Your right to privacy is important to us. We know that your personal data belongs to you and not to us. That’s why we take the security of your information seriously and have strict policies and processes in place to ensure it is kept private and safe.
This privacy notice describes the way we collect your information, how we use it and why.
Who we are
Iceberg is part of Paragon Banking Group (the Group).
The Group is made up of many different legal entities. The letterhead we use when we write to you will let you know which entity you have a relationship with.
More information on the Group can be found at www.paragonbankinggroup.co.uk.
Where we use the term ‘we’ in this notice we mean the relevant member of the Group who is processing your personal information.
The entity you have a relationship with will be the controller of any personal information you provide to us. The Group’s Company Registration number is 2336032 and its registered address is 51 Homer Road, Solihull, B91 3QJ.
If you have any queries about how your personal information is used by us, which are not answered in this notice, please contact the Data Protection Officer (DPO) 51 Homer Road, Solihull, B91 3QJ or email [email protected].
What is personal data?
Personal data is considered to be any information that either alone, or in combination with other information, would identify you as a living individual. For example, your name and date of birth.
How do we collect your information?
The type of loan or other product you have with us will dictate how your personal information is collected.
Personal information may be provided to us by;
- You or a third party
And may be provided;
- by telephone
- within paper correspondence
When applying for a product or service we will ask you to provide some information about yourself for security, identification and verification purposes.
When completing any forms, we will always tell you how your information will be used in relation to the product or service you are applying for within the declaration and in any associated terms and conditions.
When you provide any information about others (eg for a joint account) you must ensure that you have their consent or are otherwise entitled to provide the information to us.
If you are an introducer of business, the information provided in this notice also explains how we manage your personal data, as well as any business you provide.
We may monitor or record phone calls with you to ensure we have carried out your instructions correctly, to resolve queries or issues, to improve our quality of service, for regulatory purposes and to help prevent or detect fraud or other crimes. We also record conversations for employee training purposes.
You can visit our website without telling us who you are or revealing any information about yourself. When we ask you for personal information online it will only be in response to you applying for, or using, one of our online products or services.
We will not use information and/or any statistical analytics tool to track or collect any personally identifiable information about visitors to our site.
What personal data do we process?
We may process the following personal information;
- Account Number
- Full name
- Date of birth
- Address (both security and residential)
- Address history
- Country of birth
- National Insurance Number
- Tax details such as tax reference numbers
- Any User ID you may provide or create
- Any password you may provide or create
- Memorable Information (provided to us to in some instances to be used as a security check for account access)
- Employment details
- Corporate Directors – position within the company
- Contact details, including phone number and email address
- Bank account number
- Sort Code
- Third party reference numbers
- Passport information
- Vehicle details
- Driving licence information
- Device ID including IP addresses
- If you have requested a third party act on your behalf, the name and contact details of this party
Throughout the life of your account, you may provide the following information to us:
- Your racial or ethnic origin
- Political opinions
- Your religious or philosophical beliefs
- Trade union membership
- Data concerning your health
- Data concerning your sex life or sexual orientation
These pieces of information are considered to be special categories of data. We will only record them if they are relevant to the management of your account (for example, if you have a medical condition which means you require a bespoke communication approach) and we will not record this information without your explicit consent. You are able to withdraw this consent at any time, just get in touch.
On what basis are we allowed to process your personal data?
Under Data Protection law we are only allowed to process your personal data if we have a proper reason to do so. This includes sharing it outside the Group. The law allows us to process your data for one or more of the following reasons;
- to fulfil a contract we have with you
- when it is our legal duty
- when it is in our legitimate interest
- when you consent to it
A legitimate interest is when we have a business or commercial reason to use your information. This reason must not unfairly go against what is right and best for you.
The table below shows the ways we may use your personal information and why;
|What we use your personal information for||The reason/s why we can use your personal information|
Who do we share your personal data with and why?
