Privacy Policy
Last Updated: 19 December 2018
The Newcastle Building Society (the "Society") respects your privacy rights and takes its data protection obligations very seriously.
The Society's Privacy Policy for Intermediaries sets out our current policies and procedures about how we use personal data about you or your staff, and how we support your rights under data protection law in the UK. Any personal data that we hold about you or your staff will be stored and held securely by us on our computer systems.
You are likely to provide us personal data about your clients. Before you share that personal data with us, you must make sure that any personal data is, in particular, accurate, up to date, limited to what is necessary for the purposes of your client's requirement and that you have permission to share that personal data with the Society.
The Society collects your personal data when you register with us, apply on behalf of one of your clients for one of our products, request a service, when you visit our website, or communicate with us. The personal data we collect from you is data relevant to the provision of our products or services and will be kept securely and retained as long as is necessary for our contract with you, for our legitimate business purposes or to comply with any legal obligations around retaining data. This Privacy Policy applies to personal data which is supplied by you to the Society by any means whether via this website, by telephone, by email or letter, or face to face with our staff. It also applies to your personal data that we receive from others, such as your firm, other intermediaries or financial advisers in your firm, or any of our customers who you act for.
In certain circumstances we may securely share your personal data with third parties - more detail around this can be found in our full Privacy Policy links below.
It is important that you revisit this Privacy Policy regularly, as we may change the content to reflect how we work with our network of intermediaries.
Our privacy policy for our customers can be found at www.newcastle.co.uk/privacypolicy. We recommend you read this as you are required to draw this to your client's attention so that they have the opportunity to read and understand it.
NBS collects the following categories of personal data about you or your staff when visiting our website and when calling the Society:
- Personal details which you provide to the Society including name and contact information of yourself or of your staff.
- Identification documents including passport, driver's licence and other proof of address documents.
- Communications between you or your staff, and the Society.
- Details of meetings or calls you or your staff may have with the Society.
- Contractual details between you and the Society.
- Your security information, including usernames, PIN numbers, passwords, answers to secret questions, used to keep your account safe and secure.
- Management information including information about the nature of your referrals to the Society such as,
- Details of any service issues, or complaints.
- Details of the device being used where you access our services online but not details of who is using it.
- User activity details and user preferences at trend level, i.e. which pages on our site are being visited and how long they are being viewed for, but we cannot personally identify you.
- The website which you were referred to us by.
- Location details at trend level, i.e. which location you might be visiting our website from, but this is not necessarily accurate as it may come from server or data centres and we would not be able to identify you.
- Electronic identification data including IP address and information collected through cookies.
Sensitive personal data
We also collect certain sensitive types of personal data (which is known as special categories of personal data). This would include:
- Information we ask for such as criminal or health issues that may affect our ability to enter a contract with you.
- Information you provide for accessibility requirements.
- Information that we may hold by virtue of your communications with us or your transaction history which may reveal sensitive information about you or others.
The Society collects personal data from you and your staff or your firm, or publicly available information online.
Personal data supplied by you
- The Society collects personal data from you such as:
- When you register with us.
- When you or your staff enquire about or apply for our products and services on behalf of your client.
- When you use our website.
- In intermediary surveys.
- If you attend a seminar.
- If you take part in our competitions or promotions.
- If you make an enquiry or a complaint.
Personal data supplied by others
- The Society collects personal data about you from others such as:
- Mortgage intermediaries, and other intermediaries who introduce you to us.
- Any professional instructed by your clients such as their solicitor, conveyancer, surveyor or financial adviser.
- The solicitor or conveyancer of the other party to any transaction we are involved in.
- Public information sources such as Companies House, the Land Registry, the Financial Conduct Authority, the Insolvency Service, the Electoral Register or register of County Court Judgments.
- Government and law enforcement agencies.
What if I choose not to give personal data
- We may need to collect personal data by law (for example to identify who you are), or under the terms of a contract we have with you (for example your contact details).
- If you choose not to give us this information, it may delay or prevent us from providing our services to you and your client.
What happens with personal data I provide about my clients?
