Privacy Notice

This is the privacy notice for the British Business Bank plc, which has been written in accordance with UK data protection laws to explain what personal data we process and why.

Date last updated: 13 September 2024

1. Who we are

1.1 The British Business Bank plc (BBB, the Bank, we or us) is a government-owned business development bank dedicated with the aim to drive sustainable growth and prosperity across the UK, and to enable the transition to a net zero economy, by supporting access to finance for smaller businesses. Find out more about our objectives.

1.2 BBB is a public limited company owned by the UK Government; it is registered in England and Wales, registration number 08616013, at Steel City House, West Street, Sheffield, S1 2GQ. BBB is not a banking institution and does not operate as such and is not authorised or regulated by the Prudential Regulation Authority (PRA) or the Financial Conduct Authority (FCA).

1.3 BBB plc is also the holding company of the group operating under the trading name British Business Bank that consists of different entities, including the companies listed below, and also available on our legal corporate structure chat.

Organisation NameCompany No.
British Patient Capital Holdings Ltd11270966
British Business Investments Ltd09091930
British Patient Capital Limited11271076
British Business Financial Services Ltd09174621
British Business Finance Ltd08616013
The Start-Up Loans Company08117656
British Business Aspire Holdco Ltd09091928
Capital For Enterprise Limited06179047

1.4 We process Personal Data to help achieve our objectives and have registered BBB and its subsidiaries with the Information Commissioner on the Register of Fee Payers (reference no. ZA084015).

1.5 This privacy notice covers the processing carried out by BBB and its subsidiaries except for those with specific privacy notices, which are accessible by clicking on the links below:

1.6 For the purposes of this privacy notice, the terms:

  • DBT” refers to the Department for Business and Trade (DBT).
  • Beneficiaries of BBB programmes” means a third party, usually a Small or Medium Sized Enterprise (SME) or sole trader who has received funding via a BBB programme for their business.
  • Customers” means the individuals who contact us, for example, to make requests for information, sign up to our mailing list, or to make a complaint. We are not a banking institution and therefore do not have account customers.
  • Delivery Partner” means any third party that delivers a BBB programme. Information about our Delivery Partners can be found on our website under the Programmes header.
  • Personal Data” as defined in UK GDPR “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

2. Why we process Personal Data

2.1 The table below shows the Bank’s activities that process Personal Data, the types of Personal Data, the categories of data subject, and the lawful basis for processing.

A. Information that you provide to us

No.PurposePersonal Data ProcessedLawful Basis
1Applying for a job or secondment, internship or being engaged as a contractor

We need your name, address, employment history, and whether you currently have the right to work in the UK or if you would require sponsorship in order to obtain that right.

Background checks are completed for all candidates that receive an offer of employment. We use employment agencies to carry out these checks on our behalf, which include Disclosure and Barring Service (DBS) checks, credit checks, employment references, proof of address, and online presence and social media screening.

For some roles, for example: Non-Executive Directors and Executive Committee members, we also complete a directorship check.

If you become an employee, our employee privacy notice will then apply.

Data subjects: applicants

Art. 6(1)(b) performance of a contract

Art. 6(1)(e) to comply with legal obligations of the Equality Act 2010

Art. 9(2)(b) and the Data Protection Act Schedule 1, Part 1(1) for special category data relating to our employment obligations

Art. 6(1)(e) public task

Art. 9(2)(g) with the Data Protection Act Schedule 1 part 2 paragraph 6(2)(a) for criminal offence information.

2Contacting us (enquiries, complaints)

We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you.

Data subjects: applicants, delivery partners, loan recipients, business contacts, suppliers, general public

Art. 6(1)(e) public task
3Requesting information under the Freedom of Information Act, or Data Protection Act

We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you.

Data subjects: requestors

Art. 6(1)(c) legal obligation
4Attending an event or workshop, collecting your business contact details, taking photographs or video of you

We may need your name, organisation and contact details to book your place or attendance.

When we organise or attend events, we may also collect your business card or contact details for the purpose of adding you to our contacts list, so that we can email you about future events or to send you marketing materials.

We always try to tell you of our intention when we collect the information and you can unsubscribe at any time from any marketing (see Section 8).

