This Privacy Notice provides all the need-to-know info on how we collect, use and keep your info as a personal banking customer and/or an important person within the organisation of a business banking customer.Just so you know, an important person can include a sole trader, proprietor, director, company secretary, shareholder, partner, member, committee member, trustee, controller, beneficial owner or authorised signatory to the business account.
As a personal or business banking customer, we take your privacy seriously. Here, you can learn more about your data protection rights and how we collect, use, share and store your personal info.
That includes info we already hold about you now and further personal info we might collect about you, either from you or someone else. How we use your personal info depends on the accounts and relationship you have with us.
Our Data Protection Officer (DPO) provides help and guidance to make sure we protect your personal info and we use it in the right way. If you have any questions, you can contact our DPO (see section 13 “Getting in touch”).
This Privacy Notice will replace any previous notice we’ve given you. If we make any important changes to it we’ll get in touch to let you know.
When we say ‘Group’ we mean Virgin Money UK PLC, Clydesdale Bank PLC, each subsidiary or holding company of Virgin Money UK PLC. You can find out more about the companies within the Group in the Legal and Privacy section here.
The following are the ‘data controllers’ within the Group that collect and use personal info. When we say ‘we’ or ‘us’ in this notice we are referring to:
By ‘info’, we mean all the personal and financial details we collect, use, share and store. The info we keep will change depending on the account and relationship you have with us. It can include but isn’t limited to:
In section 6, there’s more on how we use this info.
Sometimes, we ask for your info as we need it to provide the product or service you’ve asked for or to do something the law requires us to do (like check you are who you say you are). Without that info we’ll not be able to provide some products or services requested.
For Credit Card Accounts, Loan Products and Mortgage Products, we need info on your finances. This includes:
To provide Financial Management Services and products that include Travel Insurance, we may need to use any health info, which we will ask for.
We collect info directly from you and others.
We get info:
We also get info from:
We’ll also look at and combine the info collected (sometimes automatically) to understand how you use your account and our services. It also helps us understand what you may like and do. We may create a profile of you to help us predict your financial behaviour and what you prefer before offering services to you (‘profile info’).
Some of our products and services need you to allow third parties to share info with us. This may be combined with other info we hold and have analysed so we can provide that product or service. Please check out section 5 “"Why we need the information and what we use it for"” for more details.
Data Protection law means we need to have one or more of the following reasons for using your info:
These are the main ways we’ll use your info and the reasons for doing so:
The law requires that we must check the identity of new customers and for business customers the verification of key individuals of such customers. The law also requires us to re-check the identity of existing customers from time to time. This is so we know who our customers are and to make it more difficult for criminals to use false or impersonated identities, for criminal purposes like hiding the proceeds of crime or committing fraud. To check your identity, we’ll check the contact details and financial info you give us with credit reference agencies and against publicly available info. We’ll also check you’re eligible for the product or service we’re offering.
We’ll use your info to manage any account, product, service or relationship you have with us. This’ll be done in line with the terms of that arrangement and the rules of our regulators. Examples of this are:
To do this, we’ll use your contact details, the payment details you’ve given us and your location data to enable us to check locations where payments are made (this is to prevent fraud). If you’ve agreed to it, we’ll also use mobile location services and your IP address to identify you for security and to stop fraud.
We may also share this info with third parties who help us confirm your contact details and deliver our products and services – this could be our payment providers, subcontractors, service providers for ATMs and cash management and other banks and regulators.
We might use info to manage any business internet banking money management services provided to business banking customers. Our money management services use machine learning to give you forecasts and predictions:
We have a legitimate interest in only lending money to customers we think can pay it back. Our regulators also require us to lend money in a responsible way.
So, whenever you apply for credit (for example, a mortgage, credit card or overdraft) or any extra borrowing on a product you’ve taken out, we’ll use the info you give us and what we already know to work out the risk to us.
We’ll also get info from credit reference agencies to do credit scoring and/or other risk assessments of your application.
Credit scoring is an automated way of making fair and responsible decisions about lending money and managing your accounts. We use it to assess how you are likely to run your account and by using info from a range of sources it allows us to decide on whether we’re going to offer you a product or service or make any changes to any ones you have.
To calculate a credit score we use:
We’ll confirm where we’ve used credit assessment. If there’s been a change to your credit limit or interest rate based on our credit assessment process, you can ask one of our team to assess it again. For more info see the section ‘When we make automated decisions’ below.
See section 7 "Who we share info with",for more about sharing info with credit reference and fraud prevention agencies.
