Our Privacy Notice: How Hodge uses your personal information
This privacy notice sets out how Hodge Bank Limited (“we” or ”us”) and our group entities (as set out below) use your personal data and it applies whenever you engage with us, sign up to a product with us or use one of our websites (as set out below).
In this notice we set out how we use the personal data that you tell us about yourself, that we learn from you by having you as a customer, and the choices that you have about what marketing information you want to receive from us. This notice also tells you about your privacy rights and how the law protects you.
We may update or change this notice from time to time. If we change this notice, then we will post the changes on this page and place notices on other pages of our websites to notify you that this has changed. This notice was last updated in October 2019.
Who are Hodge?
Hodge is made up of a number of different legal entities. We’ll let you know which entity you have a relationship with, when you take out a product or service with us.
This notice applies to all of our legal entities. The relevant Hodge entity acts as a controller of the personal information that it collects from you.
Future changes to this notice
We may change this privacy notice occasionally to reflect changes in the law, as well as our privacy practices. While we encourage you to check this notice on our websites regularly, we will notify you should any substantial changes take place.
Data Protection Officer (DPO)
You can get in touch with Data Protection Officer in the following ways:
Post: One Central Square, Cardiff, CF10 1FS
Our Privacy Promise to you
- To keep your data safe and private.
- To not sell your data to any third parties unless required as part of the service we offer to you.
- To give you ways to manage and review your marketing choices at any time.
- To not send your data outside of the UK or the European Economic Area without adequate safeguards in place.
- To protect any data we hold about children.
- To have extra precautions in place to secure sensitive data we hold about you.
- To notify you of any data breaches as necessary.
A summary of the General Data Protection Act
The General Data Protection Regulation (GDPR) 2016 and the Data Protection 2018 set out the law about how organisations are allowed to use personal data. Its purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that they are aware of how their personal data is processed.
The laws above apply to the processing of personal data wholly or partly by electronic means (i.e. by computer) and to the processing of personal data other than by electronic means (i.e. paper records).
How does the data protection law protect me?
The above laws give you a number of rights in respect of the personal data that we collect from you and how we are allowed to use it.
In particular it gives you the rights set out in the “My Rights” section later in this notice.
It also provides that we are only allowed to use personal data if we have a lawful basis to do so. We set out what we do with the personal data we collect and our lawful basis for doing so in the section headed “How does Hodge collect and use my personal data”.
What does personal data mean and what types of personal information are included?
‘Personal data’ means any information that enables a person to be directly and/or indirectly identified in both electronic and physical formats.
In order to carry out our work with you, we collect many types of personal information as listed:
|Type of personal information||Description|
|Financial||Your financial position, status and history.|
|Contact Details||Where you live and how to contact you.|
|Socio-Demographic||This includes details about your work or profession, nationality, education and where you fit into general social or income groupings.|
|Transactional||Details about payments to and from your accounts with us.|
|Contractual||Details about the products or services we provide to you.|
|Behavioural||Details about how you use our products and services.|
|Technical||Details on the devices and technology you use including ‘Cookies’ on which we set out more information below.|
|Communications||What we learn about you from letters, emails and conversations between us.|
|Open Data and Public Records||Details about you that are in public records, such as the Electoral Register, and information about you that is openly available on the internet.|
|Documentary Data||Details about you that are stored in documents in different formats, or copies of them. This could include things like your passport, driver’s licence or birth certificate.|
|Special types of data||The law and other regulations treat some types of personal information as special. We will only collect and use these types of data if the law allows us to do so:
|Consents||Any permissions, consents or preferences that you give us, such as marketing you opt-in to.|
|National Identifier||A number or code given to you by a government to identify who you are, such as a National Insurance number.|
Where does Hodge get my personal information from?
There are a number of places where we obtain your personal information:
Data you give to us:
- When you apply for our products and services
- When you talk to us on the phone
- When you use our websites
- In emails and letters
- In financial reviews and interviews
- In customer surveys
Data we collect when you use our services. This includes the amount, frequency, type, origin and recipients:
- Payment and transaction data.
