Privacy Notice for OakNorth Business Bank Account Holders
Last updated 16th April 2024
1. Introduction
At OakNorth Bank, we understand the importance of your privacy, and it is important to us that we respect this by protecting your data wherever we collect and process it. This Privacy Notice explains how we collect, use, disclose, and protect your personal information as part of providing our services.
2. What Information We Collect
We collect personal information that you provide directly to us when you open an account. This includes your name, contact details, date of birth, financial information, and identification documents (including your image). We do collect special category personal data (personal data that is considered higher risk): this is biometric data collected during our onboarding process to match your identity document to your ‘selfie’, for which we use a third party (Mitek) to run a biometric process to match the images. Where we collect and process this type of personal data, we apply higher levels of control around how we process and store it. We also collect data about you when you process payments.
The types of data we collect and what we do with it are detailed in Section 5. We also source some data from third party providers such as credit reference and fraud prevention/risk management agencies (these are further detailed in Section 7).
3. How We Collect Information
We collect information from you directly when you fill out forms for our services, through our website or mobile application, when you process payments through the app or website or when you contact us with inquiries. As mentioned, we also use what you provide us to source data from some third parties.
4. Why We Collect Information
We collect and process your personal information to provide you with our banking services, manage your account, verify your identity, comply with legal obligations, detect and prevent fraud, and improve our services. To do this, we may verify the information supplied by you against the records of fraud prevention and risk management agencies. We undertake biometric processing using Mitek to automatically confirm your identity; if we cannot do this, we may ask you to provide physical forms of identity verification. We may search credit reference agencies in assessing your application (to do this we currently use Experian and Synetics). They also give us other details and information from the Electoral Register and the Home Office UK resident status register to help us verify your identity and status. The credit reference agency keeps a record of our search, and whether your application proceeds. Our search is not seen or used by lenders to assess your ability to obtain credit and so does not impact your credit score. You should notify us of any change in your name, your home address, your email address, or your telephone number. Details of how Experian collect and process your data for this purpose can be found at the following link: Credit Reference Agency Information Notice (CRAIN) | Experian
5. How We Use Your Information
We use your personal information to manage your account, process transactions, communicate with you about your account, provide customer service, and comply with legal and regulatory requirements. A summary of what we collect and how we use it is below, along with the grounds on which we process it.
| Category of Personal Data | Purpose for Processing/How we use your data | Processing Grounds |
| --- | --- | --- |
| Contact information; Transactional information; Identity information; Historical address information; Tax residency information; Security information; Employment status information; Online identifier information; Risk and/or fraud information | Account opening, operating, maintaining, administering and closing your account(s) and/or our business | Contract |
| As above | Providing you with the services and products you have requested | Contract |
| As above | Preventing or detecting money laundering, fraud or any other illegal activity, carrying out electronic verification checks, and Politically Exposed Person, financial crime and Sanctions checks | Legal obligation |
| Contact information; Transactional information; Identity information; Historical address information; Tax residency information; Employment status information; Online identifier information; Risk and/or fraud information; Health information; Executor/Administrator information; Power of Attorney information | Internal reporting (for business operation purposes) and external reporting (for compliance with any legal and/or regulatory obligations) | Legitimate interest / Legal obligation |
| As above | Our confidential research and analysis to improve our products or services (including identification of broad customer types/segments and customer surveys that are anonymised and not used for marketing) | Legitimate interest |
| As above | Complying with any other legal and/or regulatory requirements, including legitimate requests for information from law enforcement or regulatory bodies/agencies | Legal obligation |
| Contact information; Transactional information; Identity information; Historical address information; Tax residency information; Security information; Risk and/or fraud information; Health information; Estate Executor/Administrator information; Power of Attorney information | Responding to your queries and communicating with you about your account(s) and the services you have received | Contract |
| Contact information; Transactional information; Identity information; Historical address information; Tax residency information; Employment status information; Risk and/or fraud information | General record keeping requirements as stipulated by laws, regulations, and/or Regulatory Authorities (e.g. Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA)) | Legal obligation |
| Contact information; Transactional information; Identity information; Tax residency information; Employment status information; Online identifier information | Developing the products and services we provide and notifying you of developments that can affect you, by sending you non-marketing communications to ensure you are informed of how developments to products and services may impact you | Legitimate interest |
