Privacy Notice

This is the privacy notice for the British Business Bank, which has been written in accordance with UK data protection laws – Data Protection Act 2018 and UK General Data Protection Regulation – to explain what personal data we process and why.

Date last updated: 15.06.2023

Topics covered in our Privacy Notice:

  1. Who we are
  2. Why we process Personal Data
  3. Automated decision making
  4. How we safeguard Personal Data
  5. How long we keep Personal Data
  6. Where we transfer Personal Data to
  7. Sharing Personal Data
  8. Marketing
  9. Confidential Information
  10. Data subject rights under data protection legislation
  11. Contacting us

1. Who we are

  1. 1.1 The British Business Bank plc (BBB, the Bank, we or us) is a government-owned business development bank dedicated with the aim to drive sustainable growth and prosperity across the UK, and to enable the transition to a net zero economy, by supporting access to finance for smaller businesses. Find our more about our objectives.
  2. 1.2 BBB is a public limited company owned by the UK Government; it is registered in England and Wales, registration number 08616013, at Steel City House, West Street, Sheffield, S1 2GQ. BBB is not a banking institution and does not operate as such and is not authorised or regulated by the Prudential Regulation Authority (PRA) or the Financial Conduct Authority (FCA).
  3. 1.3 BBB plc is also the holding company of the group operating under the trading name British Business Bank that consists of different entities, including the companies listed below. Find our more about our corporate structure.
  4. Organisation NameCompany No.
    British Patient Capital Holdings Ltd11270966
    British Business Investments Ltd09091930
    British Patient Capital Limited11271076
    British Business Financial Services Ltd09174621
    British Business Finance Ltd08616013
    The Start-Up Loans Company08117656
    British Business Aspire Holdco Ltd09091928
    Capital For Enterprise Limited06179047
  5. 1.4 We process Personal Data to help achieve our objectives and have registered BBB and its subsidiaries with the Information Commissioner on the Register of Fee Payers (reference no. ZA084015)
    1.5 This privacy notice covers the processing carried out by BBB and its subsidiaries except for those with specific privacy notices, which are accessible by clicking on the links below:
  1. 1.6 For the purposes of this privacy notice, the terms:
    • “BEIS and / or DBT” refers to the former Department for Business, Energy, and Industrial Strategy, which in February 2023 split into three departments including the Department for Business and Trade (DBT).
    • Beneficiaries of BBB programmes” means a third party, usually a Small or Medium Sized Enterprise (SME) or sole trader who has received funding via a BBB programme for their business.
    • Customers” means the individuals who contact us, for example, to make requests for information, sign up to our mailing list, or to make a complaint.  We are not a banking institution and therefore do not have account customers.
    • Delivery Partner” means any third party that delivers a BBB programme. Information about our Delivery Partners can be found on our website under the Programmes header.
    • “Personal Data” as defined in UK GDPR “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

2. Why we process Personal Data

    1. 2.1 The table below shows the Bank’s activities that process Personal Data, the types of Personal Data, the categories of data subject, and the lawful basis for processing

a. Information that you provide to us

No.PurposePersonal Data ProcessedLawful Basis
1Applying for a job or secondment, internship or being engaged as a contractoWe need your name, address, employment history, and whether you currently have the right to work in the UK or if you would require sponsorship in order to obtain that right.

Background checks are completed for all candidates that receive an offer of employment. We use employment agencies to carry out these checks on our behalf, which include Disclosure and Barring Service (DBS) checks, credit checks, employment references, proof of address, and online presence and social media screening.

For some roles, for example: Non-Executive Directors and Executive Committee members, we also complete a directorship check.

If you become an employee, our employee privacy notice will then apply.
Art. 6(1)(b) performance of a contract

Art. 9(2)(b) and the Data Protection Act Schedule 1, Part 1(1) for special category data relating to our employment obligations


Art. 6(1)(e) public task

Art. 9(2)(g) with the Data Protection Act Schedule 1 part 2 paragraph 6(2)(a) for criminal offence information.

2Contacting us (enquiries, complaints)We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you. Art. 6(1)(e) public task
3Requesting information under the Freedom of Information Act, or Data Protection ActWe need your name and contact details and details of the matter being raised, to be able to investigate and reply to you Art. 6(1)(c) legal obligation
4Attending an event or workshop, collecting your business contact details, taking photographs or video of youWe may need your name, organisation and contact details to book your place or attendance.

