Personal data and authorisation

We explain how and why we use personal data collected via forms on our online portals: Connect, RegData and Online Invoicing.

The forms on Connect and RegData are used by firms (including sole traders) applying for authorisations (such as FSMA, Consumer Credit, Payment Services, Electronic Money Authorisation and Registration Application), making mandatory notifications (such as FCA PSD2 Exclusion Notification, MiFID II Ancillary Activity Exemption Notification and Electronic Trading Notification) and for other reporting, identification or application purposes. We assess those applications, often asking for further information, documentation, or evidence to complete our assessments.

The forms on Online Invoicing are used by firms (including sole traders) for submitting fee tariff data, viewing fees information/invoices, making payments (using direct debit or card payments) and requesting refunds. This information is obtained for the FCA and the other regulatory organisations we collect fees & levies on behalf of. Further information is available on the Fees and Levies page.

The personal data we use

Connect and RegData collect information which regulated firms (including sole traders) are required by statute to report or provide to us. For example, under the Financial Services and Markets Act 2000, regulated firms (including sole traders) have a legal obligation to provide us with certain information. The majority of the information is about the firm’s business, such as how it is structured and how it operates, but some personal data about the firm’s employees and clients may also occasionally be required (such as names, contact details, residency, geographical location, previous addresses, date of birth, place of birth, National Insurance numbers, passport numbers, nationality, criminal records, personal opinions, health information). Where the authorised firm is a sole trader, much of the related information will also be personal data. In addition, personal data may be incidentally collected when creating digital copies of phone or video calls as part of the application assessment process.  

Online Invoicing collects information from firms (including sole traders). This includes some personal data about the firm’s registered user (such as name and contact details). Firms (including sole traders) may also provide bank details for paying fees by direct debit or to receive fee refunds.

The personal data we collect also includes technical data such as traffic, location, time zone and other communication data; and information from your computer or device, such as your internet protocol (IP) addresses, the login data, browser type and version, operating system and platform you use to access Connect.

How this personal data is collected

As mentioned above, the majority of this personal data is collected via our online systems – Connect, RegData and Online Invoicing. Occasionally we also make specific ad hoc information requests to regulated firms (including sole traders) by other means.  

Personal data may also be collected through written notes and digital copies of phone calls or video calls, which may be recorded to evidence the assessments undertaken on applications received.

Why we collect and use this personal data

We use this personal data to ensure that we are able to fulfil our relevant statutory functions. We may also use this personal data, including recorded phone and video calls, to discharge our other functions (for example, our enforcement and supervisory functions). We have separate privacy policies in respect of our enforcement and supervisory functions which can be accessed on the FCA website.

We record some of our video and phone calls so that we have an accurate record of information that contributes to the assessments and decisions we make – this supports good decision making.

We collect the technical data for the purposes of monitoring and investigating any suspicious activity, misuse of our ICT systems and for the purposes of maintaining cyber security. Automatic profiling may alert us to certain activities relating to the technical data. Where such alerts are received by us, we will decide whether to investigate further and there will be no automated decision process.

The lawful basis for us using this personal data

We use this personal data under Article 6(1)(e) of the UK GDPR (it is necessary for performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018. To the extent that any special category data collected via Connect, RegData and Online Invoicing is used by us, this is done under Article 9(2)(g) of the UK GDPR (it is necessary for reasons of substantial public interest) and Section 10(3) of the DPA 2018, in that it meets a condition in Part 2 of Schedule 1 of the DPA 2018 and we have an appropriate policy document covering this processing activity.

When we share personal data collected via our Connect, RegData and Online Invoicing portals

Given our role as a regulator, where necessary and appropriate we do share personal data with other regulators, public authorities and law enforcement agencies both inside and outside the UK. In some circumstances we choose to share this information and in others, we are obliged for legal reasons to share the information. Either way, we ensure that any sharing of personal data is in line with our obligations under data protection law.

In the majority of cases, the law and our policies allow us to share this information without obtaining the consent of the individuals involved. (In these cases, we ensure that any sharing of personal data is nonetheless lawful and furthers the public interest in effective international regulation.)

When this personal data is transferred outside the UK and the EU

Given the international nature of our wider regulatory work, where necessary and appropriate we share personal data with third parties, most commonly regulators and law enforcement agencies, outside the EU. We will only transfer personal data outside the EU if permitted by the UK GDPR or DPA 2018. We have robust processes to ensure that appropriate safeguards are in place to protect any personal data included in such transfers. The FCA is a signatory to several administrative arrangements for the transfer of personal data from the FCA to non-EEA regulators. These arrangements act as an appropriate safeguard when the FCA shares personal data with non-EEA regulators that have signed these arrangements.  View the full text of these administrative arrangements. 

Data retention

Our retention policy sets out how long we hold all information, including any personal data used for each of the areas mentioned in this privacy notice.

Learn about your rights

Under the UK GDPR, individuals have a number of rights relating to their personal data. Read more about your rights and how to exercise them.

Page updates

: Editorial amendment page updated as part of website refresh
: Editorial amendment GDPR update

05/08/2020: Information changed Update to the personal data we use