- Before you share that personal data with us, you must make sure that any personal data is, in particular, accurate, up to date, limited to what is necessary for the purposes of your client's requirement and that you have permission to share that personal data with the Society.
- Our privacy policy for our customers can be found at www.newcastle.co.uk/privacypolicy and it is important that you draw this to their attention and ask them to read it.
The Society processes personal data about you and your staff for certain purposes. Data protection law only allows us to use your personal data if we have a lawful reason. We have explained these purposes and the lawful reasons that we rely on to carry out that processing under data protection law below:
Performance of its contract with you
The Society processes your personal data for purposes to fulfil its contract with you. For example, this includes:
- Carrying out our intermediary registration.
- Entering into a contract with you.
- Communicating with you to administer and manage products and services which you are dealing with for your clients.
- Handling service requests or complaints.
- Making commission payments to you.
- Closing your account(s).
Processing data for legal and regulatory obligations
The Society is required to process your personal data for various legal and regulatory purposes. For example, this includes:
- Keeping accurate and up-to-date records, contact details and records of contractual and statutory rights.
- Retaining information for a specified amount of time.
- To adhere to laws and regulations which apply to us.
- To detect, investigate, report and prevent financial crime.
- To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
- To run our business in an efficient manner, including audit, corporate governance, risk and financial management, planning and business capability.
Processing data where we have your consent
The Society processes your personal data in certain circumstances where you have given your consent. For example, this includes:
- Providing you with information about our special offers, products and services that we feel may be of interest and benefit to you or your clients (unless you inform us that you do not want to receive such direct marketing).
- If you have provided sensitive personal data (also known as special categories of personal data) which we have recorded so that we can make appropriate adjustments for you.
Processing data where we have a legitimate interest to do so
The Society processes your personal data for various purposes where we believe we have a legitimate interest, and we have balanced this against your rights as an individual. For example, this includes:
- To monitor your use of our services and systems to ensure they are functioning correctly and efficiently.
- To monitor, develop and improve our services and for training and quality purposes, for example, we may conduct customer satisfaction surveys, and we may record calls and review complaints.
- To prevent and detect fraud, money laundering and other crime. This may include checking your location when you use a mobile device to help prevent fraud.
- Recovering debts from third parties.
- Business management and planning, including accounting, risk reporting and auditing to ensure our business is run efficiently and in accordance with best practices.
- To conduct data analytics studies to review and better understand our customers and how our products and services are delivered.
- Dealing with legal disputes.
How does the Society use my sensitive personal data?
- Some of your personal data which we hold will be sensitive personal data (or what is known as special categories of personal data). We will use your sensitive personal data in the following ways:
- Where we have your explicit consent. For example, to enable us to make necessary and appropriate adjustments for you in the administration of our products and services.
- Where we have a legal requirement to use it.
What happens if the purposes for processing change?
- We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated or incompatible purpose, we will notify you and we will explain the lawful reason which allows us to do so.
The personal data we hold about you is confidential. We will only disclose it outside the Society when:
- We are required to share it with a third party product provider to take steps as requested by your client, and you would like us to provide your details to them.
- We use a supplier to provide services which support our products and services which we provide to you. In this case, we remain responsible for your personal data.
- We or others need to investigate or prevent crime (e.g. to fraud prevention agencies).
- The law permits or requires it, or any other regulatory body requires it, even without your consent. For example, so that we can check your identity for fraud prevention before opening a new account or taking a mortgage.
- There is a duty to the public to reveal the information.
Businesses which support the Society in providing services to you.
We operate a complex yet robust and secure range of services. To deliver our services efficiently, we use various suppliers. All our suppliers and other entities in our corporate group which process personal data on our behalf are required to take appropriate security measures to protect your personal data. We do not allow them to use your personal data for their own purposes such as marketing. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
- These include:
- Newcastle Strategic Solutions Limited (a subsidiary of the Society), which provides savings management solutions to the Society.
- Newcastle Management Systems Limited (a subsidiary of the Society) which provides information systems and support to the Society.
