This Privacy Notice explains:

  • who we are
  • how we collect, share and use your personal information
  • how you can exercise your privacy rights
Personal information is any information that can be used to identify you as a unique individual.

Yorkshire Building Society (YBS) includes the trading names under which we operate (Chelsea Building Society, the Chelsea, Norwich and Peterborough Building Society, N&P and Egg) and its subsidiary companies. Any references to ‘us’, ‘our’ and ‘we’ means ‘YBS’.

YBS is the data controller (we decide how and why your personal information is handled) responsible for your personal information.
 

 Download a copy of this Privacy Notice

If you are a Share Plans customer, you can find out how we use your personal data in our Share Plans Privacy Notice .


If you are a job applicant, you can find out how we use your personal data in our Applicant Privacy Notice.

If you are an Employee of YBS, you can find out how we use your personal data in our Employee Privacy Notice.

We have also produced a child friendly privacy notice for children and young people.

We are committed to taking good care your personal data and ensuring the highest standards of privacy. If you have any questions about this notice, don’t hesitate to get in touch with us. We’ll be more than happy to help.

To comply with the General Data Protection Regulation (2016/679), if you are in the European Union, we have appointed a European representative.
 
If you wish to contact them, their details are as follows:

Bird & Bird GDPR Representative Services SRL
Avenue Louise 235
1050 Bruxelles
Belgium
 
 
Key Contact: Vincent Rezzouk-Hammachi
We collect your personal information when you:
 
  • apply for our products or services in branch, online or on the phone
  • update your information online, in branch or over the phone (such as when you change your address)
  • visit us in branch
  • speak to us on the phone
  • visit our website, use our online web chat services and any digital or mobile app we may offer now or in the future
  • send us letters, emails or other documents

The types of personal information we collect from you include/are:

  • Identity details which includes your full name, title, date of birth, age, unique personal identifier and account number
  • Contact details which includes your home address, email address and phone number
  • Personal information about your family which includes your marital status, next of kin, dependents and emergency contact details
  • Financial data which includes your bank account number, credit/debit card number, earnings, income, expenditure, spending habits, transaction history, tax reference number and source of funds
  • Profile data about you which includes your sex, occupation, employment status, citizenship status, residential status, property details, occupancy status and insurance information
  • Identification documents which includes your driving licence, passport, National Insurance number and other national identifiers
  • How you interact with us which includes call recordings, photographs, video recordings, or any other form of communication
  • Technical data which includes internet protocol (IP) address, location data, operating system, time zone etc.


We also collect Special Categories of Personal Data which includes:

  • Health data which includes any physical disability, mental disability or any medical condition
  • Criminal data which includes information about criminal convictions and offences, allegations (proven or unproven) and investigations, penalties and restrictions, County Courts Judgements and insolvency details as well as information relating to the absence of convictions
  • Sensitive data: Information about your race or national or ethnic origin, religion or beliefs, sexual orientation and political affiliations

It is important that the personal information we hold about you is accurate and up to date.

Please keep us informed of any changes to your personal information during your relationship with us, such as change of contact details etc.

Sometimes we work with carefully selected third parties and we may receive your personal information from them.
 
The third parties include:
 
  • business partners
  • suppliers
  • sub-contractors
  • advertisers
  • referrers
  • Fraud prevention agencies such as CIFAS and National Hunter – you can learn more about how your personal information is used here:  https://www.cifas.org.uk/fpn or https://nhunter.co.uk/privacy-policy
  • Credit Reference Agencies (CRAs) are used to perform credit, identity and fraud prevention checks against public (electoral register) and shared credit information (You can learn more about how your personal information is used here: Credit Reference Agency Information Notice (CRAIN) | Equifax UK)
  • Public sources (such as the electoral register, Companies House).
We may obtain personal information relating to you from other individuals as part of the application process for one of our products or services. This can include individuals who are:
 
  • a joint applicant on an account you hold or are applying for
  • a trustee on an account
  • a parent
  • a guardian
  • a nominated representative
  • acting under a Power of Attorney or similar authority
  • a mortgage broker or mortgage intermediary (such as Accord Mortgages) who is acting on your behalf
If someone acting on your behalf provides this information, we’ll record what’s been provided and who gave it to us.

When you provide personal information about another individual, we’ll assume that you have told them that you are sharing their details and where they can find more information on how we process their personal information.