When we organise or attend events, we may also collect your business card or contact details for the purpose of adding you to our contacts list, so that we can email you about future events or to send you marketing materials.

We always try to tell you of our intention when we collect the information and you can unsubscribe at any time from any marketing (see Section 8).

When we organise events, we may take photographs or video recordings at the venue. We will always tell you of our intention to create photos/videos, and give you the option to opt out of being photographed or filmed. These photos/videos may be used on the Bank’s webpage, social media channels or in printed/electronic reports we publish. These photos/videos may also be shared with and used by our official event partners.
Art. 6(1)(a) consent where the information you provide is optional

Art. 6(1)(e) public task to achieve our objectives

Art 6(1)(f) legitimate interests where we process photographs or videos’
5Responding to a survey or market researchWe usually need your name and contact details, especially if you want us to share the results.

Depending on the market research, you may also choose to provide us with more information, for example your own experiences, opinions, gender, ethnicity, etc.
Art. 6(1)(a) consent where the information you provide is optional

Art. 6(1)(e) processing under public task to achieve our objectives

Art. 9(2)(a) consent where special category data is provided, e.g. gender, ethnicity, health, etc.
6Signing up to our newsletter and communicationsWe usually need your name and email address. Your information will be added to a database or contacts lists, so that you will receive the newsletters.

You can unsubscribe at any time from any marketing (see Section 8).
Art. 6(1)(a) consent where the information you provide is optional
7Applying to be a Delivery Partner (see definition at 1.6)Most of our debt, equity and guarantee programmes are delivered to businesses through third party Delivery Partners (e.g. Enable Funding, Venture Capital, Regional Funds, and Covid-19 Loan Schemes, etc).

To become a Delivery Partner, you are required to express an interest and go through a selection and accreditation process.

We need as a minimum, information about you and your company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth of you and key personnel within your company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest).

We use the information provided to assess your application and carry out Due Diligence.

As part of the Due Diligence, we will use publicly available information and / or proprietary databases to obtain information about the company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures.
Art. 6(1)(e) processing under public task

Art. 6(1)(c) processing under legal obligation to protect public money under the Anti-Money Laundering Regulations
8Direct investmentWhen companies are in scope of a direct investment, we will carry out a due diligence and accreditation process.

We may process Personal Data about you and your company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth, of you and key personnel within your company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest).

As part of the Due Diligence, we will use publicly available information and / or proprietary databases to obtain information about the company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures.

Following the completion of the investment, we shall continue to process information throughout the relationship.

We also collect information in respect of gender and diversity of portfolio companies.

We also manage legacy direct investments, where the shareholdings have transferred to us, and we will continue to process all the relevant information for the life of the investment.
Art. 6(1)(e) processing under public task

Art. 6(1)(c) processing under legal obligation to protect public money under the Anti-Money Laundering Regulations

Processing diversity information under
Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment
9Future Fund SchemeThe Future Fund Scheme is managed through an agreement between DBT and British Business Financial Services Limited.

We collect or obtain Personal Data from or about nominated business contacts under the Future Fund Scheme.

Under the Scheme, applications from an individual may provide information (including Personal Data) on behalf of other related individuals e.g., lead investor or nominated business contacts on behalf of syndicate members or a Chief Financial Officer acting on behalf of a business management team, solicitors, directors, shareholders, etc. The information includes names, signatures, addresses, contact details, proof of identity, as well as financial information.

We will ask the individual providing the information to confirm they have the agreement of the others to do so.

We have contracted with external auditors to carry out due diligence on the applications, investee companies and investors, to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures.

The Personal Data is processed for analytical and administrative purposes, for fraud prevention or in response to law enforcement requests, for report to the UK Government, or other state, supranational or public body or to contact or make enquiries about a loan applicant.

As part of its commitment to signing HM Treasury’s Investing in Women Code, the Future Fund will supply HM Treasury with statistics on founder gender.

We also ask for and publish diversity information about the companies that have obtained investment.

We will continue to process information throughout our relationship with the company i.e., for the period whilst the loan is outstanding or holds shares in the capital of the company.

We will share Future Fund information with DBT and other third parties where appropriate, see Section 7.

We will share Future Fund information with debt collection agencies to establish and exercise our contractual rights and to recover debts on our behalf.

