This page explains how and why we use personal data that is collected via forms on our online portals called Connect, Gabriel and Online Invoicing.
The forms on Connect and Gabriel are used by firms (including sole traders) applying for authorisations (such as FSMA, Consumer Credit, Payment Services, Electronic Money Authorisation and Registration Application), mandatory notification (such as, FCA PSD2 Exclusion Notification, MiFID II Ancillary Activity Exemption Notification and Electronic Trading Notification) and for other reporting, identification or application purposes. The forms on Online Invoicing are used by firms (including sole traders) for submitting fee tariff data, viewing fees information/invoices, making payments (using direct debit or card payments) and requesting refunds. This information is obtained for the FCA and the other regulatory organisations we collect fees & levies on behalf of. Further information is available on Fees and Levies page.
The personal data we use
Connect and Gabriel collect information which regulated firms (including sole traders) are required by statute to report or provide to us. For example, under the Financial Services and Markets Act 2000, regulated firms (including sole traders) have a legal obligation to provide us with certain information. The majority of the information is about the firm’s business, such as how it is structured and how it operates, but some personal data about the firm’s employees and clients may also occasionally be required (such as names, contact details, residency, geographical location, previous addresses, date of birth, place of birth, National Insurance numbers, passport numbers, nationality, criminal records, personal opinions, health information). Where the authorised firm is a sole trader, much of the related information will also be personal data. Online Invoicing collects information from firms (including sole traders). This includes some personal data about the firm’s registered user (such as name and contact details). Firms (including sole traders) may also provide bank details for paying fees by direct debit or to receive fee refunds.
We may also use personal data collected by these online systems for our supervisory purposes. For example, we may use firm employee’s contact details for the purpose of distributing surveys or compulsory information requests to firms, as well as potentially for other forms of supervisory contact.
The personal data we collect also includes technical data such as traffic, location, time zone and other communication data; and information from your computer or device, such as your internet protocol (IP) addresses, the login data, browser type and version, operating system and platform you use to access Connect and Consumer Credit Interim Permission (CCI) system.
How this personal data is collected
As mentioned above, the majority of this personal data is collected via our online systems – Connect, Gabriel and Online Invoicing. Occasionally we also make specific ad hoc information requests to regulated firms (including sole traders) by other means.
Why we use this personal data
We use this personal data to ensure that we are able to fulfil our relevant statutory functions.
We collect the technical data for the purposes of monitoring and investigating any suspicious activity, misuse of our ICT systems and for the purposes of maintaining cyber security. Automatic profiling may alert us of certain activities relating to the technical data. Where such alerts are received by us, we will decide whether to investigate further and there will be no automated decision process.
The lawful basis for us using this personal data
We use this personal data under Article 6(1)(e) of the GDPR (it is necessary for performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018. To the extent that any special categories of data are collected via Connect, Gabriel and Online Invoicing is used by us, this is done under Article 9(2)(g) of the GDPR (it is necessary for reasons of substantial public interest) and Section 10(3) of the DPA 2018, in that it meets a condition in Part 2 of Schedule 1 of the DPA 2018 and we have an appropriate policy document covering this processing activity.
When we share personal data collected via our Connect, Gabriel and Online Invoicing portals
Given our role as a regulator, where necessary and appropriate we do share personal data with other regulators, public authorities and law enforcement agencies both inside and outside the UK. In some circumstances we choose to share this information and, in others, we are obliged for legal reasons to share the information. Either way, we ensure that any sharing of personal data is in line with our obligations under data protection law.
In the majority of cases, the law and our policies allow us to share this information without obtaining the consent of the individuals involved. (In these cases we ensure that any sharing of personal data is nonetheless lawful and furthers the public interest in effective international regulation.)
When personal data collected via our Connect, Gabriel and Online Invoicing portals is transferred outside the EU
As mentioned above, occasionally we share personal data with other regulators, public authorities and law enforcement agencies outside the EU. Before we transfer personal data outside the EU, we have robust processes to ensure that appropriate safeguards are put in place to protect any personal data included in such a transfer. If you would like to obtain more details about the safeguards that we have in place with regard to any personal data about you that we may transfer to a particular non-EU country, please contact us.
Learn about your rights
Under the GDPR, individuals have a number of rights relating to their personal data. Read more about your rights and how to exercise them.