Personal data and authorisation

This page explains how and why we use personal data that is collected via forms on our online portals called Connect and Gabriel.

The forms on Connect and Gabriel are used by firms (including sole traders) applying for authorisations (such as FSMA, Consumer Credit, Payment Services, Electronic Money Authorisation and Registration Application), mandatory notification (such as, FCA PSD2 Exclusion Notification, MiFID II Ancillary Activity Exemption Notification and Electronic Trading Notification) and for other reporting, identification or application purposes.

The personal data we use

Connect and Gabriel collect information which regulated firms (including sole traders) are required by statute to report or provide to us. For example, under the Financial Services and Markets Act 2000, regulated firms (including sole traders) have a legal obligation to provide us with certain information. The majority of the information is about the firm’s business, such as how it is structured and how it operates, but some personal data about the firm’s employees and clients may also occasionally be required (such as names, contact details, residency, geographical location, previous addresses, date of birth, place of birth, National Insurance numbers, passport numbers, nationality, criminal records, personal opinions, health information). Where the authorised firm is a sole trader, much of the related information will also be personal data.

The personal data we collect also includes technical data such as traffic, location, time zone and other communication data; and information from your computer or device, such as your internet protocol (IP) addresses, the login data, browser type and version, operating system and platform you use to access Connect and Consumer Credit Interim Permission (CCI) system.

How this personal data is collected

As mentioned above, the majority of this personal data is collected via our online systems – Connect and Gabriel. Occasionally we also make specific ad hoc information requests to regulated firms (including sole traders) by other means.

Why we use this personal data

We use this personal data to ensure that we are able to fulfil our relevant statutory functions.

We collect the technical data for the purposes of monitoring and investigating any suspicious activity, misuse of our ICT systems and for the purposes of maintaining cyber security.  Automatic profiling may alert us of certain activities relating to the technical data.  Where such alerts are received by us, we will decide whether to investigate further and there will be no automated decision process.

The lawful basis for us using this personal data

We use this personal data under Article 6(1)(e) of the GDPR (it is necessary for performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018. To the extent that any special categories of data are collected via Connect and Gabriel and used by us, this is done under Article 9(2)(g) of the GDPR (it is necessary for reasons of substantial public interest) and Section 10(3) of the DPA 2018, in that it meets a condition in Part 2 of Schedule 1 of the DPA 2018 and we have an appropriate policy document covering this processing activity.

When we share personal data collected via our Connect and Gabriel portals

Given our role as a regulator, where necessary and appropriate we do share personal data with other regulators, public authorities and law enforcement agencies both inside and outside the UK. In some circumstances we choose to share this information and, in others, we are obliged for legal reasons to share the information. Either way, we ensure that any sharing of personal data is in line with our obligations under data protection law.

In the majority of cases, the law and our policies allow us to share this information without obtaining the consent of the individuals involved. (In these cases we ensure that any sharing of personal data is nonetheless lawful and furthers the public interest in effective international regulation.)

When personal data collected via our Connect and Gabriel portals is transferred outside the EU

As mentioned above, occasionally we share personal data with other regulators, public authorities and law enforcement agencies outside the EU. Before we transfer personal data outside the EU, we have robust processes to ensure that appropriate safeguards are put in place to protect any personal data included in such a transfer. If you would like to obtain more details about the safeguards that we have in place with regard to any personal data about you that we may transfer to a particular non-EU country, please contact us.

Learn about your rights

Under the GDPR, individuals have a number of rights relating to their personal data. Read more about your rights and how to exercise them.