| Contact information | Marketing purposes, including marketing newsletter emails (which you can opt out from at any time, via unsubscribe links or by contacting [email protected]) | Legitimate interest |
| Transactional information; Payee/Payer name and account | Enabling payments to and from your account | Contractual |
| As above | Preventing and detecting money laundering and fraud | Legal obligation |
The personal data collected from you, or which we have received from third parties like the credit reference agencies may include the following data types:
Information Obtained Directly from You
| Category of Personal Data | Source | Requirement | Consequence of Failure to Provide |
| --- | --- | --- | --- |
| Contact Information; Identity Information; Historical Address Information; Tax Residency Information | You | Statutory | It would not be possible to complete an application for the requested product and/or service. |
| Security Information; Employment Status Information | You | Contractual | It would not be possible to complete an application for the requested product and/or service. |
| Contact Information; Identity Information; Historical Address Information; Estate Executor/Administrator Information | Her Majesty’s Courts and Tribunals Service | Contractual | It would not be possible to complete the required bereavement processes. |
| Contact Information; Identity Information; Historical Address Information; Health Information; Power of Attorney Information | UK Government Lasting Power of Attorney Service | Contractual | The process to complete an application for the requested product and/or service via Power of Attorney (if required) would have to be completed manually and may cause a delay in the processing of your application. |
Information Obtained from Other Sources
| Category of Personal Data | Source | Requirement | Consequence of Not Evaluating |
| --- | --- | --- | --- |
| Contact Information; Identity Information; Historical Address Information; Risk and/or Fraud Information | Credit Reference Agencies | Contractual | The identity verification process would have to be completed manually and may cause a delay in the processing of your application. |
| As above | Fraud Prevention Agencies | Statutory | It would not be possible to complete an application for the requested product and/or service. |
| Contact Information; Identity Information; Historical Address Information; Employment Status Information; Risk and/or Fraud Information | Risk Management Agencies | Statutory | It would not be possible to complete an application for the requested product and/or service. |
| Contact Information; Identity Information; Employment Status Information; Directorship Information; Shareholding Information | Companies House | Contractual | It would not be possible to complete an application for the requested product and/or service. |
| Contact Information; Identity Information; Historical Address Information; Estate Executor/Administrator Information | Your Executor(s)/Administrator(s) of your Estate | Contractual | In the unfortunate event of your death, it would not be possible to complete the Bereavement Process. |
| Contact Information; Identity Information; Historical Address Information; Health Information; Power of Attorney Information | Your Attorney/Deputy | Contractual | The process to complete an application for the requested product and/or service via Power of Attorney (if required) would have to be completed manually and may cause a delay in the processing of your application. |
Glossary of Categories of Personal Data
| Category of Personal Data | Included Information |
| --- | --- |
Contact Information | Postal address, email address, telephone number(s) |
Identity Information | Title, name, nationality, gender, age, photograph, signature, electoral roll data, passport, ‘selfie’ |
Historical Address Information | Minimum three years of address history |
Employment Status Information | Director, Employed, self-employed, student, retired, other |
Transactional Information | All deposits, withdrawals, and payment history of your OakNorth account(s) |
Tax Residency Information | National insurance number, foreign tax identification number(s), citizenship(s) |
Estate Executor/Administrator Information | Death certificate, death certificate verification form, coroner’s fact of death certificate, will, grant of probate, certificate of confirmation, letter of administration, grant of representation, inheritance tax form, letter from permitted regulated entity confirming executors/administrators of estate, additional permitted prescription forms |
Health Information | Patient data, prescriptions, medical expenses |
Power of Attorney Information | Lasting power of attorney (LPA), enduring power of attorney (EPA), Court of Protection/Deputyship, LPA code |
Risk and/or Fraud Information | Information held by Fraud Prevention and Risk Management Agencies which may include information about your identity, activities, credit information, allegations or criminal convictions |
Security Information | Security questions and answers, banking login credentials |
Online Identifier Information | Device IP address and App login |
Directorship Information | Directorship role of business |
Shareholding Information | Beneficial ownership of business |
Payee/Payer Account Information | This is the information provided by you or your payer when initiating a payment |
6. Sourcing, Sharing and Disclosure of Information
We do not share your data with third parties for marketing purposes; however, we may share your personal information with third-party service providers, regulators, and law enforcement agencies to comply with legal obligations, such as for the purposes of fraud prevention. We may also share your data with third parties to enable us to fulfil our contractual obligations. Where we share your data, we will always ensure proper controls are in place over the processing and transfer of your data.
