Branch FAQs - Data Protection FAQs

Data Protection FAQs

How do you define ‘personal data’? What are the ‘special categories’ of personal data? What does ‘processing personal data’ mean? What types of personal data do you process? Why do you need to process my data? Where’s my personal data held and do you transfer my data outside of the UK? How do you keep my data secure? How do I make a Data Subject Access Request (DSAR) and is there a fee? How long does a Data Subject Access Request (DSAR) take to process? Can I request that you delete my personal data? I’ve just closed my account. How long do you hold my personal data after my account is closed? Do you have a Data Protection Officer? What’s a personal data breach? Do you have processes in place to detect, investigate and report data breaches? Where can I find out more information on how my personal data is processed? How can I contact the data protection team? How do I contact the ICO? What other rights do I have in relation to my data?

How do you define ‘personal data’?

Personal data is any information that can be used to directly or indirectly identify you as a person. A few of the main examples include name, address and account number. Information about companies or public authorities isn’t considered personal data. However, information about individuals acting as sole traders, employees, partners and company directors where they’re individually identifiable, and where the information relates to them as an individual is personal data.

What are the ‘special categories’ of personal data?

Special category data is personal data that’s considered more sensitive, and therefore requires additional protection.

For example, special category data may include information about an individual’s:

Race
Ethnic origin
Politics
Religion or philosophical beliefs
Trade union membership
Genetics
Biometrics (where used for ID purposes)
Health
Sex life
Sexual orientation

What does ‘processing personal data’ mean?

Processing is a broad term that covers activities such as collecting, recording, storing, using, analysing, combining, disclosing or deleting data.

What types of personal data do you process?

We process data we obtain from a number of sources:

Information you give us by filling in forms or by corresponding with us (in branch or by email, post and telephone)
Information we collect about you when you use our banking services such as technical information e.g., IP address and any other information that is collected about your visit to the site and the way you use your account(s)
Information we receive from other sources such as credit reference agencies

Why do you need to process my data?

We process your data to provide products and services to you, to continuously improve our offering, and to ensure we comply with own regulatory and legal obligations.

Where’s my personal data held and do you transfer my data outside of the UK?

All information that you provide us with is stored on our secure servers. Please note that all of our customer databases are held in the UK (inside the European Economic Area (EEA)).

The data we collect may also be transferred and stored at a destination outside the EEA. In particular, we have an operations centre in India, and we engage third parties that may process personal data outside of the EEA. Your personal data may also be processed by staff operating outside the EEA that either work for us or for one of our suppliers. This includes staff engaged in, among other things, the processing of your payment details and the provision of support services.

When we send personal data overseas, we’ll make sure suitable safeguards are in place in accordance with UK/European data protection requirements.

How do you keep my data secure?

We use appropriate technical and organisational measures to protect the information we collect and process about you and our online banking services are provided using secure servers.

In particular when you access our online banking services, we use Secure Sockets Layer (SSL) software to encrypt both the information you transmit and what we return to you. We do this to protect your security.

We regularly review our systems and processes to ensure our online banking services are provided using secure servers; however, no Internet transmission can ever be guaranteed 100% secure. We recommend that you install, use and maintain up-to-date anti-virus, firewall and anti-spyware on your devices. Further advice on the use of email and other aspects of online safety can be found through publicly available resources such as getsafeonline.org

How do I make a Data Subject Access Request (DSAR) and is there a fee?

You can make a DSAR by emailing, calling or writing to us. You can also contact the Data Protection team by emailing dataprotection@osb.co.uk. Please let us know if there’s a specific document you require, as this will reduce the time it takes for us to send it to you.

We do not usually charge a fee for the first DSAR but we may charge a reasonable fee to cover our administrative costs if the request is excessive or if you request further copies of documents already provided to you.

How long does a Data Subject Access Request (DSAR) take to process?

We’ll usually provide you with the data within one month of your request. If we think it’ll take longer, we’ll let you know as soon as possible.

