Privacy policy

This privacy notice aims to explain what Personal Data we process and why.

We will review this notice on a regular basis to keep it up to date.

Date last updated: 21 November 2023

1. Who we are

1.1

British Patient Capital (“BPC”) is the trading name of British Patient Capital Limited, a wholly owned commercial subsidiary of British Business Bank plc (“British Business Bank”or “BBB”), registered in England and Wales, registration number 11271076, registered office at Steel City House, West Street, Sheffield S1 2GQ.

1.2

BPC is the controller for the Personal Data it processes and is registered with the Information Commissioner’s Office (reference no. ZA525068). BPC relies on the British Business Bank to provide core support services such as Finance, HR, IT, Legal, Procurement, Risk and Compliance, and Internal Audit, and for more information about BBB, see the BBB privacy notice.

1.3

BPC manages an investment portfolio designed to support UK companies with high growth potential to access the long-term financing they need to scale up. Through its core funds programme and LSIP programme, BPC invests in a diversified portfolio of best-in-class venture and growth capital funds, capturing value through financing the growth of innovative companies. Through its long-term co-investment strategy, BPC also invests directly, alongside its fund managers, in the most promising later- stage companies in its underlying portfolio. BPC has also launched Future Fund: Breakthrough (“FF:B”), a new £375m UK-wide scheme which encourages private investors to co-invest with BPC in high -growth innovative firms.

1.4

BPC (nor any part of the British Business Bank’s Group) is not a banking institution and does not operate as such and is not authorised or regulated by the PRA or FCA. A complete legal structure chart for the British Business Bank’s Group is available here: Corporate information and subsidiary companies – British Business Bank (british-business-bank.co.uk).

1.5

For the purposes of this privacy notice, the terms:

“Customers” means the individuals who contact us, for example, to make requests for information, participate in surveys and events, or to make a complaint. We are not a banking institution and do not have account customers.
“British Business Bank” means British Business Bank plc and other companies in the British Business Bank group (including without limitation, British Business Finance Ltd (registration number 09091928), British Business Investments Ltd (registration number 09091930) and British Business Financial Services Ltd (registration number 09174621).
“DBAT”refers to the Department for Business and Trade
“Personal Data” as defined in UK GDPR “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

2. Why we process Personal Data

2.1

BPC invests in venture and growth capital, capturing value through financing the growth of innovative companies. We focus on investing in both fixed term and evergreen funds and will consider co-investment alongside our portfolio funds and Direct investment in high-growth, innovative British companies operating in breakthrough technology sectors. The table below shows the activities that process Personal Data, the types of Personal Data, the categories of data subject, and the lawful basis for processing.

a. Personal Data you may provide to us

No.	Purpose	Personal Data Processed	Lawful Basis
1	Contacting Us (enquiries, complaints)	We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you.	Art. 6(1)(e) public task
2	Requesting information under the Freedom of Information Act or Data Protection Act	We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you.	Art. 6(1)(c) legal obligation
3	Attending an event or workshop, collecting your business contact details	We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you	Art. 6(1)(a) consent where the information you provide is optional Art. 6(1)(e) public task to achieve our objectives
4	Responding to a survey	We usually need your name and contact details, especially if you want us to share the results. Depending on the market research, you may also choose to provide us with more information, for example your own experiences, opinions, gender, ethnicity, etc.	Art. 6(1)(a) consent where the information you provide is optional Art. 6(1)(e) public task to achieve our objectives Art. 9(2)(a) consent where special category data is provided, e.g., ethnicity, health, etc.
5	Providing details for case studies	We need your name and contact details to develop the case study about your company’s experience.	Art. 6(1)(a) consent

b. Personal data we collect through our programmes.

No.	Purpose	Personal Data Processed	Lawful Basis
1	Fund Managers applying for investment from BPC pursuant to BPC’s core RFP and LSIP RFP	When applying for investment from BPC, you may provide personal data when you express an interest (name, contact details, proposal). If you proceed to the formal proposal and due diligence stages, we will also need to process information about your fund and fund management company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth of you and key personnel within your fund management company (e.g. partners, lead contacts, directors, shareholders, and individuals with a controlling interest). As part of the due diligence, we will use publicly available information and / or proprietary databases to obtain information about the fund management company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures. Additionally, we may request business contact details for senior management of companies in other portfolios as part of the process to obtain references about prospective Fund Managers, and the other Limited Partners in the round. We also collect information in respect of gender and diversity of our fund managers and investee companies. We will continue to process information throughout our relationship with the fund manager. In respect of LSIP, BPC may enter into arrangements with third-party investors in respect of collaborating jointly on potential investments under the Programme. Any such collaboration on specific investment proposals would be subject to agreement of the applicant fund manager.	Art. 6(1)(e) public task to achieve our objectives Art. 6(1)(c) legal obligation to protect public money under the Anti-Money Laundering Regulations Processing diversity information under Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment
2	BPC Direct (Co-Investments and Future Fund: Breakthrough)	Under BPC’s co-investment programme, we will process Personal Data about your fund management company and investee company , which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth, of you and key personnel within your fund management company and investee company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest). Under FF:B, we will process Personal Data about the Sponsor investor and investee company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth, of you and key personnel within your company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest). As part of due diligence, we will use publicly available information and / or proprietary databases to obtain information about the company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures. Additionally, we will request business contact details for the other investors in the round. Following the completion of the investment, we shall continue to process information throughout the relationship. We also collect information in respect of gender and diversity of investee companies, and the sponsor investor.	Art. 6(1)(e) public task to achieve our objectives Art. 6(1)(c) processing under legal obligation to protect public money under the Anti-Money Laundering Regulations Processing diversity information under Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment.

