Privacy notice

This privacy notice outlines the FCA’s operational and core activities as a data controller, where we are responsible for the collection and use of personal data, how and why we use your personal data, and how this applies in different aspects of our work.

How we use your personal data

As a data-led regulator, we use personal data to fulfil statutory functions and other duties. To learn more about how we use personal data in connection with our regulatory and operational activities, please visit the links below.

In addition to the uses of your personal data described in our privacy notices above, the following use of your personal data generally applies:

When you contact us and/or when we contact you

We process your personal data for various reasons, including addressing your enquiries or concerns, when you subscribe to our newsletters or attend our online or in-person events or meetings, and when we have a business relationship with you.

When we record calls or meetings

We process data to create records of meetings, events or calls. This could be through various sources, such as calls received by our contact centre, switchboard, or message recording system, or when we conduct online or in-person meetings.

These records may consist of voice and/or video recordings as well as speech-to-text transcripts, including AI-powered transcription. During meetings and calls, personal data such as names, contact details, and any information shared during interactions may be collected. This may include recorded phone and video calls, written notes, and digital copies. Depending upon our statutory and operational requirements, we may be required to keep written/digital notes and recordings to maintain an accurate record of information to support our work and aid our decision-making. Your data is collected solely for our specified purpose, record keeping, quality assurance, or training purposes and is retained in accordance with our retention schedule.

  • You will be notified in advance or at the beginning of any meeting if recording or transcription is in progress, and, where applicable, you will be provided with options to opt out of being recorded.
  • For call recording and transcription, we use Microsoft Teams (powered by AI Transcription) and other FCA-approved applications.

When we use AI

We may process your personal data using various analytical tools and advanced technologies, such as machine learning and artificial intelligence. This helps us to use our resources efficiently. This includes both internally developed tools and IT services provided by third parties through the cloud. We may also use your personal data in the development and testing of these tools.

When you visit our offices

We process your data when you visit our offices for the purpose of maintaining the security of the building and the welfare of people on the premises, including staff and property protection.

  • During your visit to our offices, you are required to provide your details and present a form of photo identification. Your identification is used solely for verification and is not recorded for any other purpose.
  • We process visitors’ data to maintain a log for security and emergency evacuation, which may include information from closed circuit television (CCTV) in areas where monitoring is indicated by signage which is operated both inside and outside our premises.
  • We share this data with co-occupiers of our office premises, law enforcement agencies, or public authorities when appropriate or required by law.
  • We also process your data when you sign up for the Wi-Fi services when you are visiting our offices.

Processing this data is necessary under Article 6(1)(e) of the UK GDPR (this processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority) or in accordance with the legitimate interest lawful basis provided by Article 6(1)(f) of the UK GDPR.

When a film on our website includes public place footage

We ensure that the footage only captures people in the background who are not identifiable. For other videos, we obtain permission from everyone appearing, which includes FCA research participants, vox pop interviews, conferences, and webinars.

How we store or share your personal information

The FCA uses third-party suppliers for IT services, sharing personal data subject to contractual arrangements. These suppliers, as data processors, only act on our instructions outlined in contracts. When necessary, your personal information will be transferred outside the UK in compliance with the UK GDPR and Data Protection Act 2018. Personal data may also be processed by third-party data processors performing services for the FCA under contract.

The FCA may at times process personal data as a joint controller (such as, under section 166 of FSMA, where we make joint decisions around processing personal data with Skilled Persons or with the Prudential Regulation Authority (PRA)) or as a separate controller (where we share personal data) with other authorities (such as the PRA).

International transfers of personal data

Where the processing of personal data requires a transfer to other countries outside the UK, we will ensure that necessary safeguarding and protections are in place as set out by the UK GDPR and Data Protection Act 2018 and guidance issued by the Information Commissioner’s Office, such as checking the applicable adequacy regulations and implementing robust contractual and security safeguards with third-party recipients of personal data in compliance with UK data protection law.

Data retention

Our retention policy sets out how long we hold all information, including any personal data used for each of the areas mentioned in this privacy notice.

Your rights

Under the DPA 2018 and UK GDPR, you have certain rights regarding your personal data. For more details, see ICO | Individual Rights guidance. You can:

  • request access, deletion, or correction of your data,
  • object to how we use your data,
  • ask for your data to be transferred to another organisation, and
  • complain to the Information Commissioner’s Office if dissatisfied.

