Privacy

Your information will be held by TSB Bank plc ('TSB'), under the trading name Whistletree (“Whistletree”). Any reference to "we" or "us" is to TSB. You can contact us by writing to: Data Privacy, Whistletree, PO Box 116, Skipton BD23 9FF. Alternatively, you can write to: Whistletree Data Protection Officer, TSB Bank plc, 8 Bishopsgate, London, EC2N 4BQ.

Please read this Privacy Notice to understand how we use and protect the information that you provide to us.

Your information

Whistletree is committed to providing local banking for Britain. And we want you to have trust and confidence in the way we deal with your information.

The UK is a world leader in data protection and privacy. To comply with UK laws, we have to manage your personal information fairly, lawfully and transparently. This means you’ll know how we use your information and we’ll tell you about your rights.

All our employees are responsible for maintaining customer confidentiality. We provide training and education to all employees and we regularly review our policies and procedures. Our aim is to make sure that you have confidence in TSB and feel comfortable about giving us your information. We think that safely looking after your information is a key part of our relationship.

We have a dedicated team that looks after data privacy rights. We also have a Data Protection Officer (‘DPO’) to guide the business and oversee our use of your information. If you want to contact us about data privacy or how we manage your information, please write to: Data Privacy, Whistletree, PO Box 116, Skipton BD23 9FF.

Why and how we manage your information

When you apply for a product or service, and throughout our relationship, you’ll provide personal information to us. We’ll also collect certain information about you from others.

Providing our products and services.


Whose data will we receive? All Whistletree customers.
What type of data will we receive?
  • Data confirming your identity.
  • Data relating to credit history and status of you or any associated person.
  • Data relating to any fraudulent activity or suspected fraudulent activity concerning you or any associated person.
  • Data relating to Politically Exposed Persons (PEPs).
Who will send us data?
  • Credit Reference and Fraud Agencies. See more information below.
  • CIFAS, a not-for-profit fraud prevention membership organisation. For more information on CIFAS go to www.cifas.org or write to: Consumer Affairs, CIFAS, 6th floor, Lynton House, 7–12 Tavistock Square, London WC1H 9LT.

Whose data will we receive? Mortgage customers.
What type of data will we receive? Name, address, property details, financial details.
Who will send us data? Your mortgage advisor.

Whose data will we receive? Joint account holders.
What type of data will we receive? Where one person opens a joint account, they’ll provide us with the name and address of the joint account holder, who will also become a Whistletree customer.
Who will send us data? The person who opens the account, or adds the joint account holder to an existing account.

Whose data will we receive? Company directors, significant shareholders, business partners, etc.
What type of data will we receive? For business accounts, we’ll receive personal data relating to all people who own, or have a controlling interest in, the business account.
Who will send us data? The individual who opens the account, or who notifies us of additional people associated with the business or account.

Whose data will we receive? Guarantors, deposit providers, and similar.
What type of data will we receive? If a person guarantees to pay Whistletree any sums that a customer may owe, or provides a deposit (for example when a Whistletree customer takes out a mortgage) we’ll record enough details to let us contact them if/when needed. Where they provide the deposit from their bank account, we’ll record the account details.
Who will send us data? The Whistletree customer.

Whose data will we receive? Property vendors, employers and others who interact with Whistletree customers.
What type of data will we receive? If a person takes out a Whistletree mortgage to purchase a property they will, in most cases, give Whistletree the vendor’s name and address. Where another person pays the mortgage deposit, Whistletree will note the name, address and account details of the person paying the deposit. In some circumstances, Whistletree customers provide us with their employer’s details, such as name, address and payroll number.
Who will send us data? The Whistletree mortgage holder.

Whose data will we receive? Providers of professional services.
What type of data will we receive? Business/trading name, address, contact details, internal reference, membership of professional bodies, levels of insurance (if any), identity of client and other information provided to us in the course of delivering the professional services in question.
Who will send us data? Whistletree customer, the person or organisation you are providing professional services to, professional bodies and public sources.

We use this personal information to do all the things you expect from us. And to meet our obligations to you under our Terms and Conditions. This includes:

  • Recording money in and out of your accounts
  • Providing you with products and services
  • Telling you about important changes or developments to the features and operation of these products and services
  • Responding to your enquiries and complaints
  • Carrying out financial reviews
  • Administering offers, competitions and promotions
  • Updating, consolidating and improving the accuracy of our records
  • Managing your relationship with us
  • Arrears and debt recovery activities
  • Crime detection, prevention and prosecution

We won’t be able to maintain an account or service if you fail to provide certain information.