We also collect information from public sources as part of our investigations and due diligence checks.
We use your personal information for the following purposes:
 

Purpose/Activity

Types of Personal Information

Legal Basis for processing your information

Processing your application for a product or service with us

  • Identity data
  • Contact data
  • Financial data
  • Profile data
  • Family data
  • Identification documents

Necessary for the performance of a contract

Managing and administering your account with us

  • Identity data
  • Contact data
  • Financial data
  • Profile data
  • Family data
  • Identification documents

Necessary for the performance of a contract

To manage your membership with YBS and keep in touch with you

  • Identity data
  • Contact data

Legal obligation

Sending you communication to service your account, products or services

  • Identity data
  • Contact data
  • Financial data

Our legitimate interest

Competitions, gifts and rewards, prize draws, interactive features and sending birthday greetingss

  • Identity data
  • Contact data

Legitimate interests
Consent

To manage your attendance and participation in events and promotional activities

  • Identity data
  • Contact data
  • Photographs and video recordings

Legitimate interests
Consent

To manage queries and complaints raised by you

  • Identity data
  • Contact data
  • Financial data
  • Profile data

Our legitimate interest

Testing our systems and processes

  • Identity data
  • Contact data
  • Financial data
  • Profile data

Our legitimate interest

Sharing relevant marketing about products and services

  • Identity data
  • Contact data
  • Profiling

Consent provided by the individual

Meeting our legal and regulatory obligations

  • Identity data
  • Contact data
  • Financial data
  • Profile data
  • Family data

Legal obligations

Auditing and assuring our processes, products and services

  • Identity data
  • Contact data
  • Financial data
  • Profile data
  • Family data
  • Identification documents

Our legitimate interest

Capturing CCTV images and recording in our branches and offices for safety and security

  • Identity data

Our legitimate interest

Conducting market research and surveys to understand your experience and interactions with YBS

  • Identity data
  • Contact data

Our legitimate interest

Preventing and investigating fraud

  • Identity data
  • Contact data
  • Financial data
  • Profile data
  • Family data
  • Identification documents

Our legitimate interest
Legal obligation

My Voice Community

  • Identity data
  • Contact data
  • Financial data
  • Profile data
  • Family data

Consent provided by the individual

To develop and improve our processes, systems and policies

  • Identity data
  • Contact data
  • Financial data
  • Profile data
  • Family data
  • Identification documents

Our legitimate interest

Legal activities and advice

  • Identity data
  • Contact data
  • Financial data
  • Profile data
  • Family data
  • Identification documents

Our legitimate interest

Collecting IP address when using our web site to detect suspicious activities

  • Technical data

Our legitimate interest

Developing our business and understanding how we're performing as a Building Society

  • Identity data
  • Contact data
  • Financial data
  • Profile data
  • Family data

Our legitimate interest

Manage your appointment bookings

  • Identity data
  • Contact data

Necessary for the performance of a contract

Managing Power of Attorney process

  • Identity data
  • Contact data
  • Financial data
  • Profile data

Necessary for the performance of a contract

Supporting you through the arrears and debt collection processes

  • Identity data
  • Contact data
  • Financial data
  • Profile data

Our legitimate interest

Join YBS Charitable Foundation

  • Identity data
  • Contact data

Consent provided by the individual

Processing secure funding activity access to Third Parties

  • Identity data
  • Contact data
  • Profile data

Our legitimate interest

YBS Securitisation process

  • Identity data
  • Contact data
  • Financial data
  • Profile data

Our legitimate interest

Whistleblowing Processing

  • Identity data
  • Contact data
  • Profile data

Legal obligation

Where we are processing your personal information for our legitimate interests, you may object to the processing of your personal information.

If you have provided your consent to us for processing your personal information, you may withdraw the consent that you have provided at any time.

We also collect Special Categories of Data for the following purposes:
 

Purpose/Activity

Special Category of Personal Data collected

Legal Basis

Additional Legal Basis

Preventing and investigating fraud

  • Criminal data

 

Legal Obligation

Substantial Public Interest (Preventing fraud)

Managing Anti-money Laundering requirements

  • Criminal data

Legal obligation

Substantial Public Interest (Suspicion of terrorist financing or money laundering)

To assess and accommodate our service to meet vulnerable customer needs

  • Health data

Consent provided by the individual

Explicit consent

My Voice Community

  • Sensitive data

Consent provided by the individual

Explicit consent

We’ll only ask for Special Category Personal Data when we absolutely need to and use it in limited circumstances.
When necessary, we share your personal information with:
  • service providers

  • tax, government, and any relevant regulatory authorities

  • prosecuting authorities and courts, and/or other relevant third parties connected with legal proceedings or claims

  • fraud prevention and/or law enforcement agencies

  • Fraud prevention agencies such as CIFAS and National Hunter – you can learn more about how your personal information is used here: https://www.cifas.org.uk/fpn or https://nhunter.co.uk/privacy-policy  Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years

  • third parties where you have asked us to share your information

  • third parties where it’s necessary to enter into or Necessary for the performance of a contract

  • third parties where we are required to do so by law

  • Credit Reference Agencies (CRAs) are used to perform credit, identity and fraud prevention checks against public (electoral register) and shared credit information

All companies we work with are assessed for adequacy of their security controls, so we aim to ensure that your personal data is safe.
Your personal information may be transferred to or stored in locations outside of the UK.

