This page explains how and why we use personal data that is collected via forms on our online portals called Connect and Gabriel.
The forms on Connect and Gabriel are used by firms (including sole traders) applying for authorisations (such as FSMA, Consumer Credit, Payment Services, Electronic Money Authorisation and Registration Application), mandatory notification (such as, FCA PSD2 Exclusion Notification, MiFID II Ancillary Activity Exemption Notification and Electronic Trading Notification) and for other reporting, identification or application purposes.
The personal data we use
Connect and Gabriel collect information which regulated firms (including sole traders) are required by statute to report or provide to us. For example, under the Financial Services and Markets Act 2000, regulated firms (including sole traders) have a legal obligation to provide us with certain information. The majority of the information is about the firm’s business, such as how it is structured and how it operates, but some personal data about the firm’s employees and clients may also occasionally be required (such as names, contact details, residency, geographical location, previous addresses, date of birth, place of birth, National Insurance numbers, passport numbers, nationality, criminal records, personal opinions, health information). Where the authorised firm is a sole trader, much of the related information will also be personal data.
How this personal data is collected
As mentioned above, the majority of this personal data is collected via our online systems – Connect and Gabriel. Occasionally we also make specific ad hoc information requests to regulated firms (including sole traders) by other means.
Why we use this personal data
We use this personal data to ensure that we are able to fulfil our relevant statutory functions.
The lawful basis for us using this personal data
We use this personal data under Article 6(1)(e) of the GDPR (it is necessary for performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018. To the extent that any special categories of data are collected via Connect and Gabriel and used by us, this is done under Article 9(2)(g) of the GDPR (it is necessary for reasons of substantial public interest) and Section 10(3) of the DPA 2018, in that it meets a condition in Part 2 of Schedule 1 of the DPA 2018 and we have an appropriate policy document covering this processing activity.
When we share personal data collected via our Connect and Gabriel portals
Given our role as a regulator, where necessary and appropriate we do share personal data with other regulators, public authorities and law enforcement agencies both inside and outside the UK. In some circumstances we choose to share this information and, in others, we are obliged for legal reasons to share the information. Either way, we ensure that any sharing of personal data is in line with our obligations under data protection law.
In the majority of cases, the law and our policies allow us to share this information without obtaining the consent of the individuals involved. (In these cases we ensure that any sharing of personal data is nonetheless lawful and furthers the public interest in effective international regulation.)
When personal data collected via our Connect and Gabriel portals is transferred outside the EU
As mentioned above, occasionally we share personal data with other regulators, public authorities and law enforcement agencies outside the EU. Before we transfer personal data outside the EU, we have robust processes to ensure that appropriate safeguards are put in place to protect any personal data included in such a transfer. If you would like to obtain more details about the safeguards that we have in place with regard to any personal data about you that we may transfer to a particular non-EU country, please contact us.
Learn about your rights
Under the GDPR, individuals have a number of rights relating to their personal data. Read more about your rights and how to exercise them.