We will also publish the names of the companies that convert the Future Fund loan into equity and / or go into administration
Art. 6(1)(e) processing under public task

Processing diversity information under
Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment
10Providing details for case studiesWe need your name and contact details to develop the case study about your/your company’s experience.Art. 6(1)(a) consent
11Finance Hub interactive tool and newsletterThe Finance Hub provides an online 6 step interactive tool for you to enter information about your business to help find what finance options are available (region, sector, amount, reason for finance, profit and assets).

The information entered is not personal data nor is it captured by the Bank; however, you can subscribe to the Finance Hub newsletter if you want to receive information about our latest guides, events and case studies, to support your business.

When you subscribe, you will provide your name and email address, which will be added to our database / contacts lists, so as to send the newsletters.

You can unsubscribe at any time (see Section 8).
Art. 6(1)(a) consent
12AlertsWe advertise our current vacancies on our website, but you can sign up to receive job alerts when the vacancies are published.

To receive the alerts, you will need to create an account on our online recruitment portal, which is provided by Access UK Ltd, which means we need to process your name and email address.

We rely on your consent to process your personal data and you can withdraw your consent and / or change the job alert settings or delete your account at any time. We will ask you to refresh your consent after 12 months and if you do not re-affirm, your account will be disabled and then deleted.

The recruitment portal can also be used to apply for a vacancy.
Art. 6(1)(a) consent

b. Information we collect or obtain for or through our programmes

NoPurposePersonal Data ProcessedLawful Basis
1Enable Guarantee and Enable FundingThe Enable Guarantee and Enable Funding programme is managed by British Business Financial Services Limited on behalf of DBT.

We engage Delivery Partners to deliver the programmes.

Prospective Delivery Partners will express their interest and provide information about the company including contact names and email addresses. If the application goes to formal proposal, we will carry out Due Diligence as part of the ‘Applying to be a Delivery Partner process’ (see Section 1.6).

We will continue to process information throughout our relationship with the Delivery Partner.
Art. 6(1)(e) processing under public task
2Enterprise Finance Guarantee (EFG) The Enterprise Finance Guarantee programme is managed by British Business Financial Services Limited on behalf of DBT.

Prospective Delivery Partners will express their interest and provide information about the company including contact names and email addresses. If the application goes to formal proposal, we will carry out Due Diligence as part of the ‘Applying to be a Delivery Partner process’ (see Section 1.6).

Delivery Partners collect information from the successful EFG loan applications for the purpose of managing the scheme and assessing its take up, effectiveness, and losses.

The Personal Data processed includes: borrowing company name, trading name, registered address or office, postcode, company registration number if relevant, type of business, loan amount, turnover, loan status, etc., which in the case of sole traders is likely to be Personal Data.

We will continue to process information throughout our relationship with the Delivery Partner.
Art. 6(1)(e) processing under public task
3Regional FundsThe Regional Funds are managed by British Business Financial Services Limited on behalf of DBT.

We manage three regional funds acting as the Fund of Fund Managers: Northern Powerhouse Investment Fund, Midlands Engine Investment Fund, and Cornwall and Islands of Scilly Investment Fund.

The Funds are delivered to businesses through a network of Fund Managers, which were appointed through a tender exercise.

We process Personal Data of the fund managers, which are corporate entities. As part of the tender process, Due Diligence was carried out ‘Applying to be a Delivery Partner process’ (see Section 1.6).

We will continue to process information throughout our relationship with the Fund Managers, which will include the name and email addresses for the Fund Managers.

We also collect information in respect of gender and diversity of fund managers and investee companies.
Art. 6(1)(e) processing under public task

Processing diversity information under
Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment
4Venture Solutions We engage Fund Managers to invest venture capital into small and medium sized enterprises (e.g. Enterprise Capital Funds Programme).

Fund Managers apply to be a Delivery Partner and will provide information about the company including contact names and email addresses. If the application goes to formal proposal, we will carry out Due Diligence as part of the ‘Applying to be a Delivery Partner process’ (see Section 1.6).

We will continue to process information throughout our relationship with the Fund Manager.

We also collect information in respect of gender and diversity of fund managers and investee companies.
Art. 6(1)(e) processing under public task

Processing diversity information under
Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment
5Covid-19 loan schemes The Covid loans are delivered through one of the Bank’s subsidiaries: British Business Financial Services Limited.

We collect information from our Delivery Partners in respect of the Coronavirus Business Interruption Loan Scheme (CBILS), Coronavirus Large Business Interruption Loan Scheme (CLBILS), and the Bounce Back Loan Scheme (BBLS) for analytical and administrative purposes, for fraud prevention or in response to law enforcement requests, for reporting to the UK Government, European Commission, or other state, supranational or public body or to contact or make enquiries about a loan applicant.