We may share your personal information with the following third parties;
- with your employer(s), landlord, accountant, banker, current and previous lenders and HMRC to request information from them so that we can assess whether you meet the eligibility criteria if you have applied for a mortgage or loan
- with businesses who may process data on our behalf as part of a contract
- with our insurers for insurance purposes
- with valuers and other organisations involved in the provision of valuation services to enable them to carry out valuations of your property
- if you use Direct Debits, with the Direct Debit Scheme
- with third parties to whom your mortgage, loan or account is, or may be, assigned or transferred
- with credit reference agencies (CRAs) to carry out credit checks and record details of your repayment history. The CRA’s have drafted a notice called ‘Credit Reference Agency Information Notice’ (CRAIN) which sets out how your data will be processed by TransUnion, Equifax and Experian. Please go to https://www.equifax.co.uk/crain.html, https://www.transunion.co.uk/crain or http://www.experian.co.uk/crain/index.html to read the notice and https://www.experian.co.uk/legal/bi-compliance-and-risk-privacy-notice/index for the full Experian privacy notice
- the credit reference agencies we normally use are:
• Equifax Ltd, Customer Services Centre, PO Box 10036, Leicester LE3 4FS
• Experian, Consumer Help Service, PO Box 8000, Nottingham, NG1 5GX
• TransUnion, 1 Park Lane, Leeds, LS3 1EP
- If you are a Limited Company Director, in addition to the above we may also share your information with Creditsafe. They can be contacted at Bryn House, Caerphilly Business Park,
- Van Road, Caerphilly, CF83 3GR
- If you would like to see the information that these credit reference agencies hold about you, please contact them directly; they will be able to explain how you may progress your request and any charges that may apply.
- with fraud prevention agencies (including the National Crime Agency, Action Fraud and the Home Office) to protect us from fraud and money laundering. We may also pass information to financial and other organisations involved in fraud prevention including law enforcement agencies who may also access and use this information to detect, investigate and prevent crime. The Fraud Prevention Agencies we typically use and their contact details are as follows:
• Synectics Solutions - https://www.synectics-solutions.com/data-sar
• National Hunter - [email protected]
• RiskNarrative – Global Reach, Dunleavy Drive, Cardiff, CF11 0SN
We may decide that you pose a fraud or money laundering risk or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity. If you give false or inaccurate information and we suspect fraud we will record this. Please go to https://www.cifas.org.uk/fpn to read the Cifas privacy notice in full
- with identification checking agencies who will carry out electronic identity checks on you and who will record details of the check, regardless of whether your application proceeds
- with third parties where we are legally required or permitted to do so, for example for crime prevention purposes or to protect our right or the rights of our group companies, employees or customers
- with regulators, government and public sector agencies as and when required and where a lawful basis for the transfer of personal data exists
- if you have a mortgage or second charge mortgage with us, we may share information with other lenders who also hold a charge on the property
- with regulatory bodies where we are required to do so for legal and regulatory purposes for example, the Financial Services Compensation Scheme (FSCS)
- if we buy or sell any business or assets we may share your information with the prospective seller or buyer of the business or assets. If we go through a corporate merger, consolidation, sale of assets or other corporate change, we may also pass your information on to the buyer or our successors in business to ensure they can continue to operate the business effectively or make full use of the assets sold.
- If you would like to know which specific third parties process data on our behalf, please contact our Data Protection Officer (DPO) 51 Homer Road, Solihull, B91 3QJ or email [email protected].
Possible consequences of us processing your personal data
The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, finance or employment to you. If you have any questions about this, please contact us.
From time to time we may make you aware of products or services which are similar to the ones you currently hold with us that may be of interest to you. We will only do this if we consider this type of processing to be a legitimate business interest You are able to get in touch and ask us to stop sending you these messages at any time. If you chose not to receive marketing information you will still receive important information about your product or service.
How long will we keep your personal information?
