We want you to know that TSB respects the information we hold on you and that we take the security of your information very seriously.
New data protection rules, the General Data Protection Regulation (GDPR), come into effect on May 25th 2018. This new regulation will give people greater control over how companies and organisations use their personal information.
We have updated our Data Privacy Notice in line with GDPR, which sets out information on how we hold and handle your data. It includes:
- what kind of information we collect
- how we use it
- when we may need to share it
To find out more about GDPR and what this means for you, read our handy frequently asked questions.
Our Data Privacy Notice
Your information will be held by TSB Bank plc ('TSB').
UK Data Protection Laws require us to manage all personal information in accordance with the Data Protection Principles. In particular, we are required to process your personal information fairly, lawfully and in a transparent manner. This means that you are entitled to know how we intend to use any information you provide. You can then decide whether you want to give it to us in order that we may provide the product or service that you require. All our employees are responsible for maintaining customer confidentiality. We provide training and education to all employees to remind them about their obligations. In addition, our policies and procedures are regularly audited and reviewed.
Customer Data Privacy Notice
Information applies from 10 April 2018.
What's covered in this Data Privacy Notice?
We are TSB Bank, 20 Gresham Street, London EC2V 7JA
TSB is committed to providing local banking for Britain. And we want you to have trust and confidence in the way we deal with your information.
The UK is a world leader in data protection and privacy. To comply with UK laws, we have to manage your personal information fairly, lawfully and transparently. This means you’ll know how we use your information and we’ll tell you about your rights. You can then decide whether you want to give us your information so that we can provide the product or service you need.
All our employees are responsible for maintaining customer confidentiality. We provide training and education to all employees and we regularly review our policies and procedures. Our aim is to make sure that you have confidence in TSB and feel comfortable about giving us your information. We think that safely looking after your information is a key part of our relationship.
We have a dedicated team that looks after data privacy rights. We also have a Data Protection Officer (‘DPO’) to guide the business and oversee our use of your information.
The Data Rights Team
2138 Coventry Road
Birmingham B26 3JW
You can also contact our team by emailing
Data Protection Officer
The Data Protection Officer
20 Gresham Street
London EC2V 7JA
Providing our products and services.
When you apply for a product or service, and throughout our relationship, you’ll provide personal information to us. We’ll also collect certain information about you from others.
Whose data will we receive?
What type of data will we receive?
Who will send us data?
All TSB customers.
Data confirming your identity.
Data relating to credit history and status of you or any associated person.
Data relating to any fraudulent activity or suspected fraudulent activity concerning you or any associated person.
Data relating to Politically Exposed Persons (PEPs).
Credit Reference and Fraud Agencies. See more information below.
CIFAS, a not-for-profit fraud prevention membership organisation.
For more information on CIFAS, go to www.cifas.org or write to:
Joint account holders.
Where one person opens a joint account they'll provide us with the name and address of the joint account holder, who will also become a TSB customer.
The person who opens the account, or adds the joint account holder to an existing account.
Company directors, significant shareholders, business partners etc.
For business accounts, we'll receive personal data relating to all people who own, or have a controlling interest, in the business account.
The individual who opens the account, or who notifies us of additional people associated with the business or account.
TSB Added Value Accounts ('TSB AVA'). If you hold a TSB Added Value Account, we work with business partners to provide the additional benefits to you.
These business partners will pass your personal data to us if it is relevant to our relationship with you. For example, they'll inform us if you notify them of a change in your contact details. They'll also tell us if you make a claim on an insurance provided by TSB AVA. However they will not normally provide us with details of the claim.
TSB's business partners, where you choose to use their products or services in association with TSB.
Guarantors, deposit providers, and similar.
If a person guarantees to pay TSB any sums that a TSB customer may owe, or provides a deposit (for example when a TSB customer takes out a mortgage) we'll record enough details to let us contact them if/when needed. Where they provide the deposit from their bank account, we'll record the account details.
The TSB customer.
Property vendors, employers and others who interact with TSB customers.