- Profile and usage data. This includes the profile you create to identify yourself when you connect to our internet services. It also includes other data about how you use those services. We gather this data from devices you use to connect to those services, such as computers and mobile phones, using cookies and other internet tracking software.
Data from third parties we work with:
- Companies that introduce you to us
- Financial advisers
- Card associations
- Credit reference agencies
- Fraud prevention agencies
- Payroll service providers
- Land agents
- Public information sources such as Companies House
- Agents working on our behalf
- Government and law enforcement agencies.
What basis does Hodge use to process my personal data?
We will only process your personal data when we have a ‘lawful’ basis to do so:
- To fulfil a contract we have with you, or because you have asked us to process your personal data to support entering into a contract.
- When it is our legal duty to do so, for example where we are required to comply with money laundering regulations.
- When it is in our and your legitimate interest, for example, tailoring our service to meet your specific needs. Where you have expressly provided consent to undertake a specific activity.
- Where we perform a task in the public interest, for example sharing fraudulent information with relevant bodies.
- Where the legitimate interest has a sound business reason and we are processing your information in a way that is ‘best for you’.
How does Hodge collect and use my personal information?
Here is a list of all the ways that we may use your personal information, and which of the reasons we rely on to do so. This is also where we tell you what our legitimate interests are.
|What we use your personal data for:||Our lawful basis for doing so:|
|• To deliver our products and services
• To make and manage customer payments
• To manage our relationship with you or your business
• To manage fees, charges and interest due on customer accounts
• To collect and recover money that it owed to us
• To manage and provide treasury and investment products and services
|The performance of a contract with you or in order to take steps at your request prior to entering into that contract.
Where we are not doing these things to perform our contract with you, we may, subject to your rights under the “My Rights” section, process your personal data to do these things in our legitimate interests of:
• providing banking services and products to you in an efficient way;
• developing new products and services and what we charge for them;
• keeping our records up to date, working out which products or services may be of interest to you;
• developing and improving how we deal with financial crime, as well as doing our legal duties in this respect.
|• To develop new ways to meet our customers’ needs and to grow our business;
• To develop and carry out marketing activities;
• To study how our customers’ use products and services from us and other organisations;
• To provide advice or guidance about our products and services;
• To develop and manage our brands, products and services
• To run our business in an efficient and proper way. This includes managing our financial position, business capability, planning, communications, corporate governance and audit;
• To communicate with you and provide updates to you on our products and services;
• To operate, administer, maintain, provide, analyse and improve our websites and the services available through the website;
• To investigate and address any comments, queries or complaints made by you regarding the website, and any similar or related comments, queries or complaints from other users.
|Subject to your rights set out below under the ‘My Rights’ section, we do these things in our legitimate interests of:
• providing banking services and products to you in an efficient way including by way of information via a website;
• developing new products and services and what we charge for them;
• keeping our records up to date, working out which products or services may be of interest to you;
• developing and improving how we deal with financial crime, as well as doing our legal duties in this respect.
|• To respond to or investigate complaints that you may make.||We do this to comply with laws and regulations to which we are subject.
We may also do this to manage risk for our customers because of our legal obligations and also because it is in our legitimate interests as a bank to do so (subject to your rights set out under the ‘My Rights’ section below).
|• To conduct anti-money laundering searches; conduct credit searches;
• To detect, investigate, report and seek to prevent financial crime;
• To manage risk for our customers;
• To obey with other laws and regulations that may apply to us and the running of our business.
|We do this to comply with laws to which we are subject.
We may also report crimes and suspected crimes where it is in the public interest to do.
|• To communicate with you for marketing purposes||Where we have asked for your consent to do this and have informed you that we will only market to you on the basis of this consent, then we are relying on consent to do this.
