you. These include:
- Right to rectification: you have the right to require us to correct any inaccuracies in your personal data.
- Right to erasure: you have the right to require us to delete your personal data, subject to certain legal requirements.
- Right to restriction of processing: you have the right to require us to restrict the way in which we process your personal data. You may wish to restrict processing if, for example:
- you contest the accuracy of the data and wish to have it corrected;
- you object to processing but we are required to retain the data for reasons of public interest; or
- if you would prefer restriction to erasure.
- Right to data portability: you have the right to obtain from us easily and securely the personal data we hold on you for any purpose you see fit.
- Right to object to processing: you have the right to require us to stop processing your personal data should you wish the data to be retained but no longer processed.
- Right of access: you have the right to request access to personal data that we may process about you.
- Right to withdraw consent: where you have previously consented to the processing of your personal data, you have the right at any time to withdraw that consent.
If you would like to exercise any of the above rights, please:
- put your request in writing;
- include proof of your identity (such as a copy of your driving licence or passport) and address (such as a recent utility or credit card bill); and
- specify the right you wish to exercise.
We will respond to requests made by you within one month. We will not charge a fee for you to exercise any of the rights listed above.
For more information about the cookies we use, please see our Cookies Policy.
You should also be aware that you have the right to raise any concerns in relation to how we process your personal data to the Information Commissioner’s Office (ICO).
Our full details are:
Full name of legal entity: Business Banking Resolution Service
Email address: DPL@thebbrs.org