
Privacy Policy

Dated 12 February 2021

Contents

  1. Introduction
  2. Lawful basis for processing
  3. What data we may collect from you
  4. How we collect information from you
  5. How we use your personal data
  6. Retention of your personal data
  7. Accuracy of your personal data
  8. Security of your personal data
  9. Who we may share your personal information with
  10. Your rights
  11. Cookies
  12. Amendments to this Privacy Policy
  13. Questions in relation to this Privacy Policy


1 Introduction

1.1 Who we are

We are the Business Banking Resolution Service, a company limited by guarantee and incorporated in England and Wales with registered number 12096333 and having its registered office at C/O Eastcastle House, 27-28 Eastcastle Street, London W1W 8DH.

We engage a sub-contractor called CEDR Services Limited, trading as the Centre for Effective Dispute Resolution (CEDR). CEDR assists us in the investigation and administration of any disputes submitted to our service. This Privacy Policy contains further information about how CEDR will process your data alongside BBRS. It is important that you read this privacy policy together with any other privacy policy or fair processing policy we or CEDR may provide on specific occasions when your personal data is being collected or processed so that you are fully aware of how and why we and CEDR are using your data. This privacy policy supplements other notices and privacy policies, including any provided by CEDR and is not intended to override them.

CEDR Services Limited is a company limited by guarantee and incorporated in England and Wales with registered number 03271988 and having its registered address at International Dispute Resolution Centre, 70 Fleet Street, London, EC4Y 1EU.

BBRS and CEDR are each a ‘data controller’ for any personal data that we each process. You can contact BBRS at DPL@thebbrs.org if you have any questions with regard to this Privacy Policy or privacy practices. You can also contact CEDR at DPL@cedr.com.

1.2 Purpose of this Privacy Policy

We and CEDR recognise that if you commence a claim you will be commencing the claim on behalf of an SME and that you will likely provide your own personal data and personal data which relates to other individuals.  This privacy policy applies to all such personal data and references to “your personal data” shall be construed accordingly.

Before submitting any personal data to us, through our website www.thebbrs.org (Website) or otherwise, you should ensure that you have provided the information contained in this Privacy Policy to all persons whose personal data you intend to disclose to us.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where information relating to identity has been removed (anonymous data).

We take your privacy very seriously, respect your privacy and are committed to protecting your personal data. As such, we ask that you read this Privacy Policy carefully as it contains important information about:

  1. what personal data we may collect from you through your use of our services, including but not limited to any personal data you may provide to us when you register your interest, speak to or correspond with any of our staff, participate in any survey or submit and/or participate in a claim;
  2. how we will use, store and protect your personal data;
  3. with whom we may share personal data; and
  4. your rights under relevant data protection laws and how the law protects you.

It is important that you read this Privacy Policy together with any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Policy supplements the other notices and is not intended to override them.

The Website and our services are not permitted for use by individuals below eighteen years of age and we do not knowingly collect personal data relating to such individuals.

1.3 Third party links

The Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. If you follow a link to any of these third-party websites, please note that we do not accept any responsibility or liability for their privacy statements or for any personal data that may be collected through these websites. When you leave our website, we encourage you to read the privacy policy of every website you visit.

2 Lawful basis for processing

Under data protection laws, we must have a legal basis in order to process your personal data. The legal basis under which we process your personal data is:

  • Legitimate interest: in order to carry on BBRS’ purpose of facilitating the investigation and resolution of disputes between SMEs and their financial service providers. This may involve gathering evidence, as well as reporting decisions to the relevant parties. CEDR will also rely on its legitimate interests for the purposes of managing and investigating any dispute submitted to the service.
  • Special category data: where you provide us with special categories of personal data in connection with your claim (i.e. data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic data, biometric data and data concerning health, sex life or sexual orientation), this data requires an additional legal basis for processing.  We shall therefore process such personal data on the basis that the processing is necessary for the establishment, exercise and defence of legal claims made by or on behalf of SMEs.
  • Consent: BBRS and CEDR may request your consent to process your personal data in certain limited circumstances. For example, if you speak to us on the telephone, you may be requested to provide your consent to record those telephone calls for quality and training purposes. You may withdraw your consent at any time by informing the call operator or by emailing DPL@thebbrs.org or DPL@cedr.com.
  • Complying with a legal obligation: BBRS or CEDR may be required to process your personal data where required to comply with applicable law, which may include sharing your personal data with regulators, authorities or other parties.