If a person takes out a TSB mortgage to purchase a property they will, in most cases, give TSB the vendor's name and address. Where another person pays the mortgage deposit, TSB will note the name, address and account details of the person paying the deposit. In some circumstances, TSB customers provide us with their employer's details, such as name, address and payroll number.
The TSB mortgage holder.
Providers of professional services.
Business/trading name, address, contact details, internal reference, membership of professional bodies, levels of insurance (if any), identity of client and other information provided to us in the course of delivering the professional services in question.
TSB customer, the person or organisation you are providing professional services to, professional bodies and public sources.
Name, address, property details, financial details.
Your mortgage advisor.
We use this personal information to do all of the things you expect from us. And to meet our obligations to you under our Terms and Conditions.
- recording money in and out of your accounts
- providing you with products and services
- telling you about important changes or developments to the features and operation of these products and services
- responding to your enquiries and complaints
- carrying out financial reviews
- administering offers, competitions and promotions
- updating, consolidating and improving the accuracy of our records
- managing your relationship with us
- arrears and debt recovery activities
- crime detection, prevention and prosecution.
We won’t be able to open or maintain an account or service if you fail to provide certain information.
Occasionally TSB receives names and addresses (including email addresses) of non-customers who it’s thought may be interested in our products and services.
In these circumstances, where we have your consent, we’ll let you know by email or post of the products or services we believe may be of interest. If we don’t already have your consent, we’ll tell you about our products and services by post in accordance with our legitimate interests to promote our business. You have the right to opt out of this marketing at any time, by following a link on the email or by contacting our Data Rights Team.
Providing products with other service providers.
As well as our core banking services, TSB combines with others to provide additional services. We do this where we believe it’s in your interests and ours, or where it’s necessary to deliver the service you’ve asked for. This involves passing some of your personal information to TSB business partners who help provide these products. We only pass the minimum information needed to these TSB business partners. And we always make sure that your information remains protected as required under UK law, including laws regulating the sending of marketing messages to you.
Where you apply for a product or service that’s delivered with a business partner, we’ll collect your personal information and use it to process your application and provide these services in the ways described below:
Pick and Protect insurance
Pick and Protect insurance lets you pay for the cover you want, when you want it. We provide this insurance by working with our partner, Aviva. Pick and Protect insurance is underwritten and administered by Aviva.
When you decide to take out Pick and Protect insurance, you’ll be asked to provide information which will be passed to Aviva.
Aviva is a separate data controller. They’ll tell you about any information they hold that relates to you, what they do with it and why. They’ll also give you their contact details and tell you about your privacy rights.
TSB and Aviva will work together to make sure you receive the best service as a TSB Pick and Protect customer. This means some information will continue to pass between Aviva and TSB. Aviva will let TSB know when the policy has started. If you tell either TSB or Aviva that your contact details have changed, they’ll let each other know to keep records up-to-date. It’s a good idea to make sure you give both TSB and Aviva your up-to-date contact details.
Aviva will pass high level information about Pick and Protect insurance to TSB, including aggregate claims data. However they won’t provide details of individual claims that you make, or that are made against you or other customers.
TSB’s Added Value Accounts (TSB AVAs)
TSB’s market leading Added Value Accounts give customers a range of products and benefits, depending on the accounts you hold and the products and benefits you choose.
These products are provided by our business partners. They’ll be made known to you when you select the relevant product.
To help you benefit from these products, TSB must pass the information you give us to the business partner providing the service. For example, if you take out mobile phone insurance, details of your handset may be passed to the business partner providing the insurance.
These business partners are separate data controllers. They’ll tell you about any information they hold that relates to you, what they do with it and why. They’ll also give you their contact details and tell you about your privacy rights.
TSB will work with these business partners to give you the best possible service. This involves some information continuing to pass between them and TSB. They’ll let us know when you make use of the product or service. If you tell either TSB or the business partner that your contact details have changed, they’ll let each other know to keep records up-to-date.
It’s a good idea to make sure you give both TSB and the relevant partner your up-to-date contact details. They’ll also pass to TSB high level information about the take-up of the products by TSB customers and benefits provided or claimed. But they won’t provide details of individual customers. Where there is a dispute, they’ll pass information to TSB to help us deal with the dispute.
