This is the privacy notice for British Business Investments Ltd, which has been written in accordance with UK data protection laws to explain what personal data we process and why.
Date last updated: 11 January 2024
1. Who we are
1.1 British Business Investments (“BBI”) is the trading name of British Business Investments Ltd, a wholly owned commercial subsidiary of British Business Bank plc (“British Business Bank” or “BBB”) registered in England and Wales, registration number 09091930, registered office at Steel City House, West Street, Sheffield S1 2GQ.
1.2 BBI is the controller for the Personal Data it processes and is registered with the Information Commissioner’s Office (reference no. ZA084020). BBI relies on BBB to provide core support services such as Finance, HR, IT, Legal, Procurement, Risk and Compliance, and Internal Audit. For more information about BBB, see the BBB privacy notice.
1.3 BBI, as a commercial subsidiary of the British Business Bank, aims to improve access to alternative finance for smaller businesses across the whole of the UK, while supporting the UK’s transition to a net zero economy and generating a return for the UK taxpayer. BBI works with the market to provide funding through our delivery partners. Our partners have investment programmes for a broad range of small and high growth businesses across sectors, regions, and business stages. Find out more about our objectives.
1.4 Neither BBI (nor any part of the British Business Bank’s Group) is a banking institution and does not operate as such and is not authorised or regulated by the Prudential Regulation Authority (PRA) or the Financial Conduct Authority (FCA). A complete legal structure chart for the British Business Bank’s Group is available here: Corporate information and subsidiary companies - British Business Bank (british-business-bank.co.uk).
1.5 For the purposes of this privacy notice, the terms:
“British Business Bank” means British Business Bank plc and other companies in the British Business Bank group (including without limitation, the Start Up Loans Company (registration number 08117656), British Business Finance Ltd (registration number 09091928), British Business Investments Ltd (registration number 09091930), British Patient Capital (registration number 11271076), and British Business Financial Services Ltd (registration number 09174621).
“Data Subjects” means the individuals whose Personal Data we process, which can be potential and actual applicants, loan recipients, delivery partner representatives, business contacts, etc.
“Delivery Partners” refers to a variety of finance providers to whom BBI makes financial commitments, who then provide debt or equity financing to smaller businesses. These delivery partners vary widely and include challenger banks, asset finance providers, fintech lenders, debt funds, angel networks and venture capital fund of funds managers.
“DBT” refers to the Department for Business and Trade.
“Personal Data” as defined in UK GDPR “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
2. Why we process Personal Data
2.1 BBI increases the supply of alternative finance for smaller businesses in the UK, by making financial commitments to Delivery Partners, who then provide debt or equity financing to smaller businesses. The tables below show BBI’s activities that process Personal Data, the types of Personal Data, the categories of data subject, and the lawful basis for processing.