3 What data we may collect from you

BBRS and CEDR may collect and process any type of personal data about you (such as name, address, email address and phone number), including special categories of personal data. BBRS and CEDR do not actively collect information about criminal convictions or offences, although such data may be processed if it is provided during the course of any complaint you submit to the service.

When you use the Website, we also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your personal data but it will not constitute personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we will treat the combined data as personal data which will be processed in accordance with this Privacy Policy.

4 How we collect information from you

Your personal data is collected by us and CEDR in a number of ways:

  • Automatically: as you browse the Website certain information relating to your browsing patterns and technical data about the equipment you are using to access the website is automatically collected using cookies and server logs. Please see the BBRS Cookies Policy for further information.
  • Directly: identity and contact data directly provided by you when you fill in online forms, speak to, write to, email or correspond with BBRS (or CEDR) in any way, irrespective of the method of communication used and including via the case management system, a software tool used to manage your dispute.
  • From third parties/public sources:
    • if you submit a dispute, as part of our investigation BBRS and CEDR may collect your personal data from your financial service provider(s) and from publicly available sources such as Companies House;
    • if you appoint a third party to represent you during an eligible dispute, that third party may provide additional personal data about you;
    • when using the Website, BBRS and CEDR may collect technical data, which may be obtained from the following parties:
      • analytics providers (such as Google) based outside the UK; and
      • search information providers (such as Google) based outside the UK.
    • BBRS may collect information including personal data from third parties who provide services including the capture of news items and social media comments concerning BBRS and the financial industry.

5 How we use your personal data

BBRS may use your personal data for the following purposes:

  • to provide services to you which you have requested;
  • in accordance with our legitimate interests (in circumstances where your interests and fundamental rights do not override our interests);
  • to personalise your experience on the Website and the case management system (CMS);
  • to provide customer services, including to respond to your enquiries and fulfil any of your requests for information;
  • to send you important information regarding our services and/or other technical notices, updates, security alerts, and support and administrative messages; and
  • as we believe to be necessary or appropriate:
    • in order to comply with a legal obligation. This applies where the processing is necessary for us to comply with the law;
    • to enforce or apply this Privacy Policy; and
    • to protect our legitimate rights, privacy, property or safety, and/or those of a third party, where your rights do not override those interests.

CEDR may also process your personal data to manage and investigate any dispute you submit to the service, to provide customer services to you, and to communicate with you in relation to your dispute.

6 Retention of your personal data

BBRS and CEDR will not retain your personal data for longer than is necessary for the purposes for which the personal data is processed. This means that your data will only be retained for as long as it is still required to provide you with services or is necessary for legal reasons. When calculating the appropriate retention period for your data, both BBRS and CEDR will consider the nature and sensitivity of the data, the purposes for which the data is processed, and any applicable statutory retention periods. Using these criteria, both BBRS and CEDR regularly review the personal data held and the purposes for which it is held and processed.

When we or CEDR determine that personal data can no longer be retained (or where you request us to delete your data in accordance with your right to do so; please see section 10 below for more information), we ensure that this data is securely deleted or destroyed from BBRS and CEDR systems.

Generally, any personal data you submit in relation to a claim to us or CEDR will be retained for 7 years from the date your case is closed.

However, please note that in some circumstances we and CEDR may decide to retain your personal data for research or statistical purposes and, in such circumstances, we will anonymise your data before retaining it.

For more details about retention periods, please contact us or CEDR using the contact details set out below.