Delivery Partners must provide us with a subset of the loan application information from every successful application i.e. approved loan, including: name of the borrower, any trading name, registered address or office, postcode, company registration number if relevant, type of business, loan amount, turnover, loan status, etc., which in the case of sole traders is likely to be Personal Data.

Delivery Partners will also provide information in respect of business interruption payments and the status of the loans and PricewaterhouseCoopers was contracted to provide operational support to the loan schemes.

We will share loan data with DBT, its agents and auditors any of our affiliates, advisers, agents or contractors including professional advisers and consultants, auditors and advisers processing agents, fund managers, Delivery Partners and companies providing services to the Bank and its affiliates, Government departments and Devolved Administrations (including but not limited to the National Audit Office, Office for National Statistics, HM Treasury and DBT) and other politicians or government members (i.e. ministers) relevant third parties for analytical and administrative purposes, to evaluate the effectiveness of the schemes and the potential costs and losses.

We contracted with PricewaterhouseCoopers and other third parties to carry out data analytics for estimated credit losses or potential fraud, which will involve the processing of Personal Data.

As part of the Bounce Back Loan Scheme application process, the Bank commissioned Cifas to create and host a database to enable Delivery Partners to check for duplicate applications and update the status of a loan application to help prevent fraud. Cifas is a not-for-profit fraud prevention service that aims to detect, deter, and prevent fraud.

Additional public body or law enforcement information is added to the Cifas duplicate account database where it is deemed appropriate for counter-fraud purposes. The Bank will share the Cifas data with government departments and law enforcement agencies to help prevent and detect crime and apprehend and prosecute offenders and carry out, where appropriate fraud analytics (see sections 7.5 and 7.7).

Where required, details of the loan awarded (Recipient and loan amount, for example), will be shared with the European Commission and/ or the UK Government and published on the state aid transparency databases (see section 7.8 and 7.9).
Art. 6(1)(e) processing under public task

Art. 6(1)(c) reporting to the European Commission
6Covid-19 Recovery Loan SchemeThe Recovery Loan Scheme is delivered through one of the Bank’s subsidiaries: British Business Financial Services Limited.

We collect information from our Delivery Partners in respect of the Scheme for analytical and administrative purposes, for fraud prevention or in response to law enforcement requests, for reporting to the UK Government, European Commission, or other state, supranational or public body or to contact or make enquiries about a loan applicant.

Delivery Partners must provide us with a subset of the loan application information from every successful application i.e. approved loan, including: name of the borrower, any trading name, registered address or office, postcode, company registration number if relevant, type of business, loan amount, turnover, loan status, etc., which in the case of sole traders is likely to be Personal Data.

Delivery Partners will also provide information in respect of the status of the loans and we contracted PricewaterhouseCoopers to provide operational support to the scheme.

We will share loan data with DBT, its agents and auditors any of our affiliates, advisers, agents or contractors including professional advisers and consultants, auditors and advisers processing agents, fund managers, Delivery Partners and companies providing services to the Bank and its affiliates Government departments and Devolved Administrations (including but not limited to the National Audit Office, Office for National Statistics, HM Treasury and DBT) and other politicians or government members (i.e. ministers) relevant third parties for analytical and administrative purposes, to evaluate the effectiveness of the schemes and the potential costs and losses as well as data fraud analytics. (see Section 7.5 and 7.7).

Where required, details of the loan awarded (Recipient and loan amount, for example), will be shared with the European Commission and/ or the UK Government and published on the state aid transparency databases (see section 7.8 and 7.9).
Art. 6(1)(e) public task

Art. 6(1)(c) reporting state aid to the European Commission and/ or to the UK Government
7Investing in Women CodeBBB is committed to the Investing in Women Code and the Rose Review to support the advancement of female entrepreneurship.

BBB support the Code by hosting the online form that organisations use to apply to commit to the Code. The online form captures the personal data of the organisation’s representative who will act as a lead contact. The personal data includes the contact’s name, job title, email address and telephone number as well as the name and address of the organisation they represent.

The details submitted via the online form are given to DBT who administer the Code and their privacy notice is available at https://www.great.gov.uk/privacy-and-cookies/.

