Consents Online Limited - Privacy Policy

This privacy policy sets out the basis on which Consents Online Limited (with its registered office at 2 Minton Place, Victoria Road, Bicester, Oxfordshire OX26 6QB) (referred to in this policy as we, our or us) collects and uses your personal information. Our privacy policy also provides information about your rights.

We are also registered with the Information Commissioner's Office with registration number ZA301350.

This notice covers the following:

WHAT IS PERSONAL INFORMATION?
WHAT INFORMATION DO WE COLLECT FROM YOU?
HOW DO WE USE YOUR INFORMATION?
WHAT IS THE LEGAL BASIS THAT PERMITS US TO USE YOUR PERSONAL INFORMATION?
WHAT HAPPENS IF YOU DO NOT PROVIDE INFORMATION THAT WE REQUEST?
WHO WILL WE SHARE YOUR INFORMATION WITH?
HOW DO WE USE YOUR IP ADDRESS AND COOKIES?
WHERE DO WE STORE YOUR PERSONAL DATA?
HOW LONG WILL WE KEEP YOUR PERSONAL INFORMATION FOR?
WHEN WILL WE MAKE CHANGES TO OUR PRIVACY POLICY?
HOW CAN YOU CONTACT US?
YOUR RIGHTS

Summary

In order to provide the services to you:

Information related to your current situation:

We will ask you for some information with relation to your current financial status and how it has been affected by the current COVID-19 pandemic to ensure that any products supplied are suitable for you. We will also ask you to manually input some information relating to your current financial income and expenditure. These manually inputted fields will be passed to M&S Bank. This information will not be retained by Consents Online for longer than 90 days.

Transaction Data:

To simplify the income and expenditure process, we may present you with the option to access your bank transaction data from your Bank Account via Open Banking and share it with M&S Bank (based on your consent).
We will contact your bank to securely access your bank transaction data from your Bank Account via Open Banking and share it with M&S Bank.
You will be securely transferred to your Bank's own website where you will be required to enter your online banking credentials (Internet Banking Credentials) in order to authenticate our request to access your bank transaction data on behalf of M&S Bank.
After being granted access to your online bank account, your bank will provide us with a history of your banking transactions (Transaction Data) for the period indicated by M&S Bank.
In turn, we will at the same time:
provide your raw Transaction Data to our sister company AccountScore (registered office at 2 Minton Place, Victoria Road, Bicester, Oxfordshire OX26 6QB) who will also categorise your raw Transaction Data before sharing it with M&S Bank in a more readily accessible format.
M&S Bank will then use that Transaction Data as part of its income and expenditure assessment, and to help carry out any affordability and credit assessment(s) required by M&S Bank and as agreed by you.
You will have an opportunity to review and edit the categorised Transaction Data before submitting the income and expenditure form
Please note that the consents online service is secure and only provides M&S Bank with access to your bank Transaction Data. Consents Online cannot make payments or transfer funds to third parties or otherwise use your online bank account in any way.

Credit Reference Agency Checks:

When you use Open Banking services, we will disclose some of your data to Equifax Limited ("Equifax"), a credit reference agency, which will use this information to check your identity and (where necessary for the relevant service) your credit history and financial status.
Equifax will process your data as an independent controller, in accordance with their own privacy policy. A copy of which can be found at the link below:
www.equifax.co.uk/crain
Where your data is shared with Equifax only for the purposes of verifying your identity, we will receive only confirmation (or not) of an identity match, which will be shared with our client (the organisation with whom you requested services requiring use of Open Banking).
Where your data is shared with Equifax for the purposes of checking your credit history and financial status, we may receive additional data about you regarding your financial situation, credit history and fraud prevention information.
We only use this information for the purposes of sharing it with our client. That client will then use the information in accordance with its own privacy policy (please ensure you review this carefully), which may include use of the information to (for example):
• assess whether you are entitled to receive a product or service applied for;
• verify the accuracy of the data you have provided; and
• prevent criminal activity, fraud and money laundering.
When Equifax receives a search request from us it will place a ‘search footprint’ on your credit file. The searches we undertaken do not result in a search footprint that is visible to other lenders. They are known as ‘soft footprints’ and will be visible to you on your credit report.
Please be aware that our client (and other lenders) may undertake their own searches of Equifax or other credit reference agencies, which result in a footprint which is visible to other lenders (for example, if you apply for a bank account, mortgage, loan or credit card).

