Personal data and authorisation

We explain how and why we use personal data collected via forms on our online portals: Connect, RegData and Online Invoicing.

The forms on Connect and RegData are used by firms (including sole traders) applying for authorisations (such as FSMA, Consumer Credit, Payment Services, Electronic Money Authorisation and Registration Application), mandatory notification (such as, FCA PSD2 Exclusion Notification, MiFID II Ancillary Activity Exemption Notification and Electronic Trading Notification) and for other reporting, identification or application purposes. The forms on Online Invoicing are used by firms (including sole traders) for submitting fee tariff data, viewing fees information/invoices, making payments (using direct debit or card payments) and requesting refunds. This information is obtained for the FCA and the other regulatory organisations we collect fees & levies on behalf of. Further information is available on Fees and Levies page.  

The personal data we use

Connect and RegData collect information which regulated firms (including sole traders) are required by statute to report or provide to us. For example, under the Financial Services and Markets Act 2000, regulated firms (including sole traders) have a legal obligation to provide us with certain information. The majority of the information is about the firm’s business, such as how it is structured and how it operates, but some personal data about the firm’s employees and clients may also occasionally be required (such as names, contact details, residency, geographical location, previous addresses, date of birth, place of birth, National Insurance numbers, passport numbers, nationality, criminal records, personal opinions, health information). Where the authorised firm is a sole trader, much of the related information will also be personal data. Online Invoicing collects information from firms (including sole traders). This includes some personal data about the firm’s registered user (such as name and contact details). Firms (including sole traders) may also provide bank details for paying fees by direct debit or to receive fee refunds.

We may also use personal data collected by these online systems for our supervisory purposes. For example, we may use firm employee’s contact details for the purpose of distributing surveys or compulsory information requests to firms, as well as potentially for other forms of supervisory contact.

The personal data we collect also includes technical data such as traffic, location, time zone and other communication data; and information from your computer or device, such as your internet protocol (IP) addresses, the login data, browser type and version, operating system and platform you use to access Connect.

How this personal data is collected

As mentioned above, the majority of this personal data is collected via our online systems – Connect, RegData and Online Invoicing. Occasionally we also make specific ad hoc information requests to regulated firms (including sole traders) by other means.

Why we use this personal data

We use this personal data to ensure that we are able to fulfil our relevant statutory functions.

We collect the technical data for the purposes of monitoring and investigating any suspicious activity, misuse of our ICT systems and for the purposes of maintaining cyber security.  Automatic profiling may alert us of certain activities relating to the technical data.  Where such alerts are received by us, we will decide whether to investigate further and there will be no automated decision process.

The lawful basis for us using this personal data

We use this personal data under Article 6(1)(e) of the UK GDPR (it is necessary for performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018. To the extent that any special categories of data are collected via Connect, RegData and Online Invoicing is used by us, this is done under Article 9(2)(g) of the UK GDPR (it is necessary for reasons of substantial public interest) and Section 10(3) of the DPA 2018, in that it meets a condition in Part 2 of Schedule 1 of the DPA 2018 and we have an appropriate policy document covering this processing activity.

When we share personal data collected via our Connect, RegData and Online Invoicing portals

Given our role as a regulator, where necessary and appropriate we do share personal data with other regulators, public authorities and law enforcement agencies both inside and outside the UK. In some circumstances we choose to share this information and, in others, we are obliged for legal reasons to share the information. Either way, we ensure that any sharing of personal data is in line with our obligations under data protection law.

In the majority of cases, the law and our policies allow us to share this information without obtaining the consent of the individuals involved. (In these cases, we ensure that any sharing of personal data is nonetheless lawful and furthers the public interest in effective international regulation.)

When this personal data is transferred outside the UK and the EU

Given the international nature of our wider regulatory work, where necessary and appropriate we share personal data with third parties, most commonly regulators and law enforcement agencies, outside the EU. We will only transfer personal data outside the EU if permitted by the UK GDPR or DPA 2018. We have robust processes to ensure that appropriate safeguards are in place to protect any personal data included in such transfers. The FCA is a signatory to several administrative arrangements for the transfer of personal data from the FCA to non-EEA regulators. These arrangements act as an appropriate safeguard when the FCA shares personal data with non-EEA regulators that have signed these arrangements. View the full text of these administrative arrangements.   

Learn about your rights

Under the UK GDPR, individuals have a number of rights relating to their personal data. Read more about your rights and how to exercise them.

Page updates

: Editorial amendment page updated as part of website refresh
: Editorial amendment GDPR update

05/08/2020: Information changed Update to the personal data we use