When we organise events, we may take photographs or video recordings at the venue. We will always tell you of our intention to create photos/videos, and give you the option to opt out of being photographed or filmed. These photos/videos may be used on the Bank’s webpage, social media channels or in printed/electronic reports we publish. These photos/videos may also be shared with and used by our official event partners.

Data subjects: business contacts, delivery partners, loan recipients, suppliers, fund managers, sole traders

Art. 6(1)(a) consent where the information you provide is optional.

Art. 6(1)(e) public task to achieve our objectives.

5Responding to a survey or market research

We usually need your name and contact details, especially if you want us to share the results.

Depending on the market research, you may also choose to provide us with more information, for example your own experiences, opinions, gender, ethnicity, etc.

Data subjects: business contacts, delivery partners, loan recipients, fund managers, suppliers.

Art. 6(1)(a) consent where the information you provide is optional

Art. 6(1)(e) public task to achieve our objectives.

Art. 9(2)(a) consent where special category data is provided, e.g. gender, ethnicity, health, etc.

6Signing up to our newsletter and communications

We usually need your name and email address. Your information will be added to a database or contacts lists, so that you will receive the newsletters.

You can unsubscribe at any time from any marketing (see Section 8).

Data subjects: business contacts, delivery partners, loan recipients, fund managers, suppliers, general public, sole traders

Art. 6(1)(a) consent where the information you provide is optional
7Providing details for case studies

We need your name and contact details to develop the case study about your/your company’s experience.

Data subjects: business contacts, delivery partners, loan recipients, investors, fund managers, suppliers, employees

Art. 6(1)(a) consent
8Finance Hub interactive tool and newsletter

The Finance Hub provides an online 6 step interactive tool for you to enter information about your business to help find what finance options are available (region, sector, amount, reason for finance, profit and assets).

The information entered is not personal data nor is it captured by the Bank; however, you can subscribe to the Finance Hub newsletter if you want to receive information about our latest guides, events and case studies, to support your business.

When you subscribe, you will provide your name and email address, which will be added to our database / contacts lists, so as to send the newsletters.

You can unsubscribe at any time (see Section 8).

Data subjects: businesses, sole traders, business contacts, prospective borrowers.

Art. 6(1)(a) consent

B. Information we collect or obtain for or through our programmes

No.PurposePersonal Data ProcessedLawful Basis
1Applying to be a Delivery Partner (see definition at 1.6)

Most of our debt, equity and guarantee programmes are delivered to businesses through third party Delivery Partners (e.g. Enable Funding, Venture Capital, Regional Funds, and Covid-19 Loan Schemes, the Recovery Loan Scheme, the Growth Guarantee Scheme etc.)

To become a Delivery Partner, you are required to express an interest and go through a selection and accreditation process.

We need as a minimum, information about you and your company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth of you and key personnel within your company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest).

We use the information provided to assess your application and carry out Due Diligence (see section 2b below).

Data subjects: prospective delivery partners, agents, fund managers

Art. 6(1)(e) public task

Art. 6(1)(c) legal obligation to protect public money under the Anti-Money Laundering Regulations

2Know Your Customer/ Due Diligence

Whilst we are not a regulated authority, we carry out due diligence.

As part of the Due Diligence, we will use publicly available information and / or proprietary databases to obtain information about the company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism, and anti-money laundering measures.

Art. 6(1)(e) public task
3Enable Guarantee and Enable Funding

The Enable Guarantee and Enable Funding programme is managed by British Business Financial Services Limited on behalf of DBT.

We engage Delivery Partners to deliver the programmes.

Prospective Delivery Partners will express their interest and provide information about the company including contact names and email addresses. If the application goes to formal proposal, we will carry out Due Diligence as part of the ‘Applying to be a Delivery Partner process’ (see B1 above).

We will continue to process information throughout our relationship with the Delivery Partner. Data subjects: prospective delivery partners, agents, fund managers.

Art. 6(1)(e) public task
4Enterprise Finance Guarantee (EFG)

The Enterprise Finance Guarantee programme is managed by British Business Financial Services Limited on behalf of DBT.

Prospective Delivery Partners will express their interest and provide information about the company including contact names and email addresses. If the application goes to formal proposal, we will carry out Due Diligence as part of the ‘Applying to be a Delivery Partner process’ (see B1 above).

Delivery Partners collect information from the successful EFG loan applications for the purpose of managing the scheme and assessing its take up, effectiveness, and losses.