We will keep your personal information for as long as you are a customer of Paragon Banking Group. After you stop being a customer we may keep your data for up to 12 years for one of these reasons;
- to respond to any questions or complaints
- to show that we treated you fairly
- to maintain records according to our regulatory and statutory obligations
We will keep your data for longer than this if we cannot delete it for legal, regulatory or technical reasons. We will also keep it for research, fraud prevention, money laundering, capital, liquidity, risk, statistical analysis and business forecasting purposes. When this happens, we will make sure that your privacy is protected and we will only use it for these purposes.
You or a third party may send information to us as a prospective customer. If you do not have any products that are suitable for you, or you decide not to proceed with your application for any reason, we will store the personal information provided to us for no longer than two years.
Fraud prevention agencies can hold your personal data for different periods of time and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years. In some cases, Paragon may hold your data for an indefinite period.
Your information rights
You have various rights in terms of how and why your personal data is processed. Please contact us at any time if you wish to exercise these rights:
- You have the right to rectify and correct inaccurate or out of date information at no extra cost
- You may be able to request the deletion or removal of personal data where there is no compelling reason for its continued processing. You don’t have an absolute ‘right to be forgotten’ but we will consider the request in specific circumstances
- You have the right to ask us not to use your information for marketing purposes and to ask us to stop sending you marketing communications
- You have the right to restrict and/or object to certain processing, providing it meets the requirements set out in law
- You have the right to obtain human intervention if contesting a decision based on any automated decision-making means. For example, before offering you a loan, we may carry out an automated credit search. CRA’s provide us with data and analytics that may help us with this search and our own data, knowledge, processes and practices will also play a significant role in our decision to lend. If you contest the automated decision, we are able to carry out a manual review of your data. However, this may not change the outcome of the initial automated decision and this may still result in you being refused a product or service
- You have the right to move, copy or transfer personal data. If we are processing data to perform our obligations to you, or because you consented, if that processing is carried out by automated means, we will help you to move, copy or transfer your personal data to other IT systems. If you request, we will supply you with the relevant personal data in a format which is readily accessible by most IT systems
- You have a right to access the personal information that we hold about you. We won’t charge you for this request, however, we may charge a reasonable fee if your request is largely unfounded or if you make repeated requests. Please make your request to the team that services your account. If you require a specific document please make this clear. Telephone calls will not be provided as standard as not all departments will record their calls. If you require a specific conversation, please provide as much detail as possible to enable us to locate this on your behalf
Transfer of your personal information overseas
Some or all of your personal information may be transferred to, stored or processed by service providers of ours located in countries outside the UK.
In these circumstances we will take the necessary steps to ensure that the transfer of your data is in line with UK data protection requirements and that your information is treated securely and protected to a similar standard. We may need to transfer your information in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate interests.
If we do transfer information outside of the UK, we will make sure that it is protected in the same way as if it was being used in the UK.
We may put in place the approved standard contractual clauses (as approved by the UK and European Commission) which constitute appropriate measures to ensure that your personal data is treated by those third parties in a way that is consistent with and which respects the European Union (EU) and UK laws on data protection.
If you are an Expatriate, due to the nature of the product you have chosen, a set of transfers of your information to countries outside of the UK may be required. Our lawful basis for these transfers is because they are necessary to implement precontractual measures and for the performance of a contract between you and Paragon.
Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area (EEA), they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the EEA. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing. For further information please contact the fraud prevention agencies listed within this notice.
If you chose not to give personal information
We may need to collect personal information by law, under the terms of a contract we have with you. If you chose not to give us this personal information it may delay, or prevent us from meeting our obligations. It may also mean that we cannot perform services needed to run your accounts. It could mean that we cancel a product or service that you have with us.
If you wish to complain about how we have treated your personal data, please contact the complaints team within your usual servicing department to discuss your concerns.
You may also refer your concerns to the Information Commissioner’s Officer (ICO), the body that regulates the handling of personal data in the UK. You can contact them by:
Phone: 0303 123 1113
Writing: Information Commissioner’s Officer, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Changes to our notice
This notice was last updated in January 2023.