No.

Purpose

Personal Data Processed

Lawful Basis

Fund Managers applying for investment from BPC pursuant to BPC’s core RFP and LSIP RFP

When applying for investment from BPC, you may provide personal data when you express an interest (name, contact details, proposal). If you proceed to the formal proposal and due diligence stages, we will also need to process information about your fund and fund management company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth of you and key personnel within your fund management company (e.g. partners, lead contacts, directors, shareholders, and individuals with a controlling interest).

As part of the due diligence, we will use publicly available information and / or proprietary databases to obtain information about the fund management company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures.

Additionally, we may request business contact details for senior management of companies in other portfolios as part of the process to obtain references about prospective Fund Managers, and the other Limited Partners in the round.

We also collect information in respect of gender and diversity of our fund managers and investee companies.

We will continue to process information throughout our relationship with the fund manager.

In respect of LSIP, BPC may enter into arrangements with third-party investors in respect of collaborating jointly on potential investments under the Programme. Any such collaboration on specific investment proposals would be subject to agreement of the applicant fund manager.

Art. 6(1)(e) public task to achieve our objectives

Art. 6(1)(c) legal obligation to protect public money under the Anti-Money Laundering Regulations

Processing diversity information under
Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment

BPC Direct (Co-Investments and Future Fund: Breakthrough)

Under BPC’s co-investment programme, we will process Personal Data about your fund management company and investee company , which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth, of you and key personnel within your fund management company and investee company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest).

Under FF:B, we will process Personal Data about the Sponsor investor and investee company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth, of you and key personnel within your company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest).

As part of due diligence, we will use publicly available information and / or proprietary databases to obtain information about the company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures. Additionally, we will request business contact details for the other investors in the round.

Following the completion of the investment, we shall continue to process information throughout the relationship.

We also collect information in respect of gender and diversity of investee companies, and the sponsor investor.

Art. 6(1)(e) public task to achieve our objectives

Art. 6(1)(c) processing under legal obligation to protect public money under the Anti-Money Laundering Regulations

Processing diversity information under
Art. 9(2)(g) substantial public interest and Data Protection Act 2018 Schedule 1(8) equality of opportunity or treatment.

c. Personal Data we process in our general business activity.

No.	Purpose	Personal Data Processed	Lawful Basis
1	Business Improvements	We may process Personal Data as part of our work to develop, test, improve and evaluate our systems and processes. The Personal Data processed will vary according to the specific activity, but will always be the minimum necessary.	Art. 6(1)(c) processing under legal obligation Art. 6(1)(e) public task
2	Business Management & Operations	We process Personal Data every day to deliver our services, which includes complying with our policies; communicating with colleagues and stakeholders, managing our employees, contractors and suppliers; carrying out our legal, financial and regulatory duties, as well as our governance, risk management and audit functions. The Personal Data processed will vary according to the specific activity, but will be the minimum necessary.	Art. 6(1)(c) legal obligation Art. 6(1)(e) public task
3	Cookies and website	The BPC website is part of the British Business Bank website. Data is collected when you visit our web pages, which may include, amongst other things; traffic data and communication data, for the purpose of improving our website performance, system administration and to evaluate use of our websites. We use cookies and similar technologies to distinguish you from other users of these sites. Further information about the cookies used is available in our Cookie Policy.	Art. 6(1)(a) consent for the cookies that are not strictly necessary
4	Market Research	We may commission market research to better understand the finance markets or how our programmes have been received or how we can deliver services to smaller businesses or the different segments of the market, for example looking at equality. We may commission a provider to carry out surveys or consultations on our behalf who will then provide us with aggregated anonymous results. On some occasions, we may be required to give the provider Personal Data to enable the initial contact to be made to determine if you are willing to take part in the survey or consultation.	Art. 6(1)(f) legitimate interests

3. Automated decision making

3.1

We do not currently make any automated decisions about you. However it is possible automated decisions or profiling do occur with cookie and other similar technology that are enabled our websites. If you believe you have been subject to automated decision making or profiling, you have the right to contact us and ask for a manual review (please see our contact details in Section 11).

