Open Banking Limited is a private company incorporated and registered in England with company number 10440081 (referred to as “OBIE”, “we”, “us”, or “our” in this Privacy Notice). OBIE is committed to respecting the privacy of everyone about whom we process personal data.
We process personal data about individuals (“you”, “your”) who:
- have enrolled with us to participate in the development of APIs and be kept informed;
- have enrolled on the Open Banking Directory;
- have enrolled with OBIE for DMS;
- are journalists or stakeholders whom we communicate with;
- use our website (or related microsites); or
- own personal data we process for any of the other purposes explained below.
We do not process any personal data belonging to customers of open banking enabled services. You can find out more about our role in our Customer FAQs. If you need further information about any of the terms in this Privacy Notice, the Glossary is a great place to look.
If you work, or have worked, at OBIE and have a question about the use of data relating to you, or you would like to exercise your rights in respect of that data, please contact firstname.lastname@example.org. A separate privacy notice is in place for those who work for OBIE.
This Privacy Notice explains how we use your personal data. It may be amended from time to time so please check back on a regular basis.
We collect and store (and may share) the information detailed below and are responsible for how it is used. If you have a question in relation to your personal data processed by us, then please email email@example.com.
We process your data on the following lawful bases: with your consent; where it is necessary for us to perform a contract we have with you, or because you have asked us to take specific steps before entering into a contract; because the processing is necessary for us to comply with the law; or where the processing is necessary for our legitimate interests or the legitimate interests of a third party. We review the bases for our processing decisions carefully and you can object to these activities at any time (see the “Your Rights” section of this Privacy Notice).
We have a data retention policy that ensures we don’t use or store your personal data for longer than necessary. We consider the following issues to determine retention periods: guidance from the Information Commissioner’s Office and industry best practice; the use(s) of the personal data; the business rationale for collection and expiry of the purpose for which personal data was collected; our ongoing ability to ensure the accuracy of the personal data; and our legal and regulatory requirements.
What Personal Data We Collect & Why
Browsing our website
If you browse our website (www.openbanking.org.uk) or any related microsites (including standards.openbanking.org.uk, together the “Site(s)”) without registering or logging in, your IP address is collected and stored for 26 months to compile statistical analysis of the pages of the Site(s) you visit and to help us develop our business, products, services and Site(s).
Keeping you informed about Open Banking
You have the option of asking to be kept informed about OBIE’s activities (including marketing) by registering via our website. When you do this, we will send you updates about Open Banking and news about open banking-related activities which we think may be of interest to you. We won’t provide your data to anyone else. We will use this information for two years to continue to send you news and updates or invitations to participate in our activities, unless you ask us not to.
Additionally, we use your information:
- to compile analysis of the pages of the Site(s) which you visit;
- to help us develop our business, products, services and Site(s);
- for direct marketing; and
- for internal administration and/or analysis.
The use of this information is necessary to support the legitimate interests of OBIE in developing the open banking ecosystem.
Open Banking Services
We also use your information to:
- administer any services we provide to you;
- deal with technical queries raised by Participants across the Open Banking ecosystem;
- consider any applications or requests for information or advice made by you; and
- comply with any legal or regulatory obligations.
If your company enrols in the Open Banking Directory (the “Directory”) and/or the Dispute Management System (“DMS”), we will collect the name, job title, email address and phone number for your nominated primary business contact and nominated contacts. We require this information for each Participant. This information will also be used by OBIE to communicate with you during the course of your participation in the Directory and/or DMS.
Additionally, we will collect the name, job title, email address and phone number of any technical contacts who raise a ticket via the Open Banking Service Desk.
Open Banking Service Desk
The technical contacts and business contact information is also made available to other enrolled Participants in the Open Banking Services to enable them to contact you directly during the course of your participation in the Directory when necessary (e.g. when diagnosing technical connection problems between entities or when resolving payment service user enquiries or disputes).
Enrolment, Operations Security and Integrity
In the course of processing your enrolment you will be asked to provide both a copy of your passport or national identity card, and a copy of a document verifying your residential address. We will use and share (with our third party processors) this information to verify your identity which is necessary to prevent fraudulent use of Open Banking’s services.