- Mailing and print houses.
- Research and data analytics providers.
- Credit reference agencies and identity checking systems.
- Corporate insurance providers.
Others that we may provide your personal data to
- We may share your personal data where we are required to by law, or where we have a legitimate interest.
- For example, we may report suspicions of money laundering to the National Crime Agency or Action Fraud. We may also be required to support law enforcement agencies in their investigations. We may not be able to inform you of this in advance.
- We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of the business.
- We may share your personal data with regulatory bodies or ombudsman services or to otherwise comply with the law.
Information you provide to others
- Please be aware that our site may link to other websites. You may also provide personal data to others directly where they provide services to you. For example, where you speak directly to someone we have introduced you to.
- We are not responsible for the use of any personal data that you give directly to or are collected via such third parties.
- You should read the respective data policies or procedures of these third parties to find out how they use your personal data.
- We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
- The Society keeps your personal data for up to 12 months after your relationship has ended with the Society.
- We are required to keep your registration data for at least 12 months after the date of the last DIP submitted online to the Society.
- Details of periods of time for which we keep other aspects of your personal data are available in our data retention policy which is available from our Legal Services Department upon request.
- In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
- Once the relevant retention period has passed we will securely destroy your personal data in accordance with our data retention policy and data destruction policy.
Your rights in connection with personal data
Under certain circumstances, by data protection law in the UK you or your staff, where you are individual data subjects, have the right to:
Access your personal data
Request access to your personal data (commonly known as a “subject access request”). You may ask for and receive a copy of the personal data we hold about you by filling in our subject access request form which you can obtain [Insert link to form] or by writing to us at Principal Office, 1 Cobalt Park Way, Wallsend, NE28 9EJ, asking in a local branch, or calling us on 0345 734 4345. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee:
- if your request for access is clearly unfounded or excessive - we may also refuse to comply with the request in those circumstances; or
- in the event that you ask for further copies of the information
Amendment of personal data
- Request correction of the personal data that we hold about you. You may ask us to correct any incomplete or inaccurate information we hold about you.
- It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Erasure of personal data
- Request erasure of your personal data. You may ask us to delete or remove personal data where there is no good reason for us continuing to process it, or if you have objected to our processing (see below). We may have a legal reason or other legitimate reason to continue to process your personal data.
Withdrawal of consent
- To withdraw your consent. Where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you may withdraw your consent for that specific processing at any time. To withdraw your consent, please update your contact preferences via your online account, or contact us by telephone, in branch or in writing, whichever is easiest for you. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the original purpose, unless we have another legitimate basis for doing so in law. This will not affect the lawfulness of the processing that you consented to before you withdrew your consent.
Object to processing
- Object to processing of your personal data where we are relying on a legitimate interest to process your personal data and there is something about your particular situation which makes you want to object to processing on this ground.
- Object to direct marketing. You may ask us to stop processing your personal data for direct marketing purposes. To stop direct marketing, please update your contact preferences via your online account, or contact us by telephone, in branch or in writing.
- Object to automated decision making and profiling. You may ask us to stop processing your personal data to make decisions solely by automated means which have legal effects or similarly significant effects.
Restrict processing
- Request the restriction of processing of your personal data. You may ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
Transfer your data
- Request the transfer of your personal data to another party. You may ask us to provide your personal data in a form that you or another business can use.
Complain
- Lodge a complaint with the UK's Information Commissioner, or other applicable data protection regulator.
Contact us to exercise your rights
- If you want to make a request in relation to these rights, you can contact us by writing to us at Principal Office, 1 Cobalt Park Way, Wallsend, NE28 9EJ, asking in a local branch, or calling us on 0345 734 4345 or see our contact section of this Privacy Policy.
- We will notify others of your request to rectify, erase or restrict the processing of your personal data if we have shared your personal data in accordance.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
We have in place a range of security safeguards to protect your personal data against loss or theft, as well as unauthorised access, disclosure, copying, use, or modification, regardless of the format in which we hold it.