As we highlighted in Section 4, we sometimes obtain information about you from third party sources. The personal information we have collected from you will be shared with fraud prevention agencies, who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. For further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, please contact Synetics, Experian, Cifas, National Hunter, Refinitiv, Comply Advantage or Dow Jones. You need to visit these providers’ websites in order to make a Data Subject Access Request to see the information which is recorded against your name and address. We accept no responsibility or liability for the actions of any such agencies, which act as separate and independent controllers; any information which is controlled by them and used for the purpose of fraud prevention/credit checks is not governed by our Privacy Notice.
7. Data Retention
We store your personal data, which includes details you provide on the application form or through a Partner. This data includes your identification details, product data, email communications, and transaction information. We store this data on paper, computers, and other electronic devices. We keep these details for six years after your last active account has been closed. This is done to meet legal and regulatory requirements, which include fraud prevention, crime investigation, and complaints procedures. It also helps us keep track of past conversations and maintain a record of account history. This makes opening new accounts in the future easier for you.
We also store records in line with our retention policy and legal and regulatory requirements, which can be up to six years after you last closed an account. This includes system backups for disaster recovery purposes.
We may monitor or record calls, emails, text messages, or other communications in line with applicable laws. This is done for reasons such as quality control, training, preventing unauthorized use of our systems and website, ensuring systems work effectively, preventing or detecting crime, and protecting confidential bank information, including personal data of account users. Call recordings may be kept for six months or up to three years if they’re part of a complaint.
At times, we might use third-party processors to help with confidential research, like customer surveys. But don’t worry, this data is anonymized and not used for marketing purposes.
If you use our website to complete forms, we will ask for your consent to the use of cookies; these are not used in our transaction banking application. You can view our Cookie Policy here.
8. Data Security
Your security is our highest priority. We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of and access controls to personal data. This involves a series of precautions designed to safeguard your personal information and to prevent unauthorized access, use, or disclosure.
Our security measures include:
Encryption: All data that is transmitted between your device and our systems, as well as data at rest, is encrypted. This means that even if someone were able to intercept the data, they wouldn’t be able to read it. Encryption adds a protective layer by converting your information into an unreadable format.
Access Controls: We have strict access controls in place for personal data. Only authorized personnel who have a legitimate business need to access your personal data can do so. Each of our employees has unique login information and their access to data is tracked and controlled.
Regular Audits: We regularly review and update our security policies and controls. These audits help us identify and fix any vulnerabilities or weaknesses in our system.
Employee Training: Our staff members are regularly trained on how to handle sensitive data and are fully informed about the confidentiality of such information. They’re made aware of their obligations in terms of data protection and data security.
Working with Trusted Partners: When we work with third-party service providers, we ensure they also follow strong security practices. We carefully choose our partners and require them to comply with our high standards of data security.
Incident Response Plan: In the unlikely event of a security breach, we have a robust incident response plan in place to quickly identify, respond, and mitigate the impact of the breach. This includes notifying affected individuals and relevant authorities in line with legal and regulatory requirements.
9. International Data Transfers
We will take appropriate security measures to ensure that your personal data is protected and secured in accordance with the relevant data protection laws and regulations, including the General Data Protection Regulation (GDPR). We will only disclose information about you to third-party data processors who shall process your personal data on our behalf. We may also disclose information about you to credit reference, fraud prevention, and risk management agencies, or if we are required by law or regulation to do so. We shall ensure that our data processors shall process your data based on our instructions and have appropriate data security measures to protect personal data.
In some cases, we may need to transfer your information to third parties overseas, including our affiliate entity OakNorth Global Private Limited in India, i.e. outside the UK or European Economic Area. However, we will ensure that adequate procedures and safeguards (for example, Data Transfer Risk Assessments or European Commission Model Contract Clauses, as amended for UK GDPR) are in place to protect your personal data at all times, and that the affiliate and the third parties are contractually obligated to provide an adequate level of data protection in accordance with UK data protection laws and regulations.
The UK government has agreed, and continues to agree, inter-governmental agreements to share tax information. We ask for details of your tax residency and in some cases tax reference numbers to enable us to comply with the related UK legislation. If you are a US person (US passport, US born, US registered address or US taxpayer), we may be obliged to provide any required details about you and your account(s) with us to comply with the Foreign Account Tax Compliance Act (FATCA).