DBT shares information with BBB and the Code’s take up to help analyse trends in lending and investments to women entrepreneurs, but the information is aggregated and does not identify any individuals.
Art. 6(1)(e) public task
8LIFTSThe Long-term Investment for Technology and Science (LIFTS) is a crowd-in initiative for institutional investors to science and technology companies.
Investors will express their interest and provide information about their institution / company including contact names, email addresses, etc. If an application goes to formal proposal, we will carry out Due Diligence as part of the ‘Applying to be a Delivery Partner process’ (see Section 1.6).
We will continue to process information throughout the relationship with the Investor.
Art. 6(1)(e) processing under public task


c. General Business Activities

No.PurposePersonal Data ProcessedLawful Basis
1Business ImprovementsWe may process Personal Data as part of our work to develop, test, improve and evaluate our systems and processes.

The Personal Data processed will vary according to the specific activity, but will always be the minimum necessary.
Art. 6(1)(c) processing under legal obligation

Art. 6(1)(e) processing under public task
2Business Management & OperationsWe process Personal Data every day to deliver our services, which includes complying with our policies; communicating with colleagues and stakeholders, managing our employees, contractors and suppliers; carrying out our legal, financial and regulatory duties, as well as our governance, risk management and audit functions.

The Personal Data processed will vary according to the specific activity, but will be the minimum necessary.
Art. 6(1)(c) processing under legal obligation

Art. 6(1)(e) processing under public task
3Cookies and website We collect details of your visits to our websites and the resources that you access (which may include, amongst other things; traffic data and communication data) for the purpose of improving our website performance, system administration and to evaluate use of our websites.

The British Business Bank website is the parent website, but we also have websites for

British Business Investments
British Patient Capital
The Start-Up Loans Company
The Finance Hub
Recruitment Portal
Future Fund
Northern Powerhouse Investment Fund
Midlands Engine Investment Fund
Cornwall & Isles of Scilly Investment Fund

We use cookies and similar technologies to distinguish you from other users of these sites. Further information about the cookies used is available in our Cookie Policies.
Art. 6(1)(a) consent for the cookies that are not strictly necessary
4Market ResearchWe may commission market research to better understand the finance markets or how our programmes have been received or how we can deliver services to smaller businesses or the different segments of the market, for example looking at equality.

We may commission a provider to carry out surveys or consultations on our behalf who will then provide us with aggregated anonymous results.

On some occasions, we may be required to give the provider Personal Data to enable the initial contact to be made to determine if you are willing to take part in the survey or consultation.
Art. 6(1)(f) processing is in our legitimate interests
5Data Analysis / VisualisationWe analyse the data we hold to report on performance, forecast trends, and help inform our decision making.

The analysis will include personal data, for example when processing the data held about the loan and investment schemes and programmes, for example the names and registered addresses of sole traders, limited partnerships, fund managers, but also unique reference numbers such as company reference number that may allow persons associated with the company to be identified.

We also process special category data to help us understand the gender and ethnicity make up of our fund managers and delivery partners and improve our approach to Environmental, Social and Governance.

We aim to use the minimum personal data necessary in our analysis and, where possible, report aggregated data.

We also import data from Companies House and Office for National Statistics (ONS) for the purpose of enriching the information we have about the beneficiary companies supported through the various debt/equity and guarantee funds. This data includes personal data in the form of sole trader names and registered addresses. The use of Companies House allows us to identify incorporation date and company status. The use of ONS data and beneficiary company postcode allows us to identify the corresponding Region, District, Constituency and Electoral ward which is then used to represent geospatial demographics.
Art. 6(1)(e) processing under public task

Processing diversity information under
Art. 9(2)(g) substantial public interest and Data
6CCTV CamerasWe have CCTV cameras in the Sheffield and London office areas, primarily access points, such as the entrances and exits to the premises and in certain restricted areas.

The cameras process the images of individuals (no audio recordings).

Signs are displayed prominently around the sites to inform staff and visitors that CCTV cameras are in operation and who to contact for further information.

The cameras are in place for the personal safety of our staff and visitors to our sites, to assist in identifying, apprehending, and prosecuting any offenders on Company premises, to protect the Company’s buildings and assets and those of its staff from intrusion, theft, vandalism, damage, or disruption, and may also be used to assist in grievances, formal complaints and investigations, and for the defence of the Bank or its colleagues with regards to legal or insurance claims

CCTV recordings are held for 30 days before being automatically overwritten.
Art. 6(1)(f) processing is in our legitimate interests

3. Automated decision making

We do not currently make any automated decisions about individuals.  It is possible; however, an automated decision or profiling may occur with cookie and other similar technology that are enabled our websites. If you believe you have been subject to automated decision making or profiling, you have the right to contact us and ask for a manual review (see Section 11 for contact details).