By law, we must review applications and monitor accounts. This helps us tackle threats from terrorists, money-laundering and other financial crimes. We also have a legitimate interest in avoiding losses caused by financial crime like fraud. We may share info with law enforcement agencies and other official bodies or government departments to comply with our legal obligations (like tax and immigration authorities).
We may also check and share info we’ve got about you – like your contact details and financial info – with fraud prevention agencies, credit reference agencies, law enforcement, other government agencies, different banks and regulators. This is to help stop financial crime and terrorism funding. To do that, we’ll use any info you’ve provided, as well as info we’ve got from a third party. We’ll also see how you use our services for more info.
This includes your name, address, date of birth, every country of residence/citizenship, personal identification (which may include passport or driving license number), your IP address and details of any criminal convictions. This might also include info about your location, which helps prevent crime and fraud.
We use your info in this way because it is necessary to perform our contract with you. It is also in our legitimate interest to recover any debts that are owed to us if there isn’t a plan in place to pay it back.
We’ll use your contact details and info we’ve got from seeing how you’ve used our services (including info about your location that we may find from reviewing your accounts). We’ll also use info available within the Group about how you’ve used services from other Group members.
To get a debt paid back, we’ll share info with and receive info from third parties where we have to. This might even include legal proceedings. Examples of third parties include other banks, debt recovery agents, solicitors, credit reference agencies and sheriff officer or bailiff services.
This might also include sharing info about you with a third party who we’ve moved your debt to e.g., securitisation. We’ll tell you who they are and they’ll contact you directly to collect that debt.
We have a legitimate interest in improving how we offer our services and the security of the computer systems we use. We also have to respond to any law changes or rules that affect how we protect the info, that we hold.
We may use your info to help us develop and test our systems, including new technologies and services. This is to make sure they’re safe and secure and will work the way we want them to. When we do this, we’ll use processes and technologies that are designed to keep this info secure.
The range of products and services we offer, including those from companies outside the Virgin Money UK PLC Group, changes all the time.
We have a legitimate interest in telling you about products, services and any new developments we think may interest you, where we’re allowed to. For some of our marketing, including letting you know about the products and services of other companies, we’ll ask for your permission first.
We don’t want to send on too much info or anything that’s not right for you, so we’ll use the info we already have, particularly profile info, to decide what we talk to you about. This includes telling business customers who meet certain scores that they may be able to apply for Sustainability Linked Loans.
You have the right to tell us at any time if you don’t want us to use your info in this way.
We’ll only get in touch in the ways you’ve said we can. For example, a phone call, text message or post. If you’ve said you don’t want to see any marketing, you won’t. You can opt in or out at any time to marketing by contacting us in the usual way see "Getting in touch" for our contact details).
We might get info about you from a third party to help us market our products and services to you. But we’ll only do this if you’ve given them permission to share your info with us.
We might also ask you for permission to show marketing from Virgin Red as part of your Virgin Money Wallet app, both inside the app and in push notifications.
We may also get your name and address from other companies to help us offer services that are right for you. Our manual or automated processes analyse this info to decide what products and services to offer to you and to prioritise the marketing messages you receive.
We do this by:
We may also get info telling us if you’ve opened or clicked on an email, the type of device you’re using and your general location when you opened the email.
Our service providers will help us with these marketing activities. The partners we give your info to might use it for marketing profiling.
Sometimes we work with other companies to offer you the best products and services. We’ll sometimes share your information with our partners, and get info about you too, to make sure that we give you the best, most relevant offers when we market to you (if you have given permission).
We have a legitimate interest in running our business as well as possible while also sticking to our legal and regulatory responsibilities to the UK financial system.
Therefore, we may use your financial info, including how you’ve used our products and services, for the following reasons:
We may pass your info to market research companies and others who help us with these activities.
Sometimes, we’ll use artificial intelligence to help us understand trends, behaviours and predict general patterns. For example, to see how well our marketing is doing.
We may also use your info for other things you’ve agreed to, as well as some situations where the law asks or requires us to.
We have an interest as well as a legal duty to support vulnerable customers. That’s why we’ll use any info you give us, and what we can see from your transactions, that might show a vulnerability. For example, a health condition or money worries.
We’ll also use info we get about vulnerable customers from other members of our Group if we need to protect their interests. Plus, we’ll give info to third parties about vulnerability to meet our legal duties. This might be to the police, social services or someone acting on your behalf.
We’ll give info to and get info from third party independent financial advisers and mortgage brokers who’ve introduced you to us.
This is so we can provide products and services to you and manage our relationships with those third parties, including paying any fees.