If we believe that we have tax obligations in other countries, we may disclose information about the bank directly to those tax authorities or to HM Revenue & Customs, who may share that information with other tax authorities. We may disclose information we hold about you directly to those tax authorities or to HM Revenue & Customs, who may also share that information with other tax authorities.
10. Your Rights and Choices
You have rights under data protection laws (UK GDPR) in relation to your personal data. These include for example the right to request access, correction, or deletion of your personal data. These rights are detailed below:
The right to be informed
The right to be informed encompasses our obligation to provide ‘fair processing information’ through a privacy notice. It emphasises the need for transparency over how we use personal data.
The right of access
You have the right to access your personal data and supplementary information. The right of access allows you to be aware of and verify the lawfulness of the processing of your personal data. The right of access allows you to submit a Data Subject Access Request (DSAR) for a copy of the personal data that we hold about you.
The right to rectification
The GDPR gives you the right to have personal data rectified if it is inaccurate or incomplete.
The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have personal data erased and to prevent processing in specific circumstances, such as:
The right to restrict processing
You have the right to ‘block’ or suppress processing of personal data, which will make it restricted, and permit us to store the personal data, but not to further process it. We would retain just enough information about you to ensure that the restriction is respected in future. We will be required to restrict the processing of your personal data in the following circumstances:
We must inform you when we decide to lift a restriction on processing.
The right to data portability
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability only applies to personal data you provided to us, where the processing is based on your consent or for the performance of a contract; and when processing is carried out by automated means.
The right to object
You have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics. You must have an objection on “grounds relating to your particular situation” if processing is based on performance of a legal task, our legitimate interests, or research purposes.
The right in relation to automated decision making and profiling
Article 22 of the GDPR has additional rules to protect you if we are carrying out solely automated decision-making that has legal or similarly significant effects on you. We will only carry out this type of decision-making where the decision is: necessary for the entry into or performance of a contract, authorised by Union or UK law applicable to us, or based on your explicit consent.
Your personal data is protected by legal rights (where applicable), and may include:
If you have a complaint about how we have used your information, you should contact our Business Desk using the contact details above so that we can assist you in dealing with your complaint, however, you also have the right to complain to the Information Commissioner’s Office (ICO), which regulates the processing of personal data. Information on how to report a complaint to the ICO can be found on their website: www.ico.org.uk or by calling them on 0303 123 1113.
For more information or to exercise your data protection rights, please contact our DPO or the Business Desk using the contact details below.
11. Updates to This Privacy Notice
We may update this Privacy Notice from time to time. Any changes will be posted on this page, and if significant changes are made, we will notify you directly. This Privacy Notice was last updated 28th June 2023.
12. Contact Information
If you have any questions or concerns about this Privacy Notice or our data practices, please contact our Data Protection Officer by emailing: [email protected]
You can contact our Business Desk:
By writing:
OakNorth Bank plc
Ship Canal House
98 King Street
Manchester
M2 4WU
By calling:
+44 (0) 330 380 1181
By emailing:
This policy explains when and why we collect personal information about you, how we use it, the conditions under which we may disclose it to others and how we keep it secure.
TPL is committed to safeguarding the privacy of your information. By “your data”, “your personal data”, and “your information” we mean any personal data about you which you or third parties provide to us.
We may change this Policy from time to time. For more information see: Changes to our Privacy Policy.
Who are we?
Transact Payments Limited (“TPL”, “we”, “our” or “us”) is the issuer of your card and is the Data Controller for the personal data which you provide to us in relation to the card only. TPL is an e-money institution, authorised and regulated by the Gibraltar Financial Services Commission. Our registered office address is 6.20 World Trade Center, 6 Bayside Road, Gibraltar, GX11 1AA and our registered company number is 108217.
OakNorth Bank PLC is the Program Manager for your card program and is the Data Controller for any personal data which you provide which is not related to the card. OakNorth Bank PLC is incorporated and registered in England and Wales with company number 08595042, and its registered office is at 3rd Floor, 57, Broadwick Street, Soho, London, England, W1F 9QS.
How do we collect your personal data?
We collect information from you when you apply online or via a mobile application for a payments card which is issued by us. We also collect information when you use your card to make transactions. We may also process information from the Program Manager, other third party payment partners and service providers. We also obtain information from third parties (such as fraud prevention agencies) who may check your personal data against any information listed on an Electoral Register and/or other databases. When we process your personal data we rely on legal bases in accordance with data protection law and this privacy policy. For more information see: On what legal basis do we process your personal data?