The Personal Data processed includes: borrowing company name, trading name, registered address or office, postcode, company registration number if relevant, type of business, loan amount, turnover, loan status, etc., which in the case of sole traders is likely to be Personal Data.

We will continue to process information throughout our relationship with the Delivery Partner. Data subjects: sole traders, partnerships.

Art. 6(1)(e) public task
5Regional Funds

The Regional Funds are managed by British Business Financial Services Limited on behalf of DBT.

We manage three regional funds acting as the Fund of Fund Managers: Northern Powerhouse Investment Fund, Midlands Engine Investment Fund, and Cornwall and Islands of Scilly Investment Fund.

The Funds are delivered to businesses through a network of Fund Managers, which were appointed through a tender exercise.

We process Personal Data of the fund managers, which are corporate entities. As part of the tender process, Due Diligence was carried out ‘Applying to be a Delivery Partner process’ (see B1 above).

We will continue to process information throughout our relationship with the Fund Managers, which will include the name and email addresses for the Fund Managers.

We also collect information in respect of gender and diversity of fund managers and investee companies. Data subjects: fund managers, sole traders, partnerships, business contacts.

Art. 6(1)(e) public task

Processing diversity information under Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment.

6Venture Solutions

We engage Fund Managers to invest venture capital into small and medium sized enterprises (e.g. Enterprise Capital Funds Programme).

Fund Managers apply to be a Delivery Partner and will provide information about the company including contact names and email addresses. If the application goes to formal proposal, we will carry out Due Diligence as part of the ‘Applying to be a Delivery Partner process’ (see B1 above).

We will continue to process information throughout our relationship with the Fund Manager.

We also collect information in respect of gender and diversity of fund managers and investee companies. Data subjects: fund managers, partnerships, business contacts, investees

Art. 6(1)(e public task

Processing diversity information under Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment

7Direct investment

When companies are in scope of a direct investment, we will carry out a due diligence and accreditation process.

We may process Personal Data about you and your company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth, of you and key personnel within your company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest).

As part of the Due Diligence, we will use publicly available information and / or proprietary databases to obtain information about the company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures.

Following the completion of the investment, we shall continue to process information throughout the relationship.

We also collect information in respect of gender and diversity of portfolio companies.

We also manage legacy direct investments, where the shareholdings have transferred to us, and we will continue to process all the relevant information for the life of the investment. Data subjects: fund managers, sole traders, partnerships, business contacts, investees

Art. 6(1)(e) public taskArt. 6(1)(e) public task

Art. 6(1)(c) legal obligation to protect public money under the Anti-Money Laundering Regulations

Processing diversity information under Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment

Art. 6(1)(c) legal obligation to protect public money under the Anti-Money Laundering Regulations

Processing diversity information under Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment

8Covid-19 loan schemes

The Covid loan schemes are delivered through one of the Bank’s subsidiaries: British Business Financial Services Limited.

We collect information from our Delivery Partners in respect of the Coronavirus Business Interruption Loan Scheme (CBILS), Coronavirus Large Business Interruption Loan Scheme (CLBILS), and the Bounce Back Loan Scheme (BBLS) for analytical and administrative purposes, for fraud prevention or in response to law enforcement requests, for reporting to the UK Government, European Commission, or other state, supranational or public body or to contact or make enquiries about a loan applicant.

Delivery Partners provide us with a subset of the loan application information of every successful application i.e. approved loan, including: name of the borrower, any trading name, registered address or office, postcode, company registration number if relevant, type of business, loan amount, turnover, loan status, etc., which in the case of sole traders is likely to be Personal Data.

Delivery Partners also provide information in respect of business interruption payments, repayments, and claims against the guarantee.

We share loan scheme data with DBT, its agents and auditors any of our affiliates, advisers, agents or contractors including professional advisers and consultants, auditors and advisers processing agents, fund managers, Delivery Partners and companies providing services to the Bank and its affiliates, Government departments and Devolved Administrations (including but not limited to the National Audit Office, Office for National Statistics, HM Treasury and DBT) and other politicians or government members (i.e. ministers) relevant third parties for analytical and administrative purposes, to evaluate the effectiveness of the schemes and the potential costs and losses.

