Our Privacy Policy
This privacy notice explains
- Who we are
- How we collect, share and use your personal information
- How you can exercise your privacy rights.
Personal information is any information that can be used to identify you as a unique individual.
Yorkshire Building Society (YBS) includes the trading names under which we operate (Chelsea Building Society, the Chelsea, Norwich and Peterborough Building Society, N&P and Egg) and its subsidiary companies. Any references to ‘us’, ‘our’ and ‘we’ means ‘YBS’.
YBS is the data controller and means we decide how and why your personal information is handled.
EU representative
To comply with the General Data Protection Regulation (2016/679), if you are in the European Union, we have appointed a European representative.
If you wish to contact them, their details are:
Bird & Bird GDPR Representative Services SRL
Avenue Louise 235
1050 Bruxelles
Belgium
EUrepresentative.YBS@twobirds.com
Personal information we collect from you
We collect your personal information when:
- You apply for a job or role with us either directly or through a third party acting on your behalf (i.e.
recruitment agency)
- You attend a job fair and speak to us
- You complete any surveys run by us
- We update your information online, in branch or over the phone (such as when you change your address)
- You speak to us on the phone (we may record some calls for training and quality purposes)
- You use our websites, online web chat services and any digital or mobile app we may offer now or in the future
- You send us in letters, emails or other documents such as your CV
- We use information that you’ve made public, such as social media content or when you interact with our
social media profiles.
The types of personal information we collect from you are:
- Identity details which includes your title and full name
- Contact details which includes your home address, email address and phone number
- Financial data which includes your bank account details and credit checks
- Profile data which includes your citizenship status, sex, CV, education history, salary information,
emergency contact details, employment status and employment history, social media accounts
- Identification documents which includes your driving licence, passport, National Insurance number and
other national identifiers
- Technical data which includes internet protocol (IP) address, location data, operating system, time zone
etc.
We also collect special categories of personal data which include:
- Health data which includes any physical disability, mental disability or any medical condition
- Criminal data which includes information about criminal convictions and offences, allegations (proven
or unproven) and investigations, penalties and restrictions, County Courts Judgements and insolvency
details as well as information relating to the absence of convictions - Sensitive data which includes information about your race or national or ethnic origin, religion or beliefs,
sexual orientation
It is important that the personal information we hold about you is accurate and up to date.
Please keep us informed of any changes to your personal information, such as change of contact details etc.
Personal information we collect from others
As part of our relationship with you, we collect or receive personal information about you from certain third parties to help us make decisions and onboard you including:
- Current and former employers (e.g. refer a friend scheme)
- Referees
- Your nominated representatives
- Local authorities (electoral roll)
- The Insolvency Service
- Courts and tribunal service
- Credit reference agencies
- HM Revenue & Customs and other tax authorities
- Fraud prevention agencies
- Job Train
- Recruitment agencies
- Online job boards
- Credit reference agencies.
If someone acting on your behalf provides this information, we’ll record what’s been provided and who gave it to us.
How we use your personal information
Purpose/Activity | Types of personal information | Legal Basis |
Managing your application for a job or role with us | - Identity data - Contact data - Profile data | Our legitimate interest |
Communicating with you via our various channels | - Identity data | Our legitimate interests |
Onboarding checks to enter into an employment | - Identity data | Necessary for the
performance |
Meeting our legal and regulatory obligations | - Identity data | Legal obligation |
Conducting surveys to understand your experience | - Identity data | Our legitimate interest |
Preventing and detecting fraud | - Identity data | Our legitimate interest Legal obligation |
Whistleblowing processing | - Identity data | Legal obligation |
Testing our systems and processes | - Identity data | Our legitimate interest |
To develop and improve our processes, | - Identity data | Our legitimate interest |
Capturing CCTV images and recording in our branches | - Identity data | Our legitimate interest |
To administer and protect our business and website | - Identity data
- Contact data | Our legitimate interest |
Where we are processing your personal information for our legitimate business interests, you may object to us doing that. We also collect special categories of data for the following purposes:
Purpose/Activity | Special category of
personal | Legal basis | Additional legal basis |
Anti-money laundering management | - Criminal data | Legal obligation | Substantial public interest (suspicion of terrorist financing or money laundering) |
Preventing and detecting fraud | - Criminal data | Our legitimate interest | Substantial public interest (preventing fraud) |
To assess your suitability for certain roles | - Criminal data
| Legal obligation | Employment, social security, and social protection law |
To consider whether we need to provide appropriate adjustments during the recruitment process | - Health data | Consent provided by the individual | Explicit consent |
To ensure meaningful equal
opportunity | - Sensitive data | Consent provided by the individual | Employment, social security, and social protection law |
We’ll only ask for this type of personal information when we absolutely need to and use it in limited circumstances.