7 Accuracy of your personal data

It is important that the personal data held about you by us and CEDR is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

8 Security of your personal data

In order to protect your personal data, both BBRS and CEDR have appropriate organisational and technical security measures in place. These measures include requiring contractors who process your personal data to meet certain minimum security standards, restricting access to your personal data to certain staff, ensuring the secure transmission of data from the point where it is captured to the point where it is stored, ensuring suitable encryption is employed where data is stored, ensuring internal IT systems are suitably secure and implementing procedures to deal with any suspected data breach.

In addition, your personal data will only be processed in the UK and countries approved by the UK government as providing adequate protection.

In the unlikely event of a data breach, steps will be taken to mitigate any loss or destruction of data and, if required, BBRS and/or CEDR will notify you and any applicable authority of such a breach.

9 Who we may share your personal information with

There may be circumstances in which we may also need to share your personal data with certain other third parties.

The third parties to which BBRS may transfer your personal data include:

  • financial service providers who need to receive the personal data to enable BBRS to investigate and resolve disputes or in relation to a request to exercise the rights you have as a data subject in respect of your personal data (as set out below in paragraph 10); and
  • BBRS’ service providers who provide services to BBRS to enable BBRS to investigate and resolve disputes, such as CEDR.

CEDR may also transfer your personal data to third party IT service providers, to enable CEDR to provide its services.

The security of your data is important to BBRS and CEDR, therefore your data will only be transferred to such third parties if:

  • the third party needs to access the personal data for the purposes of providing to you any services you have requested;
  • the third party has in place appropriate organisational and technical security measures to protect your personal data;
  • the transfer complies with any applicable cross border transfer restrictions and suitable safeguards have been put in place; and
  • a fully executed written contract that contains suitable obligations and protections has been entered into between the parties.

For more information on the safeguards used by BBRS and CEDR when transferring personal data to third parties, please contact us using the contact details below.

10 Your rights

You have certain rights in relation to the personal data we and CEDR process and hold about you. These include:

  • Right to rectification: you have the right to require us to correct any inaccuracies in your personal data.
  • Right to erasure: you have the right to require us to delete your personal data, subject to certain legal requirements.
  • Right to restriction of processing: you have the right to require us to restrict the way in which we process your personal data. You may wish to restrict processing if, for example:
    • you contest the accuracy of the data and wish to have it corrected;
    • you object to processing but we are required to retain the data for reasons of public interest; or
    • you would prefer restriction to erasure.
  • Right to data portability: you have the right to obtain from us easily and securely the personal data we hold on you for any purpose you see fit.
  • Right to object to processing: you have the right to require us to stop processing your personal data should you wish the data to be retained but no longer processed.
  • Right of access: you have the right to request access to personal data that we may process about you.
  • Right to withdraw consent: where you have previously consented to the processing of your personal data, you have the right at any time to withdraw that consent.

If you would like to exercise any of the above rights, please:

  • put your request in writing to DPL@thebbrs.org or our postal address (above);
  • include proof of your identity (such as a copy of your driving licence or passport) and address (such as a recent utility or credit card bill); and
  • specify the right you wish to exercise.

We will respond to requests made by you within one month. We will not charge a fee for you to exercise any of the rights listed above.

If your request relates to CEDR, please contact DPL@cedr.com.

11 Cookies

For more information about the cookies used, please see the Cookies Policy.

12 Amendments to this Privacy Policy

No changes to this Privacy Policy are valid or have any effect unless agreed by us in writing. We reserve the right to vary this Privacy Policy from time to time. Our updated terms will be displayed on the Website. It is your responsibility to check this Privacy Policy from time to time to verify such variations.

13 Questions in relation to this Privacy Policy

You should also be aware that you have the right to raise any concerns in relation to how we process your personal data to the Information Commissioner’s Office (ICO).

We have appointed a data privacy lead (DPL) who is responsible for dealing with any such concerns, in addition to overseeing questions in relation to this Privacy Policy and handling requests in relation to the exercise of your legal rights.

If you have any concerns, questions, or requests, please contact the DPL at DPL@thebbrs.org.

You may also contact CEDR’s DPL at DPL@cedr.com.