The way we do this depends on the sensitivity of the information and the format in which it is contained. Security measures include technological measures such as Transport Layer Security i.e. HTTPS, which creates a secure connection with your browser when you register and log in to our online services, physical measures like restricted access to offices and strategic measures such as our own clearances via a logical access process and limiting access to a "need-to-know" basis.
No data transmission over the internet or the telephone can be guaranteed to be perfectly secure. Any personal data you submit to us or access electronically or over the telephone is done at your own risk. You should also take care not to give any security credentials we provide you or you choose (such as a password) to anyone.
We will never ask you for your full security credentials. If you are unsure, please end the session or call the Society straight away on 0345 734 4345.
We endeavour to take all reasonable steps to protect your personal information but cannot guarantee the security of any data you disclose online.
Further information can be found at https://www.newcastle.co.uk/faqs/general-faqs/security-fraud-prevention/
In order that we can monitor and improve our websites we gather certain information about you when you use them, including details of your domain name and IP address, operating system, browser, version and the name of the website that you visited prior to our website (if you came to us through a search engine or another website for example).
A cookie is a text only string of information that a website transfers to the cookie file of the browser on your computer's hard disk so that the website can remember who you are. A cookie will typically contain the name of the domain from which the cookie has come, the "lifetime" of the cookie, and a value, usually a randomly generated unique number. Cookies cannot be used by themselves to identify you and are not computer programs, and can't cause any damage to your computer.
Persistent Cookies are created and stored on your computer's hard drive for a period of time to identify it to the site tracking tool. The cookie does not collect any personal information. The cookie we issue contains the following information:
- A uniquely generated random number so that we can differentiate visitors and the expiry date of the cookie
- Session Cookies are temporary cookies that remain in the cookie file of your browser until you leave our site. Session Cookies allow you to carry information across pages of our site and avoid having to re-enter information into calculators, tools, illustrations and demonstrations.
Disabling / Enabling Cookies
By modifying the settings of your browser, you may opt to accept cookies, to be informed when one is about to be placed on your computer, or to automatically reject all cookies. However, you will not be able to use all the interactive features of our site if cookies are disabled.
More information on cookies can be found at http://www.aboutcookies.org
Use of Web Beacons
Web beacons (sometimes known as clear or transparent gifs) are used to identify whether a recipient has opened an HTML email. When the email is opened the web beacon generates a record showing that the email has been viewed. Web Beacons may also recognise when the email was opened, how many times it was forwarded and which URLs (links within the email) were clicked.
These beacons do not carry any personally identifiable information and are only used to track the effectiveness of a campaign.
Disabling Web Beacons within Emails
If you do not wish to receive Web Beacons you will need to disable HTML images or refuse HTML (select Text only) emails via your email software.
Our website includes social media features, such as the Twitter and LinkedIn buttons, and Widgets, such as the Share This button or interactive mini-programs that run on our website. These features may collect your internet protocol address, which page you are visiting on our website, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our website. Your interactions with these features are governed by the privacy policy of the company providing it.
Our website may be linked to or from third party websites. These links are provided as a convenience only. We are not responsible for the content or privacy principles of websites that are linked to or from our website. You should review the privacy policies of any third party websites you visit.
We may change this Privacy Policy from time to time. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account or your home address) or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.
If you have a complaint please tell us about it. We take all complaints seriously and investigate all complaints. You can contact us by writing to us at Principal Office, 1 Cobalt Park Way, Wallsend, NE28 9EJ, asking in your local branch, or calling us on 0345 734 4345 or see our contact section of this Privacy Policy.
As an individual data subject, you also have the right to submit a complaint to the UK's Information Commissioner's Office (or ICO) or any other applicable data protection regulator.
We have appointed a data protection officer (DPO) to oversee compliance with this Privacy Policy. If you have any questions about this Privacy Policy or how we handle your personal data, please contact the DPO.
The contact details of the DPO for The Newcastle Building Society are as follows: NBSDPO@NEWCASTLE.CO.UK
The contact details of the DPO for Newcastle Financial Advisers Limited are as follows: NFALDPO@NEWCASTLE.CO.UK