To do this, we’ll use info about the general nature of the products and services, as well as info about the value of those products and services.
To provide you with mortgage products and some insurance products, as well as the info already listed above, we’ll need to use extra info about your needs and situation. This is to make sure the products and services are right for you.
For mortgages, this’ll include info about your income and spending, assets and liabilities and your planned retirement age.
For life and critical illness, this’ll include your date of birth, if you smoke or not and details of current policies. Plus, info about how you’ve used other products and services offered by us or other Group members. This will include previous claims under any current policies you have with us, as well as with other providers.
We might share all the info we use with third parties who help us to give the best advice possible. These third parties include credit checking and fraud prevention agencies and our insurance provider partners.
We use your info like this because it’s in both of our interests for you to get advice about the right products and services. It’s also so we stick to the rules of our regulators.
When we make automated decisions
We sometimes use computers to make decisions. We do this when:
When we make automated decisions, we look at look at how you’re likely to run your account, using info from a range of sources (See section 4 "Where we get the info from". Where we make automated decisions you can always ask for a member of the team to review the outcome.
Special protection is given to special categories of info and criminal offence info.
We’ll only use special categories of info if we have one or more of the following additional reasons for using your info:
We’ll only use criminal offence info where the law allows us to for example for the purposes of preventing or detecting crime.
We use the following special categories info for the reasons below:
Some of our accounts use facial and other biometric recognition technology to help customers prove their identity when opening accounts. We’ll ask for your permission when setting this up.
By observing how you interact when using your device for example, the use of your keyboard, mouse and/or the way in which you hold your device, this is called “behavioural biometrics”. We also use behavioural biometrics to confirm your identity when you shop online with your debit or credit card. Behavioural biometrics is the use of machine learning to analyse patterns. This helps us stop fraud by making sure the person using the card is who they say they are.
We may ask you about your racial and ethnic background as we need to make sure everything is fair and equal when it comes to the service we offer.
We may use info about criminal proceedings relating to you when deciding to lend money to you, to help us prevent and detect financial crime and to fulfil our legal/regulatory obligations.
Sometimes the transactions in your bank accounts will reveal special categories info (like your political opinions, health status, religious beliefs and trade union membership), depending on payments you make and receive. This info may be processed by us to provide account payment services to you and will not be used for any other purpose.
We treat all the info we hold as confidential. We may share your info with other people or companies, who are also required to keep the info confidential, safe and secure. For example:
We may also share information we hold with the following types of organisation:
To assess an application for a product or service we’ll perform identity checks on you with one or more credit reference agencies (CRAs). Where you apply for credit, we’ll also perform credit checks on you with the CRAs. We may also make periodic checks with CRAs to manage your account with us.
To do this we’ll pass your information to CRAs and they’ll give us information about you. The information we’ll supply includes information from your application and your financial situation and history. CRAs will also supply us with public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We’ll continue to exchange info about you with CRAs while you have a relationship with us. We’ll also let them know about any accounts you’ve since paid off. If you don’t pay back your credit in full and on time, CRAs will record the debt. They may also let other organisations know.
When CRAs do a credit search they’ll place a footprint on your credit file that may be seen by other lenders and may affect your ability to borrow from them. If you’re making a joint application, or you tell us that you have a spouse or financial associate, we’ll link your records together, so you should make sure that they know what you’re doing and share this info with them before applying. For joint applications with a spouse or financial associate, CRAs will also link your records together. If you want to break this link, you’ll need to talk directly to the CRAs.
The identities of the CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share info, data retention periods and your data protection rights with the CRAs are explained in more detail in the CRA Information Notice (CRAIN).
You can find out more about CRAs here:
We may also use TransUnion’s services for other reasons not mentioned in the CRA Information Notice (CRAIN). This is to help us with identification, verification and fraud prevention as well as other purposes.
You can learn how your data is used at https://www.transunion.co.uk/legal-information/bureau-privacy-notice.
The CRAs also work as fraud prevention agencies (FPAs). Just so you know, we’re also a member of CIFAS and National Hunter, which are both FPAs.
Before offering you a product or service, we may run some checks with the FPAs to help prevent and detect fraud and money laundering.
We’ll do this by giving FPAs your info, who’ll then give us info about you. This includes details in your application or info from third parties.
If we or an FPA believe you’re a fraud or money laundering risk, we may not offer you a new product or service. We might also stop the product or service you’re already using and share any info we get from a FPA with the CRAs.
A record of any fraud or money laundering risks will be kept by the FPAs. This may mean other companies won’t offer you services, finance or employment.