We contracted with PricewaterhouseCoopers and other third parties to carry out data analytics for estimated credit losses or potential fraud, which will involve the processing of Personal Data.

As part of the Bounce Back Loan Scheme application process, the Bank commissioned Cifas to create and host a database to enable Delivery Partners to check for duplicate applications and update the status of a loan application to help prevent fraud. Cifas is a not-for-profit fraud prevention service that aims to detect, deter, and prevent fraud.

Additional public body or law enforcement information is added to the Cifas duplicate account database where it is deemed appropriate for counter-fraud purposes. The Bank will share the Cifas data with government departments and law enforcement agencies to help prevent and detect crime and apprehend and prosecute offenders and carry out, where appropriate fraud analytics (see sections 7.5 and 7.7).

Where required, details of the loan awarded (Recipient and loan amount, for example), will be shared with the European Commission and/ or the UK Government and published on the state aid transparency databases (see section 7.8 and 7.9).

Data subjects: sole traders, partnerships, business contacts, accredited lenders, loan recipients

Art. 6(1)(e) public task

Art. 6(1)(c) reporting to the European Commission

9Growth Guarantee Scheme (formerly the Recovery Loan Scheme)

On 1 July 2024, the Recovery Loan Scheme was extended and rebranded to the Growth Guarantee Scheme. The Growth Guarantee Scheme is delivered through one of the Bank’s subsidiaries: British Business Financial Services Limited.

We collect information from our Delivery Partners in respect of the Scheme for analytical and administrative purposes, for fraud prevention or in response to law enforcement requests, for reporting to the UK Government, European Commission, or other state, supranational or public body or to contact or make enquiries about a loan applicant.

Delivery Partners must provide us with a subset of the loan application information from every successful application i.e. approved loan, including: name of the borrower, any trading name, registered address or office, postcode, company registration number if relevant, type of business, loan amount, turnover, loan status, etc., which in the case of sole traders is likely to be Personal Data.

We share loan scheme data with DBT, its agents and auditors any of our affiliates, advisers, agents or contractors including professional advisers and consultants, auditors and advisers processing agents, fund managers, Delivery Partners and companies providing services to the Bank and its affiliates Government departments and Devolved Administrations (including but not limited to the National Audit Office, Office for National Statistics, HM Treasury and DBT) and other politicians or government members (i.e. ministers) relevant third parties for analytical and administrative purposes, to evaluate the effectiveness of the schemes and the potential costs and losses as well as data fraud analytics. (see Section 7.5 and 7.7).

Where required, details of the loan awarded (Recipient and loan amount, for example), will be shared with the European Commission and/ or the UK Government and published on the state aid transparency databases (see section 7.8 and 7.9).

Data subjects: sole traders, partnerships, business contacts, accredited lenders, loan recipients

 
10Investing in Women Code

BBB is committed to the Investing in Women Code and the Rose Review to support the advancement of female entrepreneurship.

BBB support the Code by hosting the online form that organisations use to apply to commit to the Code. The online form captures the personal data of the organisation’s representative who will act as a lead contact. The personal data includes the contact’s name, job title, email address and telephone number as well as the name and address of the organisation they represent.

The details submitted via the online form are given to DBT who administer the Code and their privacy notice is available at https://www.great.gov.uk/privacy-and-cookies/. DBT shares information with BBB and the Code’s take up to help analyse trends in lending and investments to women entrepreneurs, but the information is aggregated and does not identify any individuals.

Data subjects: business contacts, individual subscribers

Art. 6(1)(e) public task
11LIFTS

The Long-term Investment for Technology and Science (LIFTS) is a crowd-in initiative for institutional investors to science and technology companies.

Investors will express their interest and provide information about their institution / company including contact names, email addresses, etc. If an application goes to formal proposal, we will carry out Due Diligence as part of the ‘Applying to be a Delivery Partner process’ (see Section 1.6).

We will continue to process information throughout the relationship with the Investor.

Data subjects: prospective delivery partners, business contacts

Art. 6(1)(e) processing under public task

C. General Business Activities

No.PurposePersonal Data ProcessedLawful Basis
1Business Improvements

We may process Personal Data as part of our work to develop, test, improve and evaluate our systems and processes.

The Personal Data processed will vary according to the specific activity, but will always be the minimum necessary.