We use your information so we can deliver the banking service that Britain wants in the 21st century. This includes using your information so we can:
Determine your eligibility.
Like all banks, when you apply for products or services, we use automated processes to carry out financial reviews and make faster decisions (for example determining your eligibility for an account or loan). But we want to make sure this works for you and us.
We’ll use automated processes to help decide whether you’re eligible for a particular product, the appropriate amount of credit that we should provide, and to carry out credit and fraud prevention checks. Due to the sheer amount of information involved and the volume of applications, routine human involvement is impractical or impossible. So to allow us to provide banking services, we need to do this work in an automated way. Some fraud checks that we carry out are necessary to meet our legal obligations.
Based on the information you provide us, we’ll compare this against different metrics to determine whether you meet the eligibility criteria for an account. Or to determine whether you’ll be able to make repayments on a product.
We work hard to make sure we make the right decision. Sometimes this means saying no to offering you an account or product. In making these decisions, we’ll pass information to, and receive information from, Credit Reference Agencies.
If we make an automated decision on something important to you, we’ll always allow you to contest the decision, give your views and make sure there’s proper human involvement. If you want to exercise this right, please contact our Data Rights Team using the contact details in section 1. Where possible you should provide any additional relevant information you’d like us to consider. The logic and outcomes of this decision-making are tested regularly to make sure they’re fair, effective and unbiased.
Improve our performance.
We’ll use your information to make sure we give you and other customers the best possible service.
This includes testing new systems, checking upgrades to existing systems, training, undertaking transactional analysis, conducting audits and assessing lending and insurance risks. It also involves customer modelling, statistical and trend analysis aimed at developing and improving products and services, as well as providing information to Regulators. We do this to meet our legitimate interests in providing better services to our customers and making sure your information is appropriately protected.
Send Direct Marketing and Promotional Material.
We’ll offer you an opportunity to receive direct marketing and promotional information. We value our relationship, so we do our best to only send you information we think may be of interest to you personally. We’ll do this by post, email, phone or SMS. But we’ll only send direct marketing to TSB customers in this way if you’ve consented to receive it. And don’t worry. You can withdraw your consent at any time.
We take great care to make sure that information you receive from TSB Bank is likely to be of interest to you. We do this by comparing our range of products and services with what we know about your needs and interests. Whereas we will only send marketing to you if you have consented to this, the work we do to make sure any marketing is likely to be of interest to you personally is carried out to meet our legitimate interests in sending marketing material about products you might be interested in. You can tell us to stop doing this at any time by contacting our Data Rights Team, by clicking ‘unsubscribe’ in any marketing email we send you or by following the instructions in our marketing SMS.
If you use our online services, when you are logged in we’ll aim to give you a personal service so that you see information relevant to you. This will include details of our products that we think will be of interest to you.
When you log in to other secure websites, you may also see TSB advertisements we think may interest you. You can object to this by contacting our Data Rights Team. This means you’ll experience more general webpages. You won’t see fewer advertisements, and the pages and ads may be less relevant to you.
Make the most of social media.
If you interact with TSB through social media we may use your information to help us communicate.
To deliver the best customer experience, we partner with software providers that allow us to connect with you via online communities and blogs. These partners manage personal information only in accordance with our instructions. TSB can also require these partners to delete your information, or return it securely to TSB, at the end of our contract with them.
Do what you ask us to do.
If you request particular services from us, or ask a question, we’ll use your personal information to respond. This is to make sure we can provide the best possible service.
Comply with legal obligations.
This might include providing information to HMRC, preventing fraud, money laundering and doing what our Regulators require. We only do this where strictly necessary to comply with these legal obligations.
Deliver better banking for Britain.