If we have not asked for your consent, then we may still send marketing information to you. We send these marketing communications based on our legitimate interests of providing banking services and information that may be useful to you.
The method of communication may vary as set out below:
— we will only contact you via your personal email address for marketing purposes if: (i) you have given your consent (see ‘Marketing and opting out’ below);or (ii) you have previously bought goods and services from us and we are contacting you to let you know about similar goods and services that we offer (see ‘Marketing and opting out’ below). You have the right at any time to let us know that you no longer wish to receive marketing communications from us.
You can withdraw your consent at any time. Please contact us if you want to do so by writing to the Data Protection Officer.
If we are processing your personal data on the basis of your consent and you withdraw your consent, then we stop the relevant processing and we may not be able to provide certain products or services to you. If this is the case, we will tell you.
What personal data do you use for marketing purposes?
We may use your personal data to tell you about relevant products and offers. This is what we mean when we talk about ‘marketing’.
The personal data we have for you is made up of what you tell us, and data we collect when you use our services, or from third parties we work with.
We study this to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.
As set out above, we will only use your personal data to send you marketing messages if we have either your consent or a ‘legitimate interest’ i.e. when we have a business or commercial reason to use your information and we are doing it in a way that is best for you.
You can ask us to stop sending you marketing messages by contacting us at any time.
Whatever you choose, you’ll still receive statements, and other important information such as changes to your existing products and services.
We may ask you to confirm or update your choices if you take out any new products or services with us in future. We will also ask you to do this if there are changes in the law, regulation, or the structure of our business.
If you change your mind you can update your choices at any time by contacting us.
Do you ever share my personal information with third parties?
We may share your personal information with third parties working with us in order to carry out our work for you or with third parties to whom we choose to sell, transfer or merge parts of our business or assets. Those who we share data are set out below:
- Agents and advisers who we use to help run your accounts and services, collect what you owe, and explore new ways of doing business
- Hodge approved service providers in relation to this application;
- Other members of the Group to which the Bank belongs, including its subsidiaries and associated companies;
- Regulators or authorities where required or permitted by law.
- HM Revenue & Customs, regulators and other authorities.
- UK Financial Services Compensation Scheme.
- Credit reference agencies.
- Fraud prevention agencies.
- Any party linked with you or your business’s products or services.
- Companies we have a joint venture or agreement to co-operate with
- Independent Financial Advisors
- Companies you ask us to share your data with.
We may need to share your personal information with other organisations to provide you with the product or service you have chosen:
- If you use direct debits, we will share your data with the Direct Debit scheme.
- If you have a secured loan or mortgage with us, we may share information with other lenders who also hold a charge on the property.
If you require more information on who we send your personal data to we will provide this on request.
Transfers of data outside of the UK and EEA
From time to time we may need to transfer your personal data to countries outside the United Kingdom or European Economic Area, which comprises the EU member states plus Norway, Iceland and Liechtenstein (“EEA”). Non-EEA countries that we may need to transfer your personal data to include the United States of America.
Such countries may not have similar protections in place regarding protection and use of your personal data as those set out in this Policy. Therefore, if we do transfer your personal data to countries outside the EEA we will take reasonable steps in accordance with applicable laws to ensure adequate protections are in place to ensure the security of your personal data including:
— use of approved contractual clauses;
— ensuring that we only transfer your personal data to persons or entities that are appropriately authorised and/or accredited to process personal data in compliance with applicable laws;
— By submitting your personal data to us in accordance with this notice you consent to these transfers for the purposes specified in this notice.
What are automated decisions and how do you use them in relation to my personal data?
Automated decision are decisions using your personal data undertaken by automated means. We sometimes use systems to make automated decisions based on personal information we have – or are allowed to collect from others – about you or your business.
This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know. These automated decisions can affect the products, services or features we may offer you now or in the future, or the price that we charge you for them.