As part of that identification and specifically for the purposes of enrolment and to prevent fraud, we may also receive information about you from third parties (such as, but not limited to, fraud prevention or credit reference agencies).
We also collect the following information every time you use Open Banking services:
- user name;
- date and time of each successful login and unsuccessful login attempt;
- the IP addresses and protocols used to communicate with the Directory;
- technical information such as information about the browser or identity of the system used to access the Directory;
- technical information about the device used for two factor authentication which may include phone number, device ID and any other technical information used to authenticate a login; and
- details of all activities performed while logged in.
The use of this information is necessary to support the legitimate interests of OBIE to protect the operations, security and integrity of Open Banking services and for help in troubleshooting problems.
This information may be retained for up to six years as it may be required to establish, exercise or defend legal claims.
Participation in Open Banking Working Groups and Consultative Forums
If you participate in any Open Banking working groups, consultative forums (or similar), your personal details, typically your name, job title and the organisation you represent, may appear in agendas, minutes and reports. OBIE processes this data in accordance with its legal obligations. Meetings requiring minuting or other record keeping are typically recorded (through transcripts and/or audio recordings) in accordance with OBIE’s legitimate interests.
Cyber Fraud Information Exchange
If you register on the Open Banking Cyber Fraud Information Exchange (the “Information Exchange”), we will collect your name and email address as part of the registration. This information will also be used by OBIE to communicate with you about your participation in the Information Exchange and to support collaboration with the Open Banking ecosystem.
This data will also be processed if you use associated tools available on the Information Exchange.
Journalists and Stakeholders
One of OBIE’s core missions is to explain how Open Banking works and our role in the payments and FinTech ecosystem. To facilitate this, OBIE maintains contact information (name, email address, phone numbers) of journalists and stakeholders. Generally we have this information because you have given it to us. If you’d like us to stop talking to you about Open Banking, then please let your contact know or alternatively email firstname.lastname@example.org and we’ll make sure this happens.
Sharing Your Information
We use a number of other companies to help us provide the Open Banking services. These third parties act on our instructions and carry out services on our behalf – they are processors.
And, if you enrol in the Open Banking Services your data will also be processed by these third parties:
- certificate issuance and management service provider;
- identity verification provider(s);
- cloud-based authentication and identification service provider; and
- Pay UK.
Where it is strictly necessary and/or to meet our legal obligations, we may also share your information:
- with our professional advisers and external auditors;
- with forensic investigators;
- in response to requests from law enforcement authorities or regulators; and
- with other Directory participants (if applicable).
Your personal data may sometimes be transferred to countries outside the UK and EEA. Where we conduct such transfers, we take all appropriate safeguards to ensure that your personal data remains protected, in accordance with applicable privacy legislation and this Privacy Notice. Such protections include implementing Standard Contractual Clauses, relying on data protection adequacy decisions by the UK or the European Commission, or any such similar provisions which offer the security and protection mandated by legislation and this Privacy Notice. If you would like further information in respect of a particular processing operation please contact email@example.com.
You have rights under data protection laws in relation to your personal data. In particular, you may have rights to:
- request access to your personal data – this enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it;
- request correction of the personal data that we hold about you;
- request erasure of your personal data – this enables you to ask us to remove personal data in order to comply with local law, or where there is no good reason for us continuing to process it or you have successfully exercised your right to object to processing or we may have processed your information unlawfully;
- object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and you feel the processing impacts on your fundamental rights and freedoms;
- object where we are processing your personal data for direct marketing purposes;
- request restriction of processing of your personal data – this enables you to ask us to suspend the processing of your personal data in certain circumstances;
- request the transfer of your personal data to you or to a third party – this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you;
- withdraw consent at any time where we are relying on consent to process your personal data.
If you wish to exercise any of your above rights, or if you have any questions or concerns about our Privacy Notice or personal data we hold about you please contact firstname.lastname@example.org.
You also have the right to complain to the Information Commissioner’s Office. You can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/, call its helpline on +44 (0)303 123 1113, or write to:
Information Commissioner’s Office