4. How we safeguard personal data

4.1 We will keep Personal Data secure by taking appropriate technical and organisational measures to protect it against unauthorised or unlawful processing, loss, destruction, or damage.

4.2 We have extensive controls in place to maintain the security of our information and information systems, which include encryption, information classification, anonymisation, and pseudonymisation.  Client files are protected with safeguards according to the sensitivity of the relevant information and access controls are placed on our computer systems. Physical access to areas where Personal Data is gathered, processed, or stored is limited to authorised employees.

4.3 The Bank’s employees are required to follow all applicable laws and regulations, including in relation to data protection laws. Access to Special Category Data (sensitive Personal Data) is limited to those who need to it to perform their roles. Unauthorised use or disclosure of Personal Data is prohibited and may result in disciplinary measures.

4.4 When you contact us about a matter, you may be asked for some Personal Data, to help us verify your identity and entitlement to the Personal Data we hold.

5. How long we keep personal data

5.1 We keep Personal Data for as long as necessary for the purpose for which it is processed.  We typically keep information for a minimum of six  years from the last action (e.g. file closure, contract end, etc.), but in the case of State aid programmes (i.e. Covid-19 loan schemes), information is expected to be kept for a minimum of 10 years.

6. Where we transfer personal data to

6.1 Personal data is predominantly stored in the UK or the European Union; however, where we process Personal Data elsewhere we shall ensure it is protected and transferred in a manner consistent with legal requirements and in accordance with adequacy agreements and / or appropriate safeguards (i.e. International Data Transfer Agreements).

7. Sharing personal data

7.1 We may share your Personal Data within the Bank and its subsidiaries for the purposes described above.

7.2 We may share your Personal Data with Government departments, public-sector bodies and other associated Partner organisations for the purpose of scheme administration, market analysis, research and data analysis and analytics, for example including, but not limited to: HMRC, DBT, Cabinet Office, HM Treasury, UK Finance, Financial Conduct Authority, Prudential Regulation Authority, NATIS, National Crime Agency, Bank of England, Office of National Statistics.

7.3 We may also share your Personal Data with our Delivery Partners for the purpose of delivering our programmes.  Our website provides details of our programmes and key delivery partners.

7.4 We may also share Personal Data if we are required or permitted to do so by applicable law, regulation or legal process, for example including (but not limited to)  HMRC for payroll or tax purposes; Financial Conduct Authority, Financial Ombudsman Service, Information Commissioner’s Office as independent Regulators; Health and Safety Executive to report health and safety matters; with the UK Government and / or the European Commission to comply with the UK’s international subsidiary reporting requirements and / or State aid laws.

7.5 We may also share Personal Data with law enforcement or other government officials to help prevent or detect crime or apprehend or prosecute offenders; when we believe disclosure is necessary to prevent physical harm or financial loss to us, or one of our subsidiaries, colleagues or stakeholders as required or permitted by law; to establish, exercise or defend our legal rights; or in connection with an investigation of suspected or actual fraud, illegal activity, or any security matters.

7.6 Where we contract any part of our business operations or functions that involve the processing of Personal Data, we have contractual clauses to ensure the Personal Data is processed in accordance with data protection requirements.  Our contracted providers include (but are not limited to) IT and communication providers; market research; data analysis; accountants; auditors; debt collection etc. A list of our key contracted providers is available on Contracts Finder.

7.7 We will also share data from the Covid-19 loan schemes and the Future Fund Scheme (and any other of our programmes, where appropriate to do so) with BEIS, other government departments, law enforcement agencies, regulatory bodies and other relevant stakeholders for the prevention and detection of crime, in particular fraud, to investigate specific cases as well as to enable data analytics to attempt to discover possible or as yet undetected fraudulent or other criminal behaviour, patterns or trends against public authorities and public money (i.e. Section 56 of the Digital Economy Act 2017, Section 68 of the Serious Crime Act 2007).