Here are the types of automated decision we make:
|Pricing||We may decide what to charge for some products and services based on what we know.|
|Tailoring products and services||We may place you in groups with similar customers. These are called customer segments. We use these to study and learn about our customers’ needs, and to make decisions based on what we learn. This helps us to design products and services for different customer segments, and to manage our relationships with them.|
|Detecting fraud||We use your personal information to help decide if your personal or business accounts may be being used for fraud or money-laundering. We may detect that an account is being used in ways that fraudsters work. Or we may notice that an account is being used in a way that is unusual for you or your business. If we think there is a risk of fraud, we may stop activity on the accounts or refuse access to them.|
|Opening accounts||When you open an account with us, we check that the product or service is relevant for you, based on what we know. We also check that you or your business meets the conditions needed to open the account. This may include checking age, residency, nationality or financial position.|
Do I have any rights in relation to the way automated decision are made?
Yes, you have rights over automated decisions:
- You can ask that we do not make our decision based on the automated score alone.
- You can object to an automated decision, and ask that a person reviews it.
If you want to know more about these rights, please contact us by emailing firstname.lastname@example.org .
We use some external bodies to undertake automated decisioning. For example:
Credit Reference Agencies (CRAs)
We carry out credit and identity checks when you apply for a product or services for you or your business. We may use Credit Reference Agencies to help us with this.
If you use our services, from time to time we may also search information that the CRAs have, to help us manage those accounts.
We will share your personal information with CRAs and they will give us information about you. The data we exchange can include:
- Name, address and date of birth
- Credit application
- Details of any shared credit
- Financial situation and history
- Public information, from sources such as the electoral register and Companies House.
We’ll use this data to:
- Assess whether you or your business is able to afford to make repayments
- Make sure what you’ve told us is true and correct
- Help detect and prevent financial crime
- Manage accounts with us
- Trace and recover debts
- Make sure that we tell you about relevant offers.
We will go on sharing your personal information with CRAs for as long as you are a customer. This will include details about your settled accounts and any debts not fully repaid on time. It will also include details of funds going into the account, and the account balance. If you borrow, it will also include details of your repayments and whether you repay in full and on time. The CRAs may give this information to other organisations that want to check credit status. We will also tell the CRAs when you settle your accounts with us.
When we ask CRAs about you or your business, they will note it on your credit file. This is called a credit search. Other lenders may see this and we may see credit searches from other lenders.
If you apply for a product with someone else, we will link your records with theirs. We will do the same if you tell us you have a spouse, partner or civil partner – or that you are in business with other partners or directors.
You should tell them about this before you apply for a product or service. It is important that they know your records will be linked together, and that credit searches may be made on them.
CRAs will also link your records together. These links will stay on your files unless one of you asks the CRAs to break the link. You will normally need to give proof that you no longer have a financial link with each other.
You can find out more about the CRAs on their websites, in the Credit Reference Agency Information Notice. This includes details about:
- Who they are
- Their role as fraud prevention agencies
- The data they hold and how they use it
- How they share personal information
- How long they can keep data
- Your data protection rights.
Here are links to the information notice for each of the three main Credit Reference Agencies:
Fraud Prevention Agencies (FPAs)
We may need to confirm your identity before we provide products or services to you or your business. Once you have become a customer of ours, we will also share your personal information as needed to help detect fraud and money-laundering risks. We use Fraud Prevention Agencies to help us with this.
Both we and fraud prevention agencies can only use your personal information if we have a proper reason to do so. It must be needed either for us to obey the law, or for a ‘legitimate interest’.
A legitimate interest is when we have a business or commercial reason to use your information. This must not unfairly go against what is right and best for you.
We will use the information to:
- Confirm identities
- Help prevent fraud and money-laundering
- Fulfil any contracts you or your business has with us.
We or an FPA may allow law enforcement agencies to access your personal information. This is to support their duty to detect, investigate, prevent and prosecute crime.
FPAs can keep personal information for different lengths of time. They can keep your data for up to six years if they find a risk of fraud or money-laundering.
