Open Banking Limited (which we’re going to call the Open Banking Implementation Entity, or OBIE in this Privacy Notice) is committed to respecting the privacy of everyone who we interact with – whether that is because:
- you have enrolled with us to participate in the development of the APIs and be kept informed;
- you have enrolled on the Open Banking Directory;
- you have enrolled with OBIE for DMS; or
- you are a journalist or stakeholder who we communicate with
If you use the Payment Initiation Services or Account Information Services enabled by OBIE, we do not process your personal data. Neither does OBIE process any underlying Participant customer personal data. You can find out more about our role in our Customer FAQs. If you need further information about any of the terms in this Privacy Notice, the Glossary is a great place to look.
If you work, or have worked, at OBIE and have a question about the use of data relating to you, or you would like to exercise your rights in respect of that data, please contact firstname.lastname@example.org. A separate privacy notice is in place for those who work for OBIE.
Open Banking Limited is a private company incorporated and registered in England with company number 10440081 whose registered office is at 2 Thomas More Square, London, United Kingdom, E1W 1YN.
We collect and store (and share) the information detailed below and are responsible for how it is used. If you want to get in touch with us then please email email@example.com.
Browsing our website
This Privacy Notice explains how we use your personal data. It may be amended from time to time so please check back on a regular basis.
Keeping you informed about Open Banking
You have the option of asking to be kept informed of OBIE’s activities (including marketing) by registering via our website. When you do this, we will send you updates about the Open Banking APIs and news about other activities of OBIE which we think may be of interest to you. We won’t provide data relating to you to anyone else. We will use this information to continue to send you news and updates or participate in our activities, unless you ask us not to.
We may also use your information:
- to administer any services we provide to you including the Open Banking Services;
- to compile statistical analysis of the pages of the Site which you visit;
- to help us develop our business, products, services and the Site;
- for direct marketing;
- for internal administration and/or analysis;
- to deal with the technical queries raised by Participants across the Open Banking ecosystem;
- to consider any applications or requests for information or advice made by you; and
- to comply with any legal or regulatory obligations
The use of this information is necessary to support the legitimate interests of OBIE to develop the Open Banking Ecosystem.
Open Banking Services
If you apply to enrol in the Open Banking Directory (the “Directory”) and/or the Dispute Management System (“DMS”), we will collect the name, job title, email address and phone number for your nominated Primary Business Contact and nominated contacts. We require this information for each Participant. This information will also be used by OBIE to communicate with you about your participation in the Directory.
Open Banking Service Desk
Additionally, we will collect the name, job, title, email address and phone number of any technical contacts who raise a ticket via the Open Banking Service Desk.
The technical contacts and business contact information may also be made available to other enrolled Participants in the Open Banking Services to enable them to contact you directly about your participation in the Directory when necessary (e.g. when diagnosing technical connection problems between entities or when resolving payment service user enquiries or disputes).
In the course of processing your enrolment you will be asked to provide both a copy of your passport or national identity card, and a copy of a document verifying your residential address. We will use and share (with third parties) this information to verify your identity which is necessary to prevent fraudulent use of the Open Banking Services.
As part of that identification and specifically for the purposes of enrolment and to prevent fraud, we may also receive information about you from third parties (such as, but not limited to, fraud prevention or credit reference agencies). We may also collect the following information every time you interact with the Open Banking Services.
- User name;
- Date and time of each successful login and unsuccessful login attempt;
- The IP addresses and protocols used to communicate with the directory;
- Technical information such as information about the browser or identity of the system used to access the Directory;
- Technical information about the device used for two factor authentication which may include phone number, device ID and any other technical information used to authenticate a login;
- Details of all activities performed while logged in.
The use of this information is necessary to support the legitimate interests of OBIE to protect the operations, security and integrity of the Open Banking Services and for help in troubleshooting problems.
Your information will be retained for a reasonable period of time and may be retained up to six years as it may be required for establishment, exercise or defence of legal claims.
Participation in Open Banking Working Groups and Consultative Forums
If you participate in the work of Open Banking, your personal details, typically your name and the organisation you represent, may appear in agendas, minutes and reports. OBIE processes this data in accordance with its legal obligations under the CMA Order.
Cyber Fraud Information Exchange
If you register on the Open Banking Cyber Fraud Information Exchange (the Information Exchange), we will collect your name and email address as part of the registration. This information will also be used by OBIE to communicate with you about your participation in the Information Exchange and to support collaboration with the Open Banking Ecosystem.
This data will also be processed if you use associated tools available on the Information Exchange.
Journalists and Stakeholders
One of OBIE’s core missions is to explain how Open Banking works and our role in the payments and FinTech ecosystem. To facilitate this, the OBIE team members maintain contact information (name, email address, phone numbers) of journalists and stakeholders. Generally we have this information because you gave it to us. If you’d like us to stop talking to you about Open Banking then please let your contact know or alternatively email firstname.lastname@example.org and we’ll make sure this happens.
Sharing Your Information
We use a number of other companies to help us provide the Open Banking Services. These third parties act on our instructions and carry out services on our behalf (they are processors). Where we do this, we require them not to use your information for any other purposes. Your information may be processed by the following third parties.
- Website hosting providers
- Platform as a Service providers
- Cloud-based CRM software as a provider
- Web content distribution and security provider
- Web collaboration software, and
- Pay.UK Limited
And, if you enrol in the Open Banking Services, your data will also be processed by these third parties.
- Certificate issuance and management service provider
- Identity verification provider(s), and
- Cloud-based Authentication and identification service provider
Where it is strictly necessary and / or to meet our legal obligations, we may also share your information:
- with our professional advisers and external auditors;
- with forensic investigators;
- in response to requests from law enforcement authorities or regulators; and
- with other Directory participants (if applicable).
Your information may sometimes be processed in other countries, including countries outside the EEA. The laws of such countries may not provide the same standard of protection to individuals in respect of their personal information. However we will take reasonable steps to put in place measures to protect your information. In some cases this is the participation of the third party in the Privacy Shield Framework and in other cases we make sure there are contractual provisions based on standard data protection clauses. If you would like further information in respect of a particular processing operation please contact email@example.com.
The transition period associated with the United Kingdom’s exit from the European Union runs until the end of 2020. During the transition, European Union law continues to apply in the United Kingdom, so there are no changes to current policies and practices in relation to data transfers and privacy compliance at this time with respect to Brexit.
We will continue to actively monitor the ongoing Brexit situation.
If you wish to access, correct or delete any of your personal information as held by us, object or restrict the processing of data relating to you, or if you have any questions or concerns about our Privacy Notice or information we hold about you please contact firstname.lastname@example.org.