Data subjects: customers, loan recipients, investors, sole traders, partnerships, business contacts, accredited lenders, employees, suppliers

Art. 6(1)(c) legal obligation

Art. 6(1)(e) public task

2Business Management and Operations

We process Personal Data every day to deliver our services, which includes complying with our policies; communicating with colleagues and stakeholders, managing our employees, contractors and suppliers; carrying out our legal, financial and regulatory duties, as well as our governance, risk management and audit functions.

The Personal Data processed will vary according to the specific activity, but will be the minimum necessary.

Data subjects: customers, loan recipients, investors, sole traders, partnerships, business contacts, accredited lenders, employees, suppliers

Art. 6(1)(c) legal obligation

Art. 6(1)(e) public task

3Cookies and website

We collect details of your visits to our websites and the resources that you access (which may include, amongst other things; traffic data and communication data) for the purpose of improving our website performance, system administration and to evaluate use of our websites.

The British Business Bank website is the parent website, but we also have websites for

British Business Investments

British Patient Capital

The Start-Up Loans Company

The Finance Hub

Recruitment Portal

Future Fund

Northern Powerhouse Investment Fund

Midlands Engine Investment Fund

Cornwall and Isles of Scilly Investment Fund

We use cookies and similar technologies to distinguish you from other users of these sites. Further information about the cookies used is available in our Cookie Policies.

Data subjects: web browsers

Art. 6(1)(a) consent for the cookies that are not strictly necessary
4Market Research

We may commission market research to better understand the finance markets or how our programmes have been received or how we can deliver services to smaller businesses or the different segments of the market, for example looking at equality.

We may commission a provider to carry out surveys or consultations on our behalf who will then provide us with aggregated anonymous results.

On some occasions, we may be required to give the provider Personal Data to enable the initial contact to be made to determine if you are willing to take part in the survey or consultation.

Data subjects: customers, loan recipients, investors, sole traders, partnerships, business contacts, accredited lenders, employees, suppliers

Art. 6(1)(f) legitimate interests
5Data Analysis / Visualisation

We analyse the data we hold to report on performance, forecast trends, and help inform our decision making.

The analysis will include personal data, for example when processing the data held about the loan and investment schemes and programmes, for example the names and registered addresses of sole traders, limited partnerships, fund managers, but also unique reference numbers such as company reference number that may allow persons associated with the company to be identified.

We also process special category data to help us understand the gender and ethnicity make up of our fund managers and delivery partners and improve our approach to Environmental, Social and Governance.

We aim to use the minimum personal data necessary in our analysis and, where possible, report aggregated data.

We also import data from Companies House and Office for National Statistics (ONS) for the purpose of enriching the information we have about the beneficiary companies supported through the various debt/equity and guarantee funds. This data includes Personal Aata in the form of sole trader names and registered addresses. The use of Companies House allows us to identify incorporation date and company status. The use of ONS data and beneficiary company postcode allows us to identify the corresponding Region, District, Constituency and Electoral ward which is then used to represent geospatial demographics.

Data subjects: loan recipients, investors, sole traders, partnerships, business contacts, accredited lenders

Art. 6(1)(e) public task

Processing diversity information under Art.9(2)(g) substantial public interest

6CCTV Cameras

We have CCTV cameras in the Sheffield and London office areas, primarily access points, such as the entrances and exits to the premises and in certain restricted areas.

The cameras process the images of individuals (no audio recordings).

Signs are displayed prominently around the sites to inform staff and visitors that CCTV cameras are in operation and who to contact for further information.

The cameras are in place for the personal safety of our staff and visitors to our sites, to assist in identifying, apprehending, and prosecuting any offenders on Company premises, to protect the Company’s buildings and assets and those of its staff from intrusion, theft, vandalism, damage, or disruption, and may also be used to assist in grievances, formal complaints and investigations, and for the defence of the Bank or its colleagues with regards to legal or insurance claims.

CCTV recordings are held for 30 days before being automatically overwritten.

Data subjects: employees, visitors

Art. 6(1)(f) legitimate interests

3. Automated decision making

3.1 We do not currently make any automated decisions about individuals. It is possible; however, an automated decision or profiling may occur with cookie and other similar technology that are enabled our websites. If you believe you have been subject to automated decision making or profiling, you have the right to contact us and ask for a manual review (see Section 11 for contact details).