This privacy policy sets out in more detail how the services will work and how we will use your data. This privacy policy will be updated as we make available a wider range of services to you that enable you to take advantage of open banking products and services. If there are any changes to the way in which your personal information is used, we will update this privacy policy and notify you of the changes. Please note that this privacy policy was last updated on 6th March 2019.

WHAT IS PERSONAL INFORMATION?

Personal information is any information that tells us something about you. This could include information such as your name, contact details and bank account details.

WHAT INFORMATION DO WE COLLECT FROM YOU?

2.1

We will collect and process the following information about you:

2.1.1

your name, surname, email address and mobile phone number. You will provide this information directly if you register for our services on consents.online ("Site") and create your own profile on our Site. If you opt in to automatic registration and SMS verification, we will use this information to create your profile on our Site for you and use your mobile phone number to verify your access to your Transaction Data.

2.1.2

When you use Open Banking services, you will be securely transferred to your Bank's own website where you will be required to enter your online banking credentials (Internet Banking Credentials) in order to authenticate our request to access your bank transaction data on behalf of M&S Bank.

2.1.3

our online portal allows you to control how data from your Bank Account(s) is used by M&S Bank ("Approved Provider") and link such Bank Account(s) to your profile on our Site. This will enable us to report on your record of transactions as revealed in your Bank Account history (your "Transaction Data") to your Approved Provider.

2.1.4

Your Transaction Data.

2.1.5

When you use Open Banking services, we will disclose some of your data to Equifax Limited ("Equifax"), a credit reference agency, which will use this information to check your identity and (where necessary for the relevant service) your credit history and financial status. Equifax will process your data as an independent controller, in accordance with their own privacy policy. A copy of which can be found at the link below: https://www.equifax.co.uk/crain

2.1.6

information you provide us by filling in forms on our Site (including your name, address, email address, mobile number(s)).

2.1.7

a record of correspondence if you contact us or we contact you (including personal information you choose to provide us with, such as your name, surname and email address).

2.1.8

proof of identification or details to confirm or verify your identity, address, Bank Account or payment card.

2.1.9

details of your visits to our Site (including traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise) and the resources that you access.

2.1.10

information from third parties, including your employer or a referee.

2.1.11

In addition, we will ask you to provide your contact and account details and some information about your employment status and your current financial status and how it has been affected by the current COVID-19 pandemic. If you do not opt for Open Banking, we will also ask you to manually input some information relating to your current financial income and expenditure. We will share this information with M&S Bank based on your consent. This information will not be retained by Consents Online for longer than 90 days.

HOW DO WE USE YOUR INFORMATION?

3.1

We will use the information in connection with our services for the following purposes:

3.1.1

if you opt in to automatic registration, to automatically-register your account with consents.online using the information you have provided.

3.1.2

to send you an SMS text message with a passcode to enable you to access your account and Transaction Data.

3.1.3

if you do not opt in to automatic registration, to invite you to register for our services, where you will create a username and password. This may also include your fingerprint, if applicable to your device.

3.1.4

to access, use and retrieve your Transaction Data following the process set out in section 3.3.

3.1.5

to carry out Account Ownership Verification using the Equifax Bank Account Verifier following the process set out in section 3.4.

3.1.6

to administer the contract we have with you.

3.1.7

to investigate where you report a problem with our Site.

3.1.8

to verify or enforce compliance with the policies governing our Site and/or applicable laws.

3.1.9

fraud and crime prevention.

3.1.10

to protect against misuse or unauthorised use of our Site.

3.1.11

to comply with our regulatory obligations, to bodies such as the FCA.

3.2

Through our online portal you can control the access rights to your Transaction Data and Bank Account(s). For example, you will be able to tell us the:

3.2.1

reasons for disclosing your data to your Approved Provider;

3.2.2

type of access granted and for how long (i.e. whether this is unlimited, until a specific date or on a one-off basis only); and

3.2.3

frequency of access to your information (i.e. whether this is restricted to daily or weekly access).