Why we use your information

We use your information so we can deliver the banking service and products that Britain wants in the 21st century. This includes using your information so we can:

Determine your eligibility.

Like all banks, we use automated processes to carry out financial reviews and make faster decisions (for example determining your eligibility for an account or service). But we want to make sure this works for you and us.

We’ll use automated processes to help decide the appropriate amount of credit that we should provide, and to carry out credit and fraud prevention checks. Due to the sheer amount of information involved and the volume of applications, routine human involvement is impractical or impossible. So, to allow us to provide banking services, we need to do this work in an automated way. Some fraud checks that we carry out are necessary to meet our legal obligations.

Based on the information you provide us, we’ll compare this against different metrics to determine whether you meet the eligibility criteria for an account. Or to determine whether you’ll be able to make repayments on a product.

We work hard to make sure we make the right decision. Sometimes this means saying no to offering you an account or product. In making these decisions, we’ll pass information to, and receive information from, Credit Reference Agencies.

If we make an automated decision on something important to you, we’ll always allow you to contest the decision, give your views and make sure there’s proper human involvement. If you want to exercise this right, please contact our Data Rights Team using the contact details at the top of this Notice. Where possible you should provide any additional relevant information you’d like us to consider. The logic and outcomes of this decision-making are tested regularly to make sure they’re fair, effective and unbiased.

Improve our performance.

We’ll use your information to make sure we give you and other customers the best possible service.

This includes testing new systems, checking upgrades to existing systems, training, undertaking transactional analysis, conducting audits and assessing lending and insurance risks. It also involves customer modelling, statistical and trend analysis aimed at developing and improving products and services, as well as providing information to Regulators. We do this to meet our legitimate interests in providing better services to our customers and making sure your information is appropriately protected.

Send Direct Marketing and Promotional Material.

Occasionally we’ll offer you an opportunity to receive direct marketing and promotional information. We value our relationship, so we do our best to only send you information we think may be of interest to you personally. We’ll do this by post, email, phone or SMS. But we’ll only send direct marketing to TSB customers in this way if you’ve consented to receive it. And don’t worry. You can withdraw your consent at any time.

We take great care to make sure that information you receive from TSB Bank is likely to be of interest to you. We do this by comparing our range of products and services with what we know about your needs and interests. While we will only send marketing to you if you have consented to this, we do the work of making sure any marketing is likely to be of interest to you personally in order to meet our legitimate interests in sending marketing material about products you might be interested in. You can tell us to stop doing this at any time by contacting our Data Rights Team, by clicking ‘unsubscribe’ in any marketing email we send you or by following the instructions in our marketing SMS.

When you log in to other secure websites, you may also see TSB advertisements we think may interest you. You can object to this by contacting our Data Rights Team. This means you’ll experience more general webpages. You won’t see fewer advertisements, and the pages and ads may be less relevant to you.

Make the most of social media.

If you interact with TSB through social media we may use your information to help us communicate.

To deliver the best customer experience, we partner with software providers that allow us to connect with you via online communities and blogs. These partners manage personal information only in accordance with our instructions. TSB can also require these partners to delete your information, or return it securely to TSB, at the end of our contract with them.

Do what you ask us to do.

If you request services from us, or ask a question, we’ll use your personal information to respond. This is to make sure we can provide the best possible service.

Comply with legal obligations.

This might include providing information to HMRC, preventing fraud, money laundering and doing what our Regulators require. We only do this where strictly necessary to comply with these legal obligations.

Deliver better banking for Britain.

This includes using personal information to make sure we:

  • Manage and develop customer relations
  • Assess the suitability of existing and proposed products for our customers
  • Pass information to Credit Reference Agencies (as described below)
  • Conduct internal or external reviews of our performance and quality
  • Instruct our internal or external legal teams
  • Detect and prevent fraud and liaise with police and other anti-fraud agencies
  • Engage with and interact on social media
  • Make sure we manage TSB as effectively and efficiently as possible

We use your personal information in this way as it’s in our business interests. It also allows us to defend our rights, provide a better service to our customers and understand what our customers want from us. Whenever we use your personal information, we’ll always make sure we work to protect your interests and rights. We won’t use your personal information for any purpose incompatible with those set out above. We’ll keep your data appropriately secure, and let you know if we use it for a new purpose.