4. How we safeguard personal data

4.1 We will keep Personal Data secure by taking appropriate technical and organisational measures to protect it against unauthorised or unlawful processing, loss, destruction, or damage.

4.2 We have controls in place to maintain the security of our information and information systems, which may include encryption, information classification, anonymisation, and pseudonymisation. Our files are protected with safeguards according to the sensitivity of the relevant information and access controls are placed on our computer systems. Physical access to areas where Personal Data is gathered, processed, or stored is limited to authorised employees.

4.3 BBB employees are required to follow all applicable laws and regulations, including in relation to data protection laws. Access to Special Category Data (sensitive Personal Data) is limited to those who need to it to perform their roles. Unauthorised use or disclosure of Personal Data is prohibited and may result in disciplinary measures.

4.4 When you contact us about a matter, you may be asked for some Personal Data, to help us verify your identity and entitlement to the Personal Data we hold.

5. How long we keep personal data

5.1 We keep Personal Data for as long as necessary for the purpose for which it is processed. We typically keep information for a minimum of seven years from the last action (e.g. file closure, contract end, etc.), but in the case of State aid programmes (i.e. Covid-19 loan schemes, the Recovery Loan Scheme and the Growth Guarantee Scheme), information is expected to be kept for a minimum of 10 years.

6. Where we transfer personal data to

6.1 Personal data is predominantly stored in the UK or the European Union; however, where we process Personal Data elsewhere we shall ensure it is protected and transferred in a manner consistent with legal requirements and in accordance with adequacy agreements and / or appropriate safeguards (i.e. International Data Transfer Agreements).

7. Sharing personal data

7.1 We may share your Personal Data within the Bank and its subsidiaries for the purposes described above.

7.2 We may share your Personal Data with Government departments, public-sector bodies and other associated organisations for the purpose of programmes administration, market analysis, research and data analysis and analytics, for example including, but not limited to: HMRC, DBT, Cabinet Office, HM Treasury, UK Finance, Financial Conduct Authority, Prudential Regulation Authority, NATIS, National Crime Agency, Bank of England, Office of National Statistics.

7.3 We may also share your Personal Data with our Delivery Partners for the purpose of delivering our programmes. Our website provides details of our programmes and key delivery partners.

7.4 We may also share Personal Data if we are required or permitted to do so by applicable law, regulation or legal process, for example including (but not limited to) HMRC for payroll or tax purposes; Financial Conduct Authority, Financial Ombudsman Service, Information Commissioner’s Office as independent Regulators; Health and Safety Executive to report health and safety matters; with the UK Government and / or the European Commission to comply with the UK’s international subsidiary reporting requirements and / or State aid laws.

7.5 We may also share Personal Data with law enforcement or other government officials to help prevent or detect crime or apprehend or prosecute offenders; when we believe disclosure is necessary to prevent physical harm or financial loss to us, or one of our subsidiaries, colleagues or stakeholders as required or permitted by law; to establish, exercise or defend our legal rights; or in connection with an investigation of suspected or actual fraud, illegal activity, or any security matters.

7.6 Where we contract any part of our business operations or functions that involve the processing of Personal Data, we have contractual clauses to ensure the Personal Data is processed in accordance with data protection requirements. Our contracted providers include (but are not limited to) IT and communication providers; market research; data analysis; accountants; auditors; debt collection etc. A list of our key contracted providers is available on Contracts Finder.

7.7 We will also share data from the Covid-19 loan schemes, the Recovery Loan Scheme, the Growth Guarantee Scheme and the Future Fund Scheme (and any other of our programmes, where appropriate to do so) with DBT, other government departments, law enforcement agencies, regulatory bodies and other relevant stakeholders for the prevention and detection of crime, in particular fraud, to investigate specific cases as well as to enable data analytics to attempt to discover possible or as yet undetected fraudulent or other criminal behaviour, patterns or trends against public authorities and public money (i.e. Section 56 of the Digital Economy Act 2017, Section 68 of the Serious Crime Act 2007).