Can I request that you delete my personal data?

If you have an existing account, then we’re unable to delete the information we hold. We need this data to provide services to you and fulfil our legal and contractual obligations. However, you have other rights in respect of the data we hold, including a right of access and to rectify inaccurate data. Please see the below table for details.

If you recently closed your account, please see below.

I’ve just closed my account. How long do you hold my personal data after my account is closed?

We have standard retention periods for various types of information, and generally keep data for six years after the end of the customer relationship. We have a legitimate interest in retaining information beyond the closure of an account so that we can respond to any queries, complaints or claims that may arise.

We cannot normally erase your data within the retention period. However, please be assured that this information is stored in our secure internal systems and isn’t shared or used for any other purposes.

Do you have a Data Protection Officer?

Yes, we have appointed a Data Protection Officer. Please find their contact details below.

Group Data Protection Officer

OneSavings Bank Plc

Reliance House

Sun Pier

Chatham

Kent

ME4 4ET

Alternatively, you can email dataprotection@osb.co.uk

What’s a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

Do you have processes in place to detect, investigate and report data breaches?

Yes, we have comprehensive internal controls to detect, investigate and report potential data breaches. As well as internal detecting and reporting procedures, we have put in place contractual obligations on our suppliers who process customer personal data on our behalf.

Where can I find out more information on how my personal data is processed?

If you’d like to understand more about how we process your personal data, please visit our privacy policies at kentreliance.co.uk/legal/privacy-policy

How can I contact the data protection team?

You can contact the data protection team by emailing dataprotection@osb.co.uk

How do I contact the ICO?

If you’ve got any concerns regarding our processing of your personal data, or aren’t satisfied with our handling of any request by you in relation to your rights, you can make a complaint to the Information Commissioner’s Office.

Their address is:

First Contact Team
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

What other rights do I have in relation to my data?

The GDPR provides the following rights for individuals:

Rights	Description of right
1.The right to be informed	A right to be informed about how we collect and use your personal data.
2. The right of access	A right to access personal data held by us about you.
3. The right to rectification	A right to require us to rectify any inaccurate personal data held by us about you.
4. The right to erasure	A right to require us to erase personal data held by us about you. This right will only apply where (for example): we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we’re using your personal data based on your consent; or where you object to the way we process your data (in line with Right 7 below).
5. The right to restrict processing	In certain circumstances, a right to restrict our processing of personal data held by us about you. This right will only apply where (for example): you dispute the accuracy of the personal data held by us; or where you’d have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but you require the data for the purposes of dealing with legal claims.
6. The right to data portability	In certain circumstances, a right to receive personal data, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to require us to transfer this personal data to another organisation, at your request.
7. The right to object	A right to object to our processing of personal data held by us about you in certain circumstances (including where the processing is necessary for the purposes of the legitimate interests pursued by us or a third party). You also have the right to withdraw your consent where we are relying on it to use your personal data; or ask us to stop processing your data for direct marketing purposes.
8. Rights in relation to automated decision making and profiling	A right not to be subject to a decision based solely on automated processing (without any human involvement), including profiling, in certain circumstances. Please note that we don’t currently undertake automated decision-making within the scope of this right.

Products

Help & Support

Frequently asked questions

Download forms

Data Protection FAQs

Useful Links

Get in touch

© OneSavings Bank plc 2020.

AER stands for Annual Equivalent Rate and illustrates what the interest rate would be if interest was paid and compounded once each year. As every advertisement for a savings product will contain an AER you will be able to compare more easily what return you can expect from your savings over time.

krbs, Kent Reliance Banking Services and Kent Reliance are trading names of OneSavings Bank plc. Registered in England and Wales (company number 7312896). Registered office: Reliance House, Sun Pier, Chatham, Kent, ME4 4ET. OneSavings Bank plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (registered number 530504). We subscribe to the Financial Services Compensation Scheme and the Financial Ombudsman Service. Visit the Money Advice Service