This includes using personal information to make sure we:
- manage and develop customer relations
- assess the suitability of existing and proposed products for our customers
- pass information to Credit Reference Agencies (as described below)
- conduct internal or external reviews of our performance and quality
- instruct our internal or external legal teams
- detect and prevent fraud and liaise with police and other anti-fraud agencies
- engage with and interact on social media
- make sure we manage TSB as effectively and efficiently as possible
We use your personal information in this way as it’s in our business interests. It also allows us to defend our rights, provide a better service to our customers and understand what our customers want from us. Whenever we use your personal information, we’ll always make sure we work to protect your interests and rights. We won’t use your personal information for any purpose incompatible with those set out above. We’ll keep your data appropriately secure, and let you know if we use it for a new purpose.
Occasionally we’ll ask for your specific consent to use your personal information. This might be when we want to record sensitive information, such as details about your health or ethnicity. Asking for your consent gives you control over how this information is used. You can withdraw this consent at any time.
We treat your personal information as private and confidential. In some instances we may disclose it outside TSB for the purposes set out above (including sharing information with partners who help us provide services). This may include sharing it with subcontractors. They’ll act solely on our instructions or behalf and will only use your information for the purposes set out above.
We’ll disclose information to others to meet our contractual obligations to you in accordance with the Terms and Conditions, including where:
- your information relates to a joint account, where the other account holder(s) may be entitled to see your transactions
- it’s needed by other parties connected with your account (including guarantors)
- we need to share information with other lenders who also hold a charge on your property.
We’ll also disclose information where strictly necessary to comply with our legal obligations, including where:
- HMRC or other authorities require it
- the law, a regulatory body or the public interest requires it
- it’s required as part of our duty to protect your accounts. For example we are required to disclose your information to the UK Financial Services Compensation Service (FSCS)
- it’s required by us or others to detect, investigate or prevent crime or fraud.
Information can also be made available where you consent or ask us to. If you give your consent, you can withdraw it at any time and we’ll stop disclosing the information in that way.
Credit Reference Agencies.
In order to process your application for a product or service, we’ll perform credit and identity checks on you with one or more credit reference agencies (‘CRAs’). If you use our banking services we may also make periodic searches at CRAs to help manage your account.
To do this, we’ll supply your personal information to CRAs and they’ll give us information about you. This will include information from your credit application and about your financial situation and history. CRAs will supply us with public data (including the electoral register) as well as shared credit, financial situation, financial history and fraud prevention information.
We’ll use this information to:
- assess your creditworthiness and whether you can afford to take out a product
- verify the accuracy of the data you’ve provided
- prevent criminal activity, fraud and money laundering
- manage your account(s)
- trace and recover debts
- make sure any offers provided to you are appropriate to your circumstances.
We’ll continue to exchange information about you with CRAs while you have a relationship with us. We’ll also inform them about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
When CRAs receive a search from us they’ll place a search footprint on your credit file that may be seen by other lenders.
If you’re making a joint application, or tell us that you have a spouse or financial associate, we’ll link your records together. So make sure you discuss and share this information with them before sending the application. CRAs will also link your records together. These links will remain on both your files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with CRAs are explained in detail at www.experian.co.uk/crain. CRAIN is also accessible from each of the CRAs that TSB uses. Visiting any of these links will take you to the same CRAIN document:
Fraud Prevention Agencies.
To make sure we help in the international fight against terrorism, money laundering, modern slavery and other criminal activities, the government requires us to screen applications made to us. As a result, we will disclose information to fraud prevention agencies and to government bodies. If we think there is a risk of fraud, we may block access or stop activity on an account. We will study patterns of activity, check for unusual transactions and monitor devices used to access TSB’s systems, including Internet Protocol (IP) addresses and may include using widely available geographical mobile phone technology to assess the location.
Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.
The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details.
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
Consequences of processing
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.
Data transfers
Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
The UK and other EEA countries provide a high standard of data protection and privacy. However we may run your accounts and provide other services from centres outside the UK and EEA that do not have a similar standard of data protection laws. If so, we’ll require your personal information to be protected to at least UK standards. So we only transfer personal information to:
- countries that have been confirmed as protecting personal information to UK and EU standards
- companies in the USA certified as providing an adequate level of protection.
In other instances, we’ll put contractual commitments in place which make sure personal information is protected to UK and EU standards.
If you want to learn more about the specific countries to which we transfer personal data, or need a copy of the safeguards we have in place for particular countries, contact the Data Rights Team.