Occasionally we’ll ask for your specific consent to use your personal information. This might be when we want to record sensitive information, such as details about your health or ethnicity. Asking for your consent gives you control over how this information is used. You can withdraw this consent at any time.

Passing your information to others

We treat your personal information as private and confidential. In some instances, we may disclose it outside TSB for the purposes set out above (including sharing information with partners who help us provide services). This may include sharing it with subcontractors. They’ll act solely on our instructions or behalf and will only use your information for the purposes set out above.

We’ll disclose information to others to meet our contractual obligations to you in accordance with the Terms and Conditions, including where:

  • Your information relates to a joint account, where the other account holder(s) may be entitled to see your transactions
  • It's needed by other parties connected with your account (including guarantors)
  • We need to share information with other lenders who also hold a charge on your property

We’ll also disclose information where strictly necessary to comply with our legal obligations, including where:

  • HMRC or other authorities require it
  • The law, a regulatory body or the public interest requires it
  • It's required as part of our duty to protect your accounts
  • It's required by us or others to detect, investigate or prevent crime or fraud

Information can also be made available where you consent or ask us to. If you give your consent, you can withdraw it at any time and we’ll stop disclosing the information in that way.

Credit Reference Agencies.

In order to process your application for a product or service, we’ll perform credit and identity checks on you with one or more credit reference agencies (‘CRAs’). If you use our banking services we may also make periodic searches at CRAs to help manage your account.

To do this, we’ll supply your personal information to CRAs and they’ll give us information about you. This will include information from your credit application and about your financial situation and history. CRAs will supply us with public data (including the electoral register) as well as shared credit, financial situation, financial history and fraud prevention information.

We’ll use this information to:

  • Assess your creditworthiness and whether you can afford to take out a product
  • Verify the accuracy of the data you’ve provided
  • Prevent criminal activity, fraud and money laundering
  • Manage your account(s)
  • Trace and recover debts
  • Make sure any offers provided to you are appropriate to your circumstances

We’ll continue to exchange information about you with CRAs while you have a relationship with us. We’ll also inform them about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs. When CRAs receive a search from us they’ll place a search footprint on your credit file that may be seen by other lenders.

If you’re making a joint application, or tell us that you have a spouse or financial associate, we’ll link your records together. So make sure you discuss and share this information with them before providing the details to us. CRAs will also link your records together. These links will remain on both your files until you or your partner successfully files for a disassociation with the CRAs to break that link.

The identities of CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with CRAs are explained in detail at www.experian.co.uk/crain. CRAIN is also accessible from each of the CRAs that TSB uses — visiting any of these links will take you to the same CRAIN document:

Callcredit www.callcredit.co.uk/crain
Equifax www.equifax.co.uk/crain
Experian www.experian.co.uk/crain

Fraud Prevention Agencies.

To make sure we help in the international fight against terrorism, money laundering, modern slavery and other criminal activities, the government requires us to screen applications made to us. As a result, we will disclose information to fraud prevention agencies and to government bodies. If we think there is a risk of fraud, we may block access or stop activity on an account. We will study patterns of activity, check for unusual transactions and monitor devices used to access TSB’s systems, including Internet Protocol (IP) addresses.

Transferring your information outside of the UK

The UK and other EEA countries provide a high standard of data protection and privacy. However, we may run your accounts and provide other services from centres outside the UK and EEA that do not have a similar standard of data protection laws. If so, we’ll require your personal information to be protected to at least UK standards. So we only transfer personal information to:

  • Countries that have been confirmed as protecting personal information to UK and EU standards
  • Companies in the USA certified as providing an adequate level of protection

In other instances, we’ll put contractual commitments in place which make sure personal information is protected to UK and EU standards.

If you want to learn more about the specific countries to which we transfer personal data, or need a copy of the safeguards we have in place for particular countries, contact the Data Rights Team.