2.2 We may collect and process the following Personal Data about you:
A. Information you provide to us.
No. | Purpose | Personal Data Processed | Lawful Basis |
---|---|---|---|
1 | Contacting Us (enquiries, complaints) | We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you. Data subjects: applicants, delivery partners, loan recipients, business contacts, suppliers, general public | Art. 6(1)(e) public task |
2 | Requesting information under the Freedom of Information Act or Data Protection Act | We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you. Data subjects: requestors | Art. 6(1)(c) legal obligation |
3 | Attending an event or workshop, collecting your business contact details, taking photographs or video of you | We may need your name, organisation, and contact details to book your place at an event. Where we chair panels or host events, we may ask guest speakers or participants to provide us with a short biography to include in programme materials. When we organise or attend events, we may also collect your business card or contact details for the purpose of adding you to our contacts list, so that we can email you about future events or to send you marketing materials. We always try to tell you of our intention when we collect the information and you can unsubscribe at any time from any marketing (see Section 8). When we organise events, we may take photographs or video recordings at the venue. We will always tell you of our intention to create photos/ videos and give you the option to opt out of being photographed or filmed. These photos/videos may be used on the Bank’s webpage, social media channels or in printed/electronic reports we publish. These photos/videos may also be shared with and used by our official event partners. Data subjects: business contacts, delivery partners, loan recipients, suppliers, fund managers | Art. 6(1)(a) consent where the information you provide is optional Art. 6(1)(e) public task to achieve our objectives |
4 | Responding to a survey or market research | We usually need your name and contact details, especially if you want us to share the results. Depending on the market research, you may also choose to provide us with more information, for example your own experiences, opinions, gender, ethnicity, etc. Data subjects: business contacts, delivery partners, loan recipients, fund managers, suppliers | Art. 6(1)(a) consent where the information you provide is optional Art. 6(1)(e) public task to achieve our objectives Art. 9(2)(a) consent where special category data is provided, e.g., ethnicity, health, etc. |
5 | Providing details for case studies | We need your name and contact details to develop the case study about your company’s experience. Data subjects: business contacts, delivery partners, loan recipients, investors, fund managers, suppliers, employees | Art. 6(1)(a) consent |
B. Information we collect or obtain through our programmes:
No. | Purpose | Personal Data Processed | Lawful Basis |
---|---|---|---|
1 | Request for Proposals for investment | We will process your Personal Data when you express an interest in one of our investment programmes (e.g. your name, contact details, company name, and role). If you proceed to the formal proposal and due diligence stages, we will also need to process information about your fund and fund management company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth of you and key personnel within your company (e.g. partners, lead contacts, directors, shareholders/ ownership structures, and individuals with a controlling interest). At proposal stage, we will carry out KYC checks (See the Know Your Customer Due Diligence section below) Additionally, we may request business contact details for the senior management of companies as part of the process to obtain references about prospective Fund Managers, and the other Limited Partners in the round. We also collect information in respect of gender and diversity of our fund managers and investee companies. We will continue to process information throughout our relationship with the fund manager, which will include Personal Data. Data subjects: company representatives, Directors, beneficial owners | Art. 6(1)(e) public task to achieve our objectives Art. 6(1)(c) legal obligation to protect public money under the Anti-Money Laundering Regulations Processing diversity information under Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment |
2 | Know Your Customer / Due Diligence | As part of our due diligence process, we will request information from you that will be augmented from publicly available information and / or proprietary databases to obtain information about the fund management company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism, and anti-money laundering measures. We will process this information for the onboarding process and throughout the relationship, updating the information on a periodic basis. Data subjects: company representatives, Directors, beneficial owners | Art. 6(1)(e) processing under public task |
3 | Debt finance investment programme | We currently have three investment programmes: UK Debt Funds, FinTech and Structured Capital Solutions. When you apply for anyone of these solutions, you will be asked to complete the Request for Proposals and provide information about yourself and your company. (see B1 above). If we invest, we will continue to process Personal Data from the investee company for business purposes, including periodic know your customer / due diligence checks, as well as information about the investment recipients, which may include Personal Data if the recipient is a sole trader or limited partnership. Data subjects: company representatives, Directors, beneficial owners, fund managers | Art. 6(1)(e) processing under public task |