3.3

Where you enter your Internet Banking Credentials, you accept that the following process will be undertaken to access, use and retrieve your Transaction Data:

3.3.1

we will analyse the Transaction Data and separate out your transactions into different categories and set out the amount you spend within each category. It will also set out the credits and debits from your Bank Account(s) over the same period;

3.3.2

depending on your instructions your Approved Provider may be able to:

view and monitor your Bank Account and the balance on your Bank Account on a one-off basis or as required by the Account Provider;
copy Transaction Data from your Bank Account from time to time;
store the copied Transaction Data on their own server
use and process the Transaction Data for the purposes specified by the Account Provider in its privacy policy.

3.4

Where you provide your Approved Provider(s) with your Internet Banking Credentials, you accept that the following process will be undertaken to verify the ownership of your Bank Account(s) as part of the Account Ownership Verification:

we will arrange for the transfer of your name, surname, address, email address and date of birth provided to us to Equifax;
Equifax will compare the sort code and account number taken from your online bank account which has been provided through Open Banking to Equifax’s current account database. The name and address details associated with the bank account are then compared to the details provided by you to verify the ownership of your Bank Account; and then
Equifax will send the results to us and we will provide these to your Approved Provider.

3.5

Our access, the access of your Approved Provider and Equifax will be limited to the process set out in section 3.3 and 3.4 and will be in accordance with your instructions.

3.6

Your Approved Provider will have its own privacy policy, which will explain in further detail how your Approved Provider will use your personal information. These can be found here: Please note that we do not accept any responsibility for the Account Provider’s privacy policy.

3.7

We also have an app, which is available for download from Apple's App Store and Android's Google Play Store. Please be aware that separate terms will govern your use of our app and you should read these carefully when you download the app.

WHAT IS THE LEGAL BASIS THAT PERMITS US TO USE YOUR PERSONAL INFORMATION?

4.1

Under data protection legislation, we are only permitted to use your personal information if we have a legal basis for doing so as set out in the data protection legislation. We rely on the following legal basis to use your information:

4.1.1

where we need information to perform the contract we have entered into with you. This includes:

to access, use and retrieve your Transaction Data (following the process set out in section 3.3) to deliver our services to you;
to carry out Account Ownership Verification checks (following the process set out in section 3.4) to deliver our services to you; and
to administer the contract we have with you.

4.1.2

where we need to comply with a legal obligation. This includes compliance with our regulatory obligations, to bodies such as the FCA.

4.1.3

where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. This includes:

inviting you to register for our services;
to investigate where you report a problem with our Site;
to verify or enforce compliance with the policies governing our Site and/or applicable laws;
fraud and crime prevention; and
to protect against misuse or unauthorised use of the Site.

4.2

In more limited circumstances we may also rely on the following legal bases:

4.2.1

where we need to protect your interests (or someone else's interests).

4.2.2

where it is needed in the public interest or for official purposes.

WHAT HAPPENS IF YOU DO NOT PROVIDE INFORMATION THAT WE REQUEST?

5.1

We need some of your personal information in order to perform our contract with you. For example, we need to know your name, surname, address, email address and date of birth so we can perform the Account Ownership Verification service.

5.2

Where information is needed for these purposes if you do not provide it we will not be able to perform our contract with you and provide you with our services. We explain when this is the case at the point where we collect information from you.

WHO WILL WE SHARE YOUR INFORMATION WITH?

6.1

We will share your personal information with:

6.1.1

your Approved Provider, where we are required to do so in order to provide you with our services;

6.1.2

your Bank and Equifax (to the extent such information is required in order to provide you with the services);

6.1.3

regulators, including the FCA, where we are required to do so to comply with our regulatory obligations;

6.1.4

AccountScore Limited, to assist us with categorisation of your Transaction Data in order to provide you with the services; and

6.1.5

third parties where we are required to do so by law. For example, if a government authority is conducting an investigation and requires us to share your personal information.

6.2

We will use third parties from time to time to help us in delivering services to you. Where we use such third parties, we will ensure appropriate safeguards are in place to protect your personal information and to ensure that it is solely used for legitimate purposes in line with this privacy policy.

6.3

Please note that:

6.3.1

we will only share your Transaction Data and Account Ownership Verification results with your Bank and your Approved Provider for the purpose of providing our service to you; and

6.3.2

we will only share your name, surname, address, email address and date of birth to Equifax for the purpose of providing our services .

COOKIES AND ONLINE TOOLS

When you use our website, we will use cookies or similar online tools.