We may process payments through other financial institutions, such as banks and the worldwide payments system operated by the SWIFT organisation. For instance, this can happen if you make a CHAPS or foreign payment. These external organisations may process and store your personal information abroad and may have to disclose it to foreign authorities to help them in their fight against crime and terrorism. If these are based outside the UK and EEA, your personal information may not be protected to standards similar to those in the UK. However, we’ll take steps, including using contractual commitments, to make sure that an adequate level of protection is provided.

How long we will keep your information

We’ll keep your information for as long as your account or product application takes. And for as long as you have accounts or products with us. We’ll also keep your personal information for a certain period after your application has ended or you’ve closed your accounts.

When determining how long this period will last, we take into account our legal obligations, the expectations of financial and data protection regulators, and the amount of time we may strictly need to hold your personal information to carry on our business or defend our rights. For example, if you have a Whistletree mortgage, we’ll keep your information and account details while the account is open. To meet our legal and regulatory requirements, we must keep much of this information for a number of years after the account is closed — even if you do not have another account with us.

We’ll also need to keep your information in archived form in order to defend our legal rights. This may be for the period during which legal claims can be made under applicable law. In the UK, this is six years for contractual claims. We have policies and procedures in place to make sure that we delete information no longer needed for any of these purposes.

Your rights

You have certain rights over your personal information. These include the right to access a copy of your personal information, or have some elements of it transmitted to you or another company in a common electronic format. In certain circumstances you can have your personal information corrected or erased, or you can restrict our use of it. You also have the right to object to the way we use your personal information as described above.

We generally won’t charge you to exercise these rights. You have the following rights:

Access

You have a right to ask TSB if we have your personal information. If we do, you have a right to know:

  • Why we have it
  • What type of information we possess
  • Whether we have or will send it to others, especially outside the European Economic Area (view a list of EEA countries)
  • How long we will keep it
  • Where we got it from
  • Details of any automated decision-making.

If you want a copy of your information, please write to:
DSAR Unit
Whistletree
PO Box 116
Skipton
BD23 9FF

Rectification

Where any of your information is incorrect, you have a right to tell us to correct it promptly. Please tell us as quickly as possible if you change your address or other contact details. If your information is incomplete, you can ask us to correct this too.

In certain circumstances, you’ll have the following extra rights:

Right to object

Depending on the legal basis for which we are using your information, you may be entitled to object. For example, where we’re using your information connected with marketing, we will stop if you object. However, if we’re using your information to meet certain legal obligations, we may continue to do so even if you object.

Erasure (right to be forgotten)

You may have a right to have some or all of the information we hold about you deleted. However, you should be aware that, as a bank, we are required to retain many records even after you close your account.

Portability

In certain circumstances you would be entitled to receive some of your information from us. We can either pass the information to you, or to another person or business if you want.

Restriction

You might also be entitled to ask us to restrict our use of your information — for example if you think the information we hold on you is incorrect.

Automated decision-making

We’ll use automated systems to make decisions about whether you’re eligible for a particular product or service, and to carry out credit and fraud prevention checks. Based on the information you give us, we’ll compare this against different metrics to determine whether you meet the eligibility criteria, or to work out whether you’ll be able to make repayments on a product.

We work hard to make the right decision. Sometimes this means saying no to offering you a product. If we make an automated decision on something important to you, we’ll always allow you to contest the decision, give your views and make sure there’s proper human involvement. The logic and outcomes of this decision-making are tested regularly to make sure they’re fair, effective and unbiased.

Consent

If you consent to us using your information, you have the right to withdraw that consent at any time.

You can exercise these rights by contacting:

Data Rights Team
Whistletree
PO Box 116
Skipton
BD23 9FF 

We aim to work with you on any request, complaint or question you have about your personal information. However, if you believe we have not adequately resolved a matter, you have the right to complain to the Information Commissioner’s Office (the ‘ICO’). You have a right, at any time, to complain to the ICO. As an independent UK authority, it upholds information rights in the public interest, promotes openness by public bodies and data privacy for individuals. You can visit their website at https://ico.org.uk or ask for details from our Data Rights Team.

Cookies

In general, you can visit our website without identifying who you are or revealing any information about yourself. However, cookies are used to store small amounts of information on your computer, which allows certain information from your web browser to be collected. Cookies are widely used on the internet and do not identify the individual using the computer, just the computer being used. Cookies and other similar technology make it easier for you to log on to and use our websites during future visits.

For further information please call 0330 159 6612, 8.30am – 6pm Monday to Friday.