As a public authority and regulator carrying out functions in the public interest, we may rely on exemptions specified in the DPA 2018 that could affect any rights requests you submit. If exemptions are applied, we will inform you of the relevant exemption, its justification, and the potential impact on your request.

Additionally, when processing personal data for law enforcement purposes, information may be withheld if necessary to prevent prejudice to the detection and investigation of criminal offences.

We assign responsibilities among joint controllers and, if needed, notify or refer individuals to other controllers for rights requests.

To make a rights request

You should use the individual rights request form to exercise these rights. We require additional proof of identity before providing a response. You can also email us or write to us at: Information Disclosure Team, Financial Conduct Authority, 12 Endeavour Square, London, E20 1JN.

To make any FOIA request

You should refer to FCA | Freedom Information.

If you are unhappy with how we handled your rights or FOIA request, you can make a complaint to us – please see the ‘How to make a complaint’ section below.

How to make a complaint

Please carefully consider the guidance below on how to make specific complaints to avoid any delays in our responses.

  1. Complain about Individual Rights Request or Freedom of Information Act (FOIA) request or write to us at: Information Disclosure Team, Financial Conduct Authority, 12 Endeavour Square, London E20 1JN. If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office.
  2. To complain about how the FCA/PSR has handled your personal data or complete a printable form (PDF) or write to us at: Data Protection Compliance Team (Risk and Compliance Oversight Division), Financial Conduct Authority, 12 Endeavour Square, London E20 1JN. We will acknowledge your complaint within 30 days. If your complaint is complex or unclear, we may request clarification. Complex cases may require more time, and we will inform you of any delays. If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office.
  3. Complain about the FCA, the PRA or the Bank of England (the regulators).
  4. Complain about a financial product or service you have received, and when you should get in touch with the Financial Ombudsman Service.

Our Data Protection Officer

As a public authority, and a Data Controller, the FCA has an appointed Data Protection Officer (DPO) who oversees our internal data protection compliance. You can contact the DPO via email or write to: Data Protection Team (R&CO), Financial Conduct Authority, 12 Endeavour Square, London, E20 1JN.

If you have any particular questions or any feedback about our privacy notice, please email us.

Glossary of terms used in this privacy notice

  • Artificial intelligence or AI: AI is the development of computer systems that can perform tasks typically requiring human intelligence, such as learning, reasoning, and making decisions, often by processing large amounts of data to solve problems or achieve goals. AI is an umbrella term for a range of technologies and approaches that often attempt to mimic human thought to solve complex tasks. Things that humans have traditionally done by thinking and reasoning are increasingly being done by, or with the help of, AI.
  • DPA 2018: The Data Protection Act 2018
  • UK GDPR: The General Data Protection Regulation as it applies in the UK
  • ICO: The Information Commissioner’s Office
  • LED: The Law Enforcement Directive (EU) 2016/680
  • Data Controller: A person or organisation who determines the purposes and way any Personal Data is being or is to be Processed.
  • Joint Data Controllers: When the FCA and the other organisations (legal entity acting as a controller) ‘jointly’ decide the purposes and means of processing personal data for the same or shared purposes.
  • Data Processor: A natural or legal person, public authority, agency, or other body which Processes personal data on behalf of the controller.
  • Personal data: When we refer to personal data, we mean any information about a living identifiable individual who can be directly or indirectly identified from that information.
  • Process or Processing or use (of Personal Data): Processing means any action taken with personal data from the point of collection, use or reuse for a purpose, storage, sharing, erasing until secure disposal of it. Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. This includes, but is not limited to, any Processing of Personal Data for Law Enforcement Purposes.
  • Pseudonymise: The process of distinguishing individuals in a dataset by using a unique identifier which does not reveal their 'real world' identity.
  • Anonymise: The process that does not itself identify any individual and that is unlikely to allow any individual to be identified through its combination with other data.
  • Special categories of data: The special categories of data are specifically listed in the UK GDPR. They include race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, or information about a person’s sex life or sexual orientation. Previously referred to as 'sensitive personal data'.

Changes to this privacy notice

We keep our privacy notice under regular review. See 'last updated' at the top of the page for the date of the latest update.

  • Information added: When we use AI and CCTV
  • Information added: on how to make a personal data complaint.
  • Link changed: Individual rights request form link updated.
  • Information added: Updated to ensure GDPR compliance.
  • Information changed: information on the Financial Services Register moved to new page
  • Editorial amendment: page updated as part of website refresh
  • Information changed: Information updated
  • Information changed: Sensitive data
  • Editorial amendment: GDPR update
  • Information added: Personal data and recruitment page