Sharing your personal information
When necessary, we share your personal information with:
- Service providers
- Tax, government, and any relevant regulatory authorities
- Prosecuting authorities and courts, and/or other relevant third parties connected with legal proceedings or claims
- Fraud prevention and/or law enforcement agencies
- Industry databases such as CIFAS (you can learn more about how your personal information is used for
CIFAS’ National Fraud Database here at Fair Processing Notices for Cifas)
- Third parties where you have asked us to share your information
- Third parties where it’s necessary to enter into or for the performance of a contract
- Third parties where we are required to do so by law
- Credit reference agencies are used to perform credit, identity and fraud prevention checks against
public (electoral register) and shared credit information (You can learn more about how your personal
information is used here: Credit Reference Agency Information Notice (CRAIN) | Equifax UK).
All companies we work with are assessed for adequacy of their security controls, so we aim to ensure that your personal data is safe.
You can find more details on the organisations we may share your data with here.
Transfer of your personal information outside the United Kingdom
Your personal information may be transferred or stored in locations outside of the UK. We will only transfer your data when:
- We’re required or permitted to by law or regulatory requirements
- We’re sharing data with a third party to support us in the management of your account.
When transferring data, we make sure that suitable protection is always maintained by ensuring appropriate
safeguards are in place. This could be by:
- Ensuring that we transfer personal data to countries that the Information Commissioner (ICO) has
deemed to provide an adequate level of protection
- Putting suitable clauses in our contracts so that organisations take appropriate steps to give personal
data the same protection it has in the UK
If you would like more information on this, please feel free to contact us by using the details provided in this notice.
Keeping your personal information
We keep personal information for as long as it is required by us:
- For the purposes described in ‘How We Use Personal Information’ section above
- To meet our legal or regulatory obligations
- For the exercise and/or defence of any legal claims.
If you’re application is successful and you become a YBS employee, your information will form part of your employee record and will be kept in line with our data retention schedules.
If your job application is unsuccessful, we’ll keep the information we have collected for 12 months from the point at which your candidate profile is last updated. After this period, you’ll have the option of reactivating your account for another 12 months or having your information deleted.
If you would like more information on this, please feel free to contact us by using the details provided in this notice.
Profiling
We do not engage in any profiling activities with your personal information.
Automated decision making
There may be circumstances where we use automated decision making using your personal information.
We may use automated decision making to check that you meet the requirements for the role, and also carry out our legal and regulatory obligations (e.g. when complying with UK money laundering regulations).
You have certain rights over your personal information when using automated decision making. If you would like more information on this, please see the “Your data subject rights and how to exercise them” section below.
Your data subject rights and how to exercise them
You have rights relating to the personal information we hold about you, however, they may be subject to various exceptions and limitations.
You can request to exercise your rights at any time by contacting us using the details below.
Right to be informed: We are obliged to provide clear and transparent information about our processing activities of your personal information.
Right to request access to your personal information (commonly known as a “data subject access request”): You have the right to understand what personal information we hold about you and why.
Right to request correction of the personal information: If you believe that we hold inaccurate or incomplete personal information, you have the right to request us to rectify or correct your personal information.
Right to request erasure of your personal information: You may ask us to delete or remove personal information where there is no good reason for us to continue to process it. Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons.
Right to request restriction of processing of your personal information: You may ask us to stop processing your
personal information. We will still hold the data but will not process it any further. You may exercise the right to
restrict processing when one of the following conditions applies:
- The accuracy of the personal information is contested
- Processing of the personal information is unlawful
- We no longer need the personal information for processing but the personal information is required for
part of a legal process
- The right to object has been exercised and processing is restricted pending a decision on the status of
the processing.
Right to data portability:You may request your personal information be transferred to another controller or
processor, provided in a commonly used and machine-readable format. This right is only available if the original
processing was on the basis of consent, the processing is by automated means, and if the processing is based on the
fulfilment of a contractual obligation.
Right to withdraw consent: You may withdraw consent at any time if we are relying on your consent to process your personal information. This won’t affect any processing already carried out before you withdraw your consent or processing under other grounds.
Right to object: You have the right to object to our processing of your personal information where:
- Processing is based on legitimate interest
- Processing is for the purpose of direct marketing
- We no longer need the personal information for processing but the personal information is required for
part of a legal process
- The right to object has been exercised and processing is restricted pending a decision on the status of
the processing.
We may need specific information from you to help us confirm your identity before we can review your request.
The simplest and quickest way to request this information is by completing our simple online request form.
Alternatively, you can, write to us at the address below:
Data Subject Request
Yorkshire House
Yorkshire Drive
Bradford
West Yorkshire,
BD5 8LJ
Data protection questions and complaints
If you have any questions or are unhappy about this document, how we use your information or any of your rights, contact our Data Protection Officer.
By email: dpo@ybs.co.uk
By post: Data Protection Officer, Yorkshire House, Yorkshire Drive, Bradford, West Yorkshire, BD5 8LJ
If you’re not satisfied with the way we handle your complaint, you can raise a complaint directly with the UK Information Commissioner’s Office. See www.ico.org.uk for details.