PLEASE NOTE: Due to the current situation with the Coronavirus (COVID-19) pandemic, the Information Commissioner’s Office (ICO) has announced that its offices are closed for the foreseeable future, and won’t be receiving any correspondences by post.


If you’d like to get in touch or make a complaint to the ICO, please call 03031 231113 or visit ico.org.uk/global/contact-us for more information.


How do you define ‘personal data’?

Personal data is any information that can be used to directly or indirectly identify you as a person. A few of the main examples include name, address and account number.  Information about companies or public authorities isn’t considered  personal data. However, information about individuals acting as sole traders, employees, partners and company directors where they’re individually identifiable, and where the information relates to them as an individual is personal data. 

What are the ‘special categories’ of personal data?

Special category data is personal data that’s considered more sensitive, and therefore requires additional protection.
For example, special category data may include information about an individual’s: 
  • Race
  • Ethnic origin
  • Politics
  • Religion or philosophical beliefs
  • Trade union membership
  • Genetics
  • Biometrics (where used for ID purposes)
  • Health
  • Sex life
  • Sexual orientation

What does ‘processing personal data’ mean?

Processing is a broad term that covers activities such as collecting, recording, storing, using, analysing, combining, disclosing or deleting data.

What types of personal data do you process?

We process data we obtain from a number of sources: 

  • Information you give us by filling in forms or by corresponding with us (in branch or by email, post and telephone)
  • Information we collect about you when you use our banking services such as technical information e.g., IP address and any other information that is collected about your visit to the site and the way you use your account(s)
  • Information we receive from other sources such as credit reference agencies

Why do you need to process my data?

We process your data to provide products and services to you, to continuously improve our offering, and to ensure we comply with own regulatory and legal obligations.

Where’s my personal data held and do you transfer my data outside of the UK?

All information that you provide us with is stored on our secure servers. Please note that all of our customer databases are held in the UK (inside the European Economic Area (EEA)).

The data we collect may also be transferred and stored at a destination outside the EEA. In particular, we have an operations centre in India, and we engage third parties that may process personal data outside of the EEA. Your personal data may also be processed by staff operating outside the EEA that either work for us or for one of our suppliers. This includes staff engaged in, among other things, the processing of your payment details and the provision of support services.

When we send personal data overseas, we’ll make sure suitable safeguards are in place in accordance with UK/European data protection requirements.

How do you keep my data secure?

We use appropriate technical and organisational measures to protect the information we collect and process about you and our online banking services are provided using secure servers.

In particular when you access our online banking services, we use Secure Sockets Layer (SSL) software to encrypt both the information you transmit and what we return to you. We do this to protect your security.

We regularly review our systems and processes to ensure our online banking services are provided using secure servers; however, no Internet transmission can ever be guaranteed 100% secure. We recommend that you install, use and maintain up-to-date anti-virus, firewall and anti-spyware on your devices. Further advice on the use of email and other aspects of online safety can be found through publicly available resources such as getsafeonline.org

How do I make a Data Subject Access Request (DSAR) and is there a fee?

You can make a DSAR by emailing, calling or writing to us. You can also contact the Data Protection team by emailing dataprotection@osb.co.uk. Please let us know if there’s a specific document you require, as this will reduce the time it takes for us to send it to you.

We do not usually charge a fee for the first DSAR but we may charge a reasonable fee to cover our administrative costs if the request is excessive or if you request further copies of documents already provided to you.

How long does a Data Subject Access Request (DSAR) take to process?

We’ll usually provide you with the data within one month of your request. If we think it’ll take longer, we’ll let you know as soon as possible.   

Can I request that you delete my personal data?

If you have an existing account, then we’re unable to delete the information we hold. We need this data to provide services to you and fulfil our legal and contractual obligations. However, you have other rights in respect of the data we hold, including a right of access and to rectify inaccurate data. Please see the below table for details.

If you recently closed your account, please see below.

I’ve just closed my account. How long do you hold my personal data after my account is closed?

We have standard retention periods for various types of information, and generally keep data for six years after the end of the customer relationship. We have a legitimate interest in retaining information beyond the closure of an account so that we can respond to any queries, complaints or claims that may arise.

We cannot normally erase your data within the retention period. However, please be assured that this information is stored in our secure internal systems and isn’t shared or used for any other purposes.

Do you have a Data Protection Officer?

Yes, we have appointed a Data Protection Officer. Please find their contact details below. 
Group Data Protection Officer
OneSavings Bank
SR43 4AB
Alternatively, you can email dataprotection@osb.co.uk

What’s a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

Do you have processes in place to detect, investigate and report data breaches?

Yes, we have comprehensive internal controls to detect, investigate and report potential data breaches. As well as internal detecting and reporting procedures, we have put in place contractual obligations on our suppliers who process customer personal data on our behalf.

Where can I find out more information on how my personal data is processed?

If you’d like to understand more about how we process your personal data, please visit our privacy policies at kentreliance.co.uk/legal/privacy-policy

How can I contact the data protection team?

You can contact the data protection team by emailing dataprotection@osb.co.uk

How do I contact the ICO?

If you’ve got any concerns regarding our processing of your personal data, or aren’t satisfied with our handling of any request by you in relation to your rights, you can make a complaint to the Information Commissioner’s Office.

Their address is:

First Contact Team
Information Commissioner’s Office
Wycliffe House
Water Lane

What other rights do I have in relation to my data?

The GDPR provides the following rights for individuals: 


Description of right

1.The right to be informed

A right to be informed about how we collect and use your personal data.

2. The right of access

A right to access personal data held by us about you.

3. The right to rectification

A right to require us to rectify any inaccurate personal data held by us about you.

4. The right to erasure

A right to require us to erase personal data held by us about you. This right will only apply where (for example): we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we’re using your personal data based on your consent; or where you object to the way we process your data (in line with Right 7 below).

5. The right to restrict processing

In certain circumstances, a right to restrict our processing of personal data held by us about you. This right will only apply where (for example): you dispute the accuracy of the personal data held by us; or where you’d have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but you require the data for the purposes of dealing with legal claims.

6. The right to data portability

In certain circumstances, a right to receive personal data, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to require us to transfer this personal data to another organisation, at your request.

7. The right to object

A right to object to our processing of personal data held by us about you in certain circumstances (including where the processing is necessary for the purposes of the legitimate interests pursued by us or a third party). You also have the right to withdraw your consent where we are relying on it to use your personal data; or ask us to stop processing your data for direct marketing purposes.

8. Rights in relation to automated decision making and profiling

A right not to be subject to a decision based solely on automated processing (without any human involvement), including profiling, in certain circumstances. Please note that we don’t currently undertake automated decision-making within the scope of this right.