7.8 Where legally required, we will share information relating to individual Covid-19 loans (which may include amongst other details the identity of the borrowers and size of loan) with the European Commission under the State aid Temporary Framework and the approval for the ‘Covid-19 Temporary Framework for UK Authorities’. The European Commission will make this information publicly available on its State aid transparency public search website. For each of the Bounce Back Loan Scheme, the Coronavirus Business Interruption Loan Scheme and the Coronavirus Large Business Interruption Loan Scheme, there is a requirement to report and publish information on individual aid exceeding €100,000, or exceeding €10,000 if the Borrower operates in the agriculture or fisheries sectors. Please note, the ‘aid amount’ includes the loan, the fees and interest payments the Government has paid on behalf of the borrower for the first 12 months of the loan.

7.9 Where legally required, we will also share information relating to individual Covid-19 loans (which may include amongst other details the identity of the borrowers and size of loan) on the UK’s public transparency database to enable compliance with the UK’s international subsidy reporting requirements with regards to the UK-EU Trade and Co-operation Agreement, World Trade Organization Agreement on Subsidies and Countervailing Measures and other Free Trade Agreements.

8. Marketing

8.1 We may use your Personal Data to provide you with marketing information that you request or that we consider may interest you, by post, email and/or telephone (including SMS) as follows:

  • If you are an existing customer or have taken steps to become a customer by using the Websites or contacting us, we may contact you by post, email and/or telephone (including SMS) with information about products and services which are similar to those we previously provided to you, unless, at the time we collect your contact information, you have indicated that you do not want to receive marketing information; or
  • If you are a new customer, we may contact you by post, email and/or telephone (including SMS) if you have consented to receiving such information.

8.2 We will not pass your Personal Data to third parties for their marketing purposes.

8.3 We operate an integrated communications programme, which means we use your Personal Data to communicate with you through several different channels; including direct mail and email. Our aim is to keep you up to date with information you have expressed an interest in.

8.4 If you no longer wish to receive marketing communications from us, you can ‘opt out’ of them at any time. You will be able to change your preferences by clicking on the relevant link at the bottom of any marketing emails you may receive. You may also ask us at any time not to use your Personal Data for marketing purposes by contacting us via the methods listed in the ‘How to contact us’ section below.

9. Confidential information

9.1 We are a public body and subject to the Freedom of Information Act 2000 (FOIA). The FOIA provides people the right to request access to recorded information and we are obliged to disclose the information unless an FOIA exemption applies. Section 40 of the FOIA provides an exemption to the disclosure of personal data and, although it is not absolute, the exemption applies where the disclosure would contravene data protection.

10. Data Subject rights under Data Protection Legislation

10.1 Data protection provides rights to data subjects; these rights are listed below and you can exercise them by contacting us using the details in Section 11.

TermExplanation
ConsentIf we are processing your Personal Data on the basis of consent, for example you have subscribed to our mailing list, you have the right to withdraw your consent at any time,  and expect us to carry out your wishes promptly.
The right of accessThe right to request access to the Personal Data we hold about you, subject to exceptions.
The right to objectWhere you have actively provided your consent for us to process your Personal Data, the right to withdraw your consent at any time, for example to be removed from our marketing lists. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason (other than consent) for doing so.
The right of data portabilityIn some circumstances, the right to receive some Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit such data to a third party where this is feasible. Please note that this right only applies to Personal Data which you have provided to us.
The right to rectificationThe right to correct any errors in Personal Data we hold about you, and to change or correct any details you have already given us. It is important that any contact data you provide is kept accurate and up to date so that we can contact you should we need to.
The right to erasureThe right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data where we are legally entitled to retain it.
The right to restrict processingThe right to request that we restrict our processing of your Personal Data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your Personal Data where we are legally entitled to refuse that request.
Automated decision making and profilingThe right to know what automated decisions are made about you and the reasons why and to ask for a manual review of that decision if it affects your legal rights or other equally important matters. The right to object to profiling in certain situations, for example direct marketing.

10.2 Data protection rights are not always absolute and where we cannot fulfil the request, we will explain why. For general information about data rights, see the Information Commissioner’s website at ico.org.uk/your-data-matters

11. How to contact us

11.1 If you have any questions or comments regarding how we handle your Personal Data, you can contact us or our Data Protection Officer at DataProtection@british-business-bank.co.uk or write to the British Business Bank, Steel City House, West Street, Sheffield, S1 2GQ.

11.2 If, after speaking to us regarding any of the ways we use your Personal Data, you wish to make a complaint, you can do so by contacting the Information Commissioner’s Office: www.ico.org or telephone 0303 123 1113.