3 | Equity Capital | We currently have two programmes UK Managed Funds and the Regional Angels Programme. When you apply for one of these programmes, you will be asked to complete the Request for Proposals and provide information about yourself and your company (see B1 above). If we invest, we will continue to process Personal Data from the investee company for business purposes, including know your customer/ due diligence checks, as well as information about the investment recipients, which may include Personal Data if the recipient is a sole trader or limited partnership. Data subjects: company representatives, Directors, beneficial owners, fund managers | Art. 6(1)(e) processing under public task |
C. General business activities:
No. | Purpose | Personal Data Processed | Lawful Basis |
---|---|---|---|
1 | Business Improvements | We may process Personal Data as part of our work to develop, test, improve and evaluate our systems and processes. The Personal Data processed will vary according to the specific activity but will always be the minimum necessary. Data subjects: company representatives, Directors, beneficial owners, fund managers, employees, requestors, subscribers, etc. | Art. 6(1)(c) processing under legal obligation Art. 6(1)(e) public task |
2 | Business Management & Operations | We process Personal Data every day to deliver our services, which includes complying with our policies; communicating with colleagues and stakeholders, managing our employees, contractors, and suppliers; carrying out our legal, financial, and regulatory duties, as well as our governance, risk management and audit functions. The Personal Data processed will vary according to the specific activity, but will be the minimum necessary. Data subjects: company representatives, Directors, beneficial owners, fund managers, employees, requestors, subscribers, etc. | Art. 6(1)(c) legal obligation Art. 6(1)(e) public task |
3 | Cookies and website | The BBI website is part of the British Business Bank website. Data is collected when you visit our web pages, which may include, amongst other things; traffic data and communication data, for the purpose of improving our website performance, system administration and to evaluate use of our websites. We use cookies and similar technologies to distinguish you from other users of these sites. Further information about the cookies used is available in our Cookie Policy. Data subjects: web browsers | Art. 6(1)(a) consent for the cookies that are not strictly necessary. |
4 | Market Research | We may commission market research to better understand the finance markets or how our programmes have been received or how we can deliver services to smaller businesses or the different segments of the market, for example looking at equality. We may commission a provider to carry out surveys or consultations on our behalf who will then provide us with aggregated anonymous results. On some occasions, we may be required to give the provider Personal Data to enable the initial contact to be made to determine if you are willing to take part in the survey or consultation. Data subjects: company representatives, Directors, beneficial owners, fund managers, employees, requestors, subscribers, etc. | Art. 6(1)(f) legitimate interests |
3. Automated decision making
3.1 We do not currently make any automated decisions about you using only technology, where none of our employees or any other individual are involved. However, it is possible automated decisions or profiling do occur with cookie and other similar technology that are enabled on our websites. If you believe you have been subject to automated decision making or profiling, you have the right to contact us and ask for a manual review (please see our contact details in Section 11).
4. How we safeguard Personal Data
4.1 We have technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, loss, destruction, or damage, which include encryption, information classification, anonymisation, and pseudonymisation. Our files are protected with safeguards according to the sensitivity of the relevant information, and access controls are placed on our systems. Physical access to areas where Personal Data is gathered, processed, or stored is limited to authorised employees. 4.2 BBB plc (including BBI Ltd) I’s employees are required to follow all applicable laws and regulations, including in relation to data protection laws. Access to Special Category Data (sensitive Personal Data) is limited to those who need to it to perform their roles. Unauthorised use or disclosure of Personal Data is prohibited and may result in disciplinary measures.
5. How long we keep Personal Data
5.1 We keep Personal Data for as long as necessary for the purpose for which it is processed. We typically keep information for a minimum of seven years from the last action, for example when an investment ceases, file closure, contract end, etc.
6. Where we transfer Personal Data to
6.1 Personal data is predominantly stored in the UK or the European Union; however, where we process Personal Data elsewhere, we shall ensure it is protected and transferred in a manner consistent with legal requirements and in accordance with adequacy agreements and / or appropriate safeguards (i.e., International Data Transfer Agreements).
7. Sharing Personal Data
7.1 We rely on the British Business Bank to fulfil some of our core activities, so Personal Data is shared within BBB and its subsidiaries for the purposes described above.
7.2 We may share your Personal Data with Government departments, public-sector bodies and other associated organisations for the purpose of programmes administration, market analysis, research and data analysis and analytics, for example including, but not limited to: DBT, HMRC, Cabinet Office, HM Treasury, UK Finance, Financial Conduct Authority, Prudential Regulation Authority, NATIS, National Crime Agency, Bank of England, Office of National Statistics.
7.3 We may also share Personal Data if we are required or permitted to do so by applicable law, regulation or legal process, for example including (but not limited to) HMRC for payroll or tax purposes; Financial Conduct Authority, Financial Ombudsman Service, Information Commissioner’s Office as independent Regulators; Health and Safety Executive to report health and safety matters; with the UK Government and / or the European Commission to comply with the UK’s international subsidiary reporting requirements and / or State aid laws.