7.8 Where legally required, we will share information relating to individual Covid-19, Recovery Loan Scheme and Growth Guarantee Scheme loans (which may include amongst other details the identity of the borrowers and size of loan) with the European Commission under the State aid Temporary Framework and the approval for the ‘Covid-19 Temporary Framework for UK Authorities’. The European Commission will make this information publicly available on its State aid transparency public search website. For each of the Bounce Back Loan Scheme, the Coronavirus Business Interruption Loan Scheme and the Coronavirus Large Business Interruption Loan Scheme, there is a requirement to report and publish information on individual aid exceeding €100,000, or exceeding €10,000 if the Borrower operates in the agriculture or fisheries sectors. Please note, the ‘aid amount’ includes the loan, the fees and interest payments the Government has paid on behalf of the borrower for the first 12 months of the loan.

7.9 Where legally required, we will also share information relating to individual Covid-19, Recovery Loan Scheme and Growth Guarantee Scheme loans (which may include amongst other details the identity of the borrowers and size of loan) on the UK’s public transparency database to enable compliance with the UK’s international subsidy reporting requirements with regards to the UK-EU Trade and Co-operation Agreement, World Trade Organization Agreement on Subsidies and Countervailing Measures and other Free Trade Agreements.

8. Marketing

8.1 We may use your Personal Data to provide you with marketing information that you request or that we consider may interest you, by post, email and/or telephone (including SMS) as follows:

  • If you are an existing customer or have taken steps to become a customer by using our websites or contacting us, we may contact you by post, email and/or telephone (including SMS) with information about products and services which are similar to those we previously provided to you, unless, at the time we collect your contact information, you have indicated that you do not want to receive marketing information; or
  • If you are a new customer, we may contact you by post, email and/or telephone (including SMS) if you have consented to receiving such information.

8.2 We do not buy or sell Personal Data for marketing purposes.

8.3 We operate an integrated communications programme, which means we use your Personal Data to communicate with you through several different channels; including direct mail and email. Our aim is to keep you up to date with information you have expressed an interest in.

8.4 If you no longer wish to receive marketing communications from us, you can ‘opt out’ of them at any time. You will be able to change your preferences by clicking on the relevant link at the bottom of any marketing emails you may receive. You may also ask us at any time not to use your Personal Data for marketing purposes by contacting us via the methods listed in the ‘How to contact us’ section below.

9. Confidential information

9.1 We are a public body and subject to the Freedom of Information Act 2000 (FOIA). The FOIA provides people the right to request access to recorded information and we are obliged to disclose the information unless an FOIA exemption applies. Section 40 of the FOIA provides an exemption to the disclosure of personal data and, although it is not absolute, the exemption applies where the disclosure would contravene data protection.

10. Data Protection Rights

10.1 Data protection provides rights to data subjects; these rights are listed below and you can exercise them by contacting us using the details in Section 11.

TermMeaning
ConsentIf we are processing your Personal Data on the basis of consent, for example you have subscribed to our mailing list, you have the right to withdraw your consent at any time and expect us to carry out your wishes promptly.
The right of accessThe right to request access to the Personal Data we hold about you, subject to exceptions.
The right to objectWhere you have actively provided your consent for us to process your Personal Data, the right to withdraw your consent at any time, for example to be removed from our marketing lists. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason (other than consent) for doing so.
The right of data portabilityIn some circumstances, the right to receive some Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit such data to a third party where this is feasible. Please note that this right only applies to Personal Data which you have provided to us.
The right to rectificationIn some circumstances, the right to receive some Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit such data to a third party where this is feasible. Please note that this right only applies to Personal Data which you have provided to us.
The right to erasureThe right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data where we are legally entitled to retain it.
The right to restrict processingThe right to request that we restrict our processing of your Personal Data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your Personal Data where we are legally entitled to refuse that request.
Automated decision making and profilingThe right to know what automated decisions are made about you and the reasons why and to ask for a manual review of that decision if it affects your legal rights or other equally important matters. The right to object to profiling in certain situations, for example direct marketing.

10.2. Data protection rights are not always absolute and where we cannot fulfil the request, we will explain why. For general information about data rights, see the Information Commissioner’s website.

11. Contacting Us

11.1 If you have any questions or comments regarding how we handle your Personal Data, you can contact us or our Data Protection Officer at DataProtection@british-business-bank.co.uk or write to the British Business Bank, Steel City House, West Street, Sheffield, S1 2GQ.

11.2 If, after speaking to us regarding any of the ways we use your Personal Data, you wish to make a complaint, you can do so by contacting the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or see their website for alternative contact details.