On what legal basis do we process your personal data?
Contract
Your provision of your personal data and our processing of that data is necessary for each of us to carry out our obligations under the contract (known as the Cardholder Agreement or Cardholder Terms & Conditions or similar) which we enter into when you sign up for our payment services. At times, the processing may be necessary so that we can take certain steps, or at your request, prior to entering into that contract, such as verifying your details or eligibility for the payment services. If you fail to provide the personal data which we request, we cannot enter into a contract to provide payment services to you or will take steps to terminate any contract which we have entered into with you.
Legal/Regulatory
We may also process your personal data to comply with our legal or regulatory obligations.
Legitimate Interests
We, or a third party, may have a legitimate interest to process your personal data, for example, to analyse and improve the security of our business.
What type of personal data is collected from you?
When you apply for a card, we, or our partners or service providers, collect the following information from you: full name, physical address, email address, mobile phone number, phone number, date of birth, gender, login details, IP address, identity and address verification documents.
When you use your card to make transactions, we store that transactional and financial information. This includes the date, amount, currency, card number, card name, account balances and name of the merchant, creditor or supplier (for example a supermarket or retailer). We also collect information relating to the payments which are made to/from your account.
How is your personal data used?
We use your personal data to:
– set up your account, including processing your application for a card, creating your account, verifying your identity and printing your card.
– maintain and administer your account, including processing your financial payments, processing the correspondence between us, monitoring your account for fraud and providing a secure internet environment for the transmission of our services.
– comply with our regulatory requirements, including anti-money laundering obligations.
– improve our services, including creating anonymous data from your personal data for analytical use, including for the purposes of training, testing and system development.
Who do we share your information with?
When we use third party service partners, we have a contract in place that requires them to keep your information secure and confidential.
We may receive and pass your information to the following categories of entity:
Sending personal data overseas
To deliver services to you, it is sometimes necessary for us to share your personal information outside the UK/Gibraltar e.g.:
These transfers are subject to special rules under Gibraltar data protection law.
These countries do not have the same data protection laws as Gibraltar. We will, however, ensure the transfer complies with data protection law and all personal information will be secure. We will send your data to countries where the Gibraltar Government has made a ruling of adequacy, meaning that they have ruled that the legislative framework in the country provides an adequate level of data protection for your personal information. You can find out more about adequacy regulations here and here.
Where we send your data to a country where no adequacy decision has been made, our standard practice is to use standard data protection contract clauses that have been approved by the United Kingdom government and/or the European Commission. You can obtain a copy of the European Commission’s document here and the UK’s document here.
If you would like further information, please contact our Data Protection Officer on the details below.
How long do we store your personal data?
We will store your information for a period of five years after our business relationship ends in order that we can comply with our obligations under applicable legislation such as anti-money laundering and anti-fraud regulations. If any applicable legislation or changes to this require us to retain your data for a longer or shorter period of time, we shall retain it for that period. We will not retain your data for longer than is necessary.
Your rights regarding your personal data?
You have certain rights regarding the personal data which we process:
How is your information protected?
We recognise the importance of protecting and managing your personal data. Any personal data we process will be treated with appropriate care and security.
These are some of the security measures we have in place:
While we take all reasonable steps to ensure that your personal data will be kept secure from unauthorised access, we cannot guarantee it will be secure during transmission by you to the applicable mobile app, website or other services over the internet. However, once we receive your information, we make appropriate efforts to ensure its security on our systems.
Complaints
We hope that our Data Protection Officer can resolve any query or concern you may raise about our use of your personal information.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in Gibraltar is the Gibraltar Regulatory Authority. Their contact details are as follows:
Gibraltar Regulatory Authority,
2nd floor, Eurotowers 4, 1 Europort Road, Gibraltar.
(+350) 20074636/(+350) 20072166 [email protected]
Other websites
Our website may contain links to other websites. This privacy policy applies only to our website, so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.
Changes to our Privacy Policy
We keep our Privacy Policy under review and we regularly update it to keep up with business demands and privacy regulation. We will inform you about any such changes. This Privacy Policy was last updated on 14 March 2024.
How to contact us
If you have any questions about our Privacy Policy or the personal information which we hold about you, please send an email to our Data Protection Officer at [email protected].