Cookies are small pieces of data that websites store on your browser when you visit them. The cookies or online tools we use are 'strictly necessary' to ensure that our website is able to function properly. We don't have to ask for your consent to use these, they are not used to identify you, and will only be used for the duration of your session.

You may disable any cookies or other online tools by changing your browser settings, but this may affect how the website functions. For more information about how to use your browser settings to clear your browser data or to manage cookies, check your browser 'Help' function.

WHERE DO WE STORE YOUR PERSONAL DATA?

8.1

All information you provide to us is stored on our secure servers.

8.2

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

8.3

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

HOW LONG WILL WE KEEP YOUR PERSONAL INFORMATION FOR?

9.1

As a general rule, we will keep your personal information for the duration in which we are providing the services to you, and for a period of six years thereafter. However, where we have statutory obligations to keep personal information for a longer period or where we may need your information for a longer period in case of a legal claim, then the retention period may be longer.

WHEN WILL WE MAKE CHANGES TO OUR PRIVACY POLICY?

10.1

Our privacy policy was last updated on 6th March 2019.

10.2

Our privacy policy will be reviewed and amended from time to time and we will notify you of the changes.

10.3

Any changes we may make to our privacy policy in the future will be posted on this page. We will update the privacy policy to reflect our service offering.

HOW CAN YOU CONTACT US?

11.1

Questions, comments and requests regarding this privacy policy are welcomed at:

11.1.1

enquiries@consentco.co.uk;

11.1.2

Consents Online Limited, Floor 33, Euston Tower, 286 Euston Road, London NW1 3DP; or

11.1.3

by telephone: 0800 180 8570.

11.2

If you have any concerns about the information we hold, please contact our Data Protection Officer via the above methods.

11.3

If you still feel dissatisfied, you can appeal to our Managing Director at the above address.

YOUR RIGHTS

12.1

Complaints

Please contact us by using the details in section 11 and we will try to resolve your issue. You also have the right to lodge a complaint with the Information Commissioner's Office ("ICO"). You can contact the ICO by writing to them at: Information Commissioner's Office Client Services Team, Wycliffe House, Water Lane, Wilmslow, SK9 5AF or by visiting their website for further information at https://ico.org.uk/.

12.2

You have a number of rights in relation to your personal information, which include the following:

12.2.1

You have the right to request a copy of the information that we hold about you. This right relates to personal information that you have provided to us that we need in order to perform our agreement with you and personal information where we are relying on consent to process your personal information.

12.2.2

You can also ask us to:

provide a copy of the personal data we hold about you in a commonly used and machine-readable format; and
send your personal data to another data controller (e.g. another service provider).

12.2.3

We want to ensure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate, incorrect or incomplete.

12.2.4

You have the right to request us to erase the personal information we hold about you in certain circumstances, which is also known as the "right to be forgotten":

if we are continuing to process your personal information beyond the period when it is necessary to do so for the purpose for which it was originally collected
if we are relying on consent as the legal basis for processing and you withdraw consent
if we are relying on legitimate interest as the legal basis for processing and you object to this processing and there is no overriding compelling ground which enables us to continue with the processing
if it is necessary to delete the personal information to comply with a legal obligation

12.2.5

You have the right to ask us if we are processing your personal data. If so, you have the right to access such personal data and obtain certain information about our processing, including the purposes of our data processing and the categories of personal data which we are processing.

12.2.6

You have the right to object to our processing of your personal information where we are relying on legitimate interests or exercise of a public interest task to make the processing lawful. If you raise an objection we will carry out an assessment to determine whether we have an overriding legitimate ground which entitles us to continue to process your personal information

12.2.7

You have the right to ask us to restrict the processing of your personal data where you consider that:

personal information is inaccurate
our processing of your personal information is unlawful
where we no longer need the personal information but you require us to keep it to enable you to establish, exercise or defend a legal claim
where you have raised an objection to our use of your personal information

12.2.8

You have the right not to be subject to automated decisions which produce legal effects or which could have a similarly significant effect on you.

12.2.9

You have the right to withdraw your consent at any time, where consent is the legal basis for our processing. This will not affect the lawful ness of our processing based on your consent prior to its withdrawal.

12.3

If you would like to exercise any of your rights or find out more, please contact us via the methods set out in section 11.