The information we use
These are some of the kinds of personal information that we use:
- Date of birth
- Residential address
- History of where you have lived
- Contact details, such as email addresses and phone numbers
- Financial data
- Data relating to your or your businesses products or services
- Employment details
Automated decisions for fraud prevention
The information we have for you or your business is made up of what you tell us, and data we collect when you use our services, or from third parties we work with.
We and FPAs may process your personal information in systems that look for fraud by studying patterns in the data. We may find that an account is being used in ways that fraudsters work. Or we may notice that an account is being used in a way that is unusual for you or your business. Either of these could indicate a possible risk of fraud or money-laundering.
How this can affect you
If we or an FPA decide there is a risk of fraud, we may stop activity on the accounts or block access to them. FPAs will also keep a record of the risk that you or your business may pose.
This may result in other organisations refusing to provide you with products or services, or to employ you.
What happens if I choose not to give you my personal information?
We may need to collect personal data by law, or under the terms of a contract we have with you.
If you choose not to give us this personal data, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform services needed to run your accounts or policies. It could mean that we cancel a product or service you have with us.
Any data collection that is optional would be made clear at the point of collection.
How long will you keep my personal information?
We will keep your personal data for as long as you are a customer of Hodge.
After you stop being a customer, we may keep your data for up to 12 years for one of these reasons:
- To respond to any questions or complaints.
- To show that we treated you fairly.
- To maintain records according to rules that apply to us.
We may keep your data for longer than 12 years if we cannot delete it for legal, regulatory or technical reasons. We may also keep it for research or statistical purposes. If we do, we will make sure that your privacy is protected and only use it for those purposes.
Once we no longer need to keep your data and we have no legal or technical reason for keeping your data we will delete it or irreversibly encrypt it.
Under certain circumstances, you have rights under data protection laws in relation to your personal data, these rights are detailed in the sections below. If you wish to exercise any of these rights, please contact us.
- What we may need from you:
You will not have to pay a fee to access your personal data or exercise any of your rights but we may need to request specific information from you to help us confirm your identity to ensure your rights to access your personal data (or to exercise any other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you for further information in relation to your request to speed up our response.
However, please note that we may charge a reasonable fee if your request to access your data or exercise any other of your rights, if your request is clearly unfounded, excessive or repetitive. Alternatively, we could refuse to comply with your request in these circumstances.
- Time limit for us to respond
We will try to respond to all legitimate requests within one month occasionally it could take longer than a month if your request is particularly complex or you have made number of requests. In this case, we will notify you and keep you updated.
My right to request access:
You can access your personal data that we hold by submitting a Subject Access Request by writing to or emailing the Data Protection Officer.
My right to request correction:
You have the right to ask us to correct any personal data we hold about you that you think is wrong or incomplete. Please contact us if you want to do this. If you do, we will take reasonable steps to check its accuracy and correct it.
My right to request erasure:
You have the right, in certain circumstances, to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where we have successfully exercised your right to object to the processing or where we may have processed your information unlawfully or where we are required to erase your data to comply with local law. Please note, however, we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you if applicable, at the time of your request.
My right to object to processing:
You have the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel that it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
My right to restrict processing:
You have the right to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data’s accuracy.
- Where our use of the data is unlawful, but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
My right to request a transfer:
You have the right, in certain circumstances, to request the transfer of your personal data to you or a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. For more information please see the section above headed ‘Do I have any rights in relation to the way automated decision are made?’.
My right to withdraw consent at any time:
Where we are relying on consent to process your personal data you have the rights to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
How can I complain if I am not happy?
We hope that we can resolve any query or concern you may raise about our use of your personal information. Please let us know if you are unhappy with how we have used your personal information. You can contact us by writing to or emailing the Data Protection Officer. You also have the right to complain to the Information Commissioner’s Office. Find out how to on their website https://ico.org.uk/concerns/.