We and FPAs may also let law enforcement agencies use your info to detect, investigate and stop crime. For more details, please ask a member of staff or visit:
We may need to share your info outside the UK and EEA with others. This can include Group companies, service providers, agents, subcontractors and regulatory authorities in countries where data protection laws may not offer the same protection as in the UK and European Economic Area e.g. USA.
For example, if you have a credit or debit card with us, we’ll share what you’ve spent with the payment network e.g. Mastercard, who may use this info worldwide. In these cases, we’ll do everything we can to make sure your info is protected to UK standards.
This could be by only letting transfers take place with countries the EU Commission thinks offer enough protection for your info (an adequacy decision) or, we’ve put our own measures in place to make sure there’s enough security as set out by data protection law.
These measures include having recognised safeguards in place with our commercial partners, like carrying out strict security checks on our overseas partners and suppliers, backed by strong contractual undertakings approved by the relevant regulators like the EU style model clauses or where our commercial partner is a signatory to a recognised and binding code of conduct. For more info about standard contractual clauses as shown by the ICO, check out ico.org.uk and search for ‘International Transfers’.
To learn more about how your info is used in countries outside the EEA, the adequacy decision for that country or the measures we’ve put in place, please get in touch with our Data Protection Officer.
The United Kingdom left the European Union on 31 January 2020. So, we’ll need to transfer your personal info to the UK and other areas outside of the EEA, so you can continue to use our products and services.
Moving your personal data from the EU to the UK will take place based on an adequacy decision by the European Commission in favour of the UK, or on the basis of protections which comply with EU GDPR. We’ll also need to continue to act in line with EU GDPR when we process your personal data.
We’ll continue to keep your data secure, but if you’ve got any questions about how we use your info or your data rights and our obligations as a Data Controller, you can speak to our EU representative. If you want to write, the address is The Data Warehouse at Keizersgracht 482, 1017EG, Amsterdam, Netherlands. You can also email them at email@example.com
If you’d like more info, you can contact our Data Protection Officer (see section 13 "Getting in touch.
How long we keep your information for depends on the products and services we deliver to you.
How long we keep your info for depends on what products and services you have with us. Just so you know, we won’t keep it any longer than we need to (see section 5 "Why we need the info and what we use it for" and section 6 "Why we need special categories info and what we use it for)").
This means we’ll continue to hold some info for a while after your account has closed or our relationship has ended. For example, where we need to for the regulator, for active or potential legal proceedings, to resolve or defend claims or for making remediation payments.
If you’d like more info, you can contact our Data Protection Officer (see section 13 "Getting in touch.
We’ll get in touch with you about products and services we are delivering using the contact details you’ve given us. This might be by post, email, text message, social media and notifications on our app or website.
Where you have given us permission to send you marketing, you can cancel it and update your marketing choices in Store, by calling us, via online banking or through the Virgin Money app.
You can also update your contact preferences in Store, by calling us or through the Virgin Money app.
Head to uk.virginmoney.com/virgin/contact for all the contact info you’ll need.
The law guarantees your rights about how we use your info.
We have told you about the ways in which we use the information we hold.
You can object to how we use your info. When this happens, we have up to one month to get back to you.
Remember, you can stop getting marketing communications at any time. Just get in touch in the usual way to let us know.
You always have the right to ask whether we hold info about you. If we do, you have the right to know:
You’re also allowed a free copy of the info. We can give it to you in person, online, over the phone, by email or by post.
We always want the info we have for you to be absolutely spot on (up to date and accurate). If any of it is wrong or out of date, let us know and we’ll fix it.
You can ask us to delete your info if you think we don’t need it anymore. This might be because:
When you ask for info to be deleted, we have up to one month to get back to you. If we don’t go ahead and do it, we’ll tell you why.
You have the right to get some of the info you gave us in a machine-readable format.
In certain situations, you can block or limit the use of info by us. This may happen where:
If you’re unhappy with how we’re using your info, please visit us in Store or at uk.virginmoney.com/contact.
If we can’t fix the issue, you can complain to the Info Commissioners Office (ICO). The ICO is the UK’s independent body set up to uphold your rights. You can find out more at www.ico.org.uk.
You can exercise any of your data protection rights by contacting us – (see section 13 "Getting in touch.
You can exercise any of your data protection rights (like accessing your personal data) by emailing us at DSARCCA.Queries@cybg.com.
If you’d like to contact our DPO you can email Data.firstname.lastname@example.org or write to The team at Virgin Money, Sunderland, SR43 4JB.