7.4 We may also share Personal Data with law enforcement or other government officials to help prevent or detect crime or apprehend or prosecute offenders; when we believe disclosure is necessary to prevent physical harm or financial loss to us, or one of our subsidiaries, colleagues, or stakeholders; to establish, exercise or defend our legal rights; in connection with an investigation of suspected or actual fraud, illegal activity, or any security matters.
7.5 Where we contract any part of our business operations or functions that involve the processing of Personal Data, we have contractual clauses to ensure the Personal Data is processed in accordance with data protection requirements. Our contracted providers include (but are not limited to) IT and communication providers; market research; data analysis; accountants; auditors; debt collection etc. A list of our key contracted providers is available on Contracts Finder.
8. Marketing
8.1 We may use your Personal Data to provide you with marketing information that you request or that we consider may interest you, by post, email and/or telephone (including SMS), unless, at the time we collect your contact information, you have indicated that you do not want to receive marketing information.
8.2 We do not buy or sell Personal Data for marketing purposes.
8.3 If you no longer wish to receive marketing communications from us, you can ‘opt out’ of them at any time. You will be able to change your preferences by clicking on the relevant link at the bottom of any marketing emails you may receive. You may also ask us at any time not to use your Personal Data for marketing purposes by contacting us via the methods listed in the ‘How to contact us’ section below.
9. Confidential information
9.1 We are a public body and subject to the Freedom of Information Act 2000 (FOIA). The FOIA provides people the right to request access to recorded information and we are obliged to disclose the information unless an FOIA exemption applies. Section 40 of the FOIA provides an exemption to the disclosure of personal data and, although it is not absolute, the exemption applies where the disclosure would contravene data protection.
9.2 Under the FOIA, we are only permitted to protect information that is actually confidential in law and where, if we were to disclose it, we could be sued for breach of confidence. Information you give us which you may consider confidential, or may mark as confidential, may in fact not be confidential in law. However, in respect of any information we receive from you that is truly confidential, we will take steps to ensure it remains confidential.
10. Data Subject Rights
10.1 Data protection provides rights to data subjects; these rights are listed below, and you can exercise them by contacting us using the details in Section 11.
Term | Definition |
---|---|
Consent | If we are processing your Personal Data on the basis of consent, for example you have subscribed to our mailing list, you have the right to withdraw your consent at any time and expect us to carry out your wishes promptly. |
The right of access | The right to request access to the Personal Data we hold about you, subject to exceptions. |
The right to object | Where you have actively provided your consent for us to process your Personal Data, the right to withdraw your consent at any time, for example to be removed from our marketing lists. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason (other than consent) for doing so. |
The right of data portability | In some circumstances, the right to receive some Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit such data to a third party where this is feasible. Please note that this right only applies to Personal Data which you have provided to us. |
The right to rectification | The right to correct any errors in Personal Data we hold about you, and to change or correct any details you have already given us. It is important that any contact data you provide is kept accurate and up to date so that we can contact you should we need to. |
The right to erasure | The right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data where we are legally entitled to retain it. |
The right to restrict processing | The right to request that we restrict our processing of your Personal Data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your Personal Data where we are legally entitled to refuse that request. |
10.2 Data protection rights are not always absolute and where we cannot fulfil the request, we will explain why. For general information about data rights, see the Information Commissioner’s website at ico.org.uk/your-data-matters.
11. Contacting us
11.1 If you have any questions or comments regarding how we handle your Personal Data, you can contact us or our Data Protection Officer at: [email protected] or write to the British Business Bank, Steel City House, West Street, Sheffield, S1 2GQ.
11.2 If, after speaking to us regarding any of the ways we use your Personal Data, you wish to make a complaint, you can do so by contacting the Information Commissioner’s Office at The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or see their website for alternative contact details: www.ico.org.uk.