We will only transfer your data when:
  • we’re required or permitted to by law or regulatory requirements

  • we’re sharing data with a third party to support us in the management of your account

When transferring data, we make sure that suitable protection is always maintained by ensuring appropriate safeguards are in place. This could be by:

  • Ensuring that we transfer personal data to countries that the Information Commissioner (ICO) has deemed to provide an adequate level of protection

  • Putting suitable clauses in our contracts so that organisations take appropriate steps to give personal data the same protection it has in the UK

If you would like more information on this, please feel free to contact us by using the details provided in this notice.

We keep personal information for as long as it is required by us:

  • for the purposes described in ‘How We Use Personal Information’ section above

  • to meet our legal or regulatory obligations

  • for the exercise and/or defence of any legal claims

When determining retention periods, we consider the following:

  • the maximum or minimum retention periods identified by the law or regulatory guidance

  • our contractual rights and obligations

  • customer expectations, the nature of your relationship with us, your membership status and the types of accounts, products and services you have with us

  • current or future operational requirements

  • forensic requirements, for example, the potential need to access data no longer actively used in order to manage or respond to complaints and disputes

  • the risks involved in retention, deletion and removal

  • the cost of maintaining, storing, archiving and retrieving data

  • the capability or restraints of our systems and technology

If you would like more information on this, please feel free to contact us by using the details provided in this notice.

There may be some circumstances where we use your personal information for profiling (processing of personal information to evaluate certain things about you).

For example, to ensure that we’re providing a consistent service and giving people the best products and advice at the right times

We’ll always make sure the way we process your information is safe and not unfair to you.

Where possible, we’ll keep your details anonymous and use your information only to produce statistical reports. This way, you will not be identifiable from the data.

You have the right to object to us using your personal information for profiling activities. Please refer to the Subject rights section for more information.
There may be circumstances where we use automated decision making using your personal information.

We use automated decision making to check that we can enter into an agreement with you, and also carry out our legal and regulatory obligations (e.g. when complying with UK money laundering regulations).

You have certain rights over your personal information when using automated decision making. If you would like more information on this, please see the “Your Data Subject Rights and How to Exercise Them” section below.
You have rights relating to the personal information we hold about you, however, they may be subject to various exceptions and limitations.

You can request to exercise your rights at any time by contacting us using the details in this privacy notice.
 

Your rights:

Right to be informed: We are obliged to provide clear and transparent information about our processing activities of your personal information.

Request access to your personal information (commonly known as a “data subject access request”): You have the right to understand what personal information we hold about you and why.

Request correction of the personal information: If you believe that we hold inaccurate or incomplete personal information, you have the right to request us to rectify or correct your personal information.

Request erasure of your personal information: You may ask us to delete or remove personal information where there is no good reason for us to continue to process it. Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons.

Request restriction of processing of your personal information: You may ask us to stop processing your personal information. We will still hold the data but will not process it any further. You may exercise the right to restrict processing when one of the following conditions applies:
 
  • the accuracy of the personal information is contested
  • processing of the personal information is unlawful
  • we no longer need the personal information for processing but the personal information is required for part of a legal process
  • the right to object has been exercised and processing is restricted pending a decision on the status of the processing
Right to Data Portability: You may request your personal information be transferred to another controller or processor, provided in a commonly used and machine-readable format. This right is only available if the original processing was on the basis of consent, the processing is by automated means, and if the processing is based on the fulfilment of a contractual obligation.

Right to Withdraw Consent: You may withdraw consent at any time if we are relying on your consent to process your personal information. This won’t affect any processing already carried out before you withdraw your consent or processing under other grounds.

Right to object: You have the right to object to our processing of your personal information where:
 
  • processing is based on legitimate interest
  • processing is for the purpose of direct marketing
We may need specific information from you to help us confirm your identity before we can review your request.
 
The simplest and quickest way to request this information is by completing our simple Online Request Form.

Alternatively you can:
Visit us in a branch or agency

Call us on:
0345 1200 100 for Savings Customers
0345 1200 200 for Mortgage Customers

Write to us at the address below:
Data Subject Request, Yorkshire House, Yorkshire Drive, Bradford, West Yorkshire, BD5 8LJ
If you have any concerns about the use of your personal information or the way we handle your requests relating to your rights, you can raise a complaint directly with us by using the contact details provided in this notice.
 
If you are not satisfied with the way we handle your complaint, you are entitled to raise a complaint directly with the UK Information Commissioner’s Office via the details available on their website: www.ico.org.uk.
If you have any questions about:
 
  • this privacy notice
  • the use of your personal information
  • wish to request to exercise any of your rights
please contact our Data Protection Officer using the following details:

By email:

By post:
Data Protection Officer, Yorkshire House, Yorkshire Drive, Bradford, West Yorkshire, BD5 8LJ

Updating this notice

We regularly review and, where necessary, update our privacy information contained within this notice. This was last updated 14 July 2023.