We may process payments through other financial institutions, such as banks and the worldwide payments system operated by the SWIFT organisation. For instance, this can happen if you make a CHAPS or foreign payment. These external organisations may process and store your personal information abroad and may have to disclose it to foreign authorities to help them in their fight against crime and terrorism. If these are based outside the UK and EEA, your personal information may not be protected to standards similar to those in the UK. However we’ll take steps, including using contractual commitments, to make sure that an adequate level of protection is provided.
We’ll keep your information for as long as your account or product application takes. And for as long as you have accounts or products with us. We’ll also keep your personal information for a certain period after your application has ended or you’ve closed your accounts.
When determining how long this period will last, we take into account our legal obligations, the expectations of financial and data protection regulators, and the amount of time we may strictly need to hold your personal information to carry on our business or defend our rights. For example, if you have an account with TSB, we’ll keep your information and account details while the account is open. To meet our legal and regulatory requirements, we must keep much of this information for a number of years after the account is closed — even if you do not have another account with us.
We’ll also need to keep your information in archived form in order to defend our legal rights. This may be for the period during which legal claims can be made under applicable law. In the UK this is six years for contractual claims. We have policies and procedures in place to make sure that we delete information no longer needed for any of these purposes.
You have certain rights over your personal information. These include the right to access a copy of your personal information, or have some elements of it transmitted to you or another company in a common electronic format. In certain circumstances you can have your personal information corrected or erased, or you can restrict our use of it. You also have the right to object to the way we use your personal information as described above.
We generally won’t charge you to exercise these rights. You have the following rights:
You have a right to ask TSB if we have your personal information. If we do, you have a right to know:
- why we have it
- what type of information we possess
- whether we have or will send it to others, especially outside the European Economic Area (list of EEA countries)
- how long we will keep it
- where we got it from
- details of any automated decision-making.
If you want, you can ask for a copy of your information. It may help you to use this form.
Where any of your information is incorrect, you have a right to tell us to correct it promptly. Please tell us as quickly as possible if you change your address or other contact details. If your information is incomplete, you can ask us to correct this too.
In certain circumstances, you’ll have the following extra rights:
Right to object
Depending on the legal basis for which we are using your information, you may be entitled to object. For example, where we’re using your information connected with marketing, we will stop if you object. However, if we’re using your information to meet certain legal obligations, we may continue to do so even if you object.
Erasure (right to be forgotten)
You may have a right to have some or all of the information we hold about you deleted. However you should be aware that, as a bank, we are required to retain many records even after you close your account.
In certain circumstances you would be entitled to receive some of your information from us electronically. We can either pass the information to you, or to another person or business if you want.
You might also be entitled to ask us to restrict our use of your information — for example if you think the information we hold on you is incorrect.
We’ll use automated systems to make decisions about whether you’re eligible for a particular account or products, and to carry out credit and fraud prevention checks. Based on the information you give us, we’ll compare this against different metrics to determine whether you meet the eligibility criteria for an account, or to work out whether you’ll be able to make repayments on a product.
We work hard to make the right decision. Sometimes this means saying no to offering you an account or product. If we make an automated decision on something important to you, we’ll always allow you to contest the decision, give your views and make sure there’s proper human involvement. The logic and outcomes of this decision-making are tested regularly to make sure they’re fair, effective and unbiased.
If you consent to us using your information, you have the right to withdraw that consent at any time.
You can exercise these rights by contacting the Data Rights Team using the details shown in section 1.
We aim to work with you on any request, complaint or question you have about your personal information. However, if you believe we have not adequately resolved a matter, you have the right to complain to the Information Commissioner’s Office (the ‘ICO’). You have a right, at any time, to complain to the ICO. As an independent UK authority, it upholds information rights in the public interest, promotes openness by public bodies and data privacy for individuals. You can visit their website at https://ico.org.uk or ask for details from our Data Rights Team.
Let us know how you want us to contact you
Simply log in to your Internet Banking and update your permissions via the “Change details” link and choose either email, post, SMS or over the phone.
Don’t worry, you can change your mind at any time.