4. How we safeguard Personal Data

4.1

We will keep Personal Data secure by taking appropriate technical and organisational measures to protect it against unauthorised or unlawful processing, loss, destruction, or damage.

4.2

BPC’s employees are required to follow all applicable laws and regulations, including in relation to data protection laws. Access to Special Category Data (sensitive Personal Data) is limited to those who need to it to perform their roles. Unauthorised use or disclosure of Personal Data is prohibited and may result in disciplinary measures.

5. How long we keep Personal Data

5.1

We keep Personal Data for as long as necessary for the purpose for which it is processed. We typically keep information for a minimum of seven years from the last action or end of business relationship, for example when an investment ceases, file closure, contract end, etc.

6. Where we transfer Personal Data to

6.1

Personal data is predominantly stored in the UK or the European Union; however, where we process Personal Data elsewhere, we shall ensure it is protected and transferred in a manner consistent with legal requirements and in accordance with adequacy agreements and / or appropriate safeguards (i.e., International Data Transfer Agreements).

7. Sharing Personal Data

7.1

We rely on the British Business Bank plc to fulfil some of our core activities, so Personal Data is shared within BBB and its subsidiaries for the purposes described above.

7.2

We may share your Personal Data with Government departments, public-sector bodies, and other associated Partner organisations for the purpose of scheme administration, market analysis, research and data analysis and analytics, for example including, but not limited to: HMRC, DBAT, Cabinet Office, HM Treasury, UK Finance, Financial Conduct Authority, Prudential Regulation Authority, NATIS, National Crime Agency, Bank of England, Office of National Statistics.

7.3

We may also share Personal Data if we are required or permitted to do so by applicable law, regulation or legal process, for example including (but not limited to) HMRC for payroll or tax purposes; Financial Conduct Authority, Financial Ombudsman Service, Information Commissioner’s Office as independent Regulators; Health and Safety Executive to report health and safety matters; with the UK Government and / or the European Commission to comply with the UK’s international subsidiary reporting requirements and / or State aid laws.

7.4

We may also share Personal Data to help prevent or detect crime (including data analytics) or apprehend or prosecute offenders; to prevent physical harm or financial loss to us, or one of our subsidiaries, colleagues, or stakeholders; to establish, exercise or defend our legal rights; in connection with an investigation of suspected or actual fraud, illegal activity, or any security matters.

7.5

Where we contract any part of our business operations or functions that involve the processing of Personal Data, we have contractual clauses to ensure the Personal Data is processed in accordance with data protection requirements. Our contracted providers include (but are not limited to) IT and communication providers; market research; data analysis; accountants; auditors; etc. A list of our key contracted providers is available on Contracts Finder.

8. Marketing

8.1

We may use your Personal Data to provide you with marketing information that you request or that we consider may interest you, by post, email and/or telephone (including SMS) as follows:

If you are an existing customer or have taken steps to become a customer by using the Websites or contacting us, we may contact you by post, email and/or telephone (including SMS) with information about products and services which are similar to those we previously provided to you, unless, at the time we collect your contact information, you have indicated that you do not want to receive marketing information; or
If you are a new customer, we may contact you by post, email and/or telephone (including SMS) if you have consented to receiving such information.

8.2

We do not buy or sell Personal Data for marketing purposes.

8.3

We operate an integrated communications programme, which means we use your Personal Data to communicate with you through several different channels, including direct mail and email. Our aim is to keep you up to date with information you have expressed an interest in.

8.4

If you no longer wish to receive marketing communications from us, you can ‘opt out’ of them at any time and can do so by contacting us (see Section 11) or where IT allows, to unsubscribe.

9. Confidential information

9.1

We are a public body and subject to the Freedom of Information Act 2000 (FOIA). The FOIA provides people the right to request access to recorded information and we are obliged to disclose the information unless an FOIA exemption applies. Section 40 of the FOIA provides an exemption to the disclosure of personal data and, although it is not absolute, the exemption applies where the disclosure would contravene data protection.

9.2

Under the FOIA, we are only permitted to protect information that is actually confidential in law and where, if we were to disclose it, we could be sued for breach of confidence. Information you give us which you may consider confidential, or may mark as confidential, may in fact not be confidential in law. However, in respect of any information we receive from you that is truly confidential, we will take steps to ensure it remains confidential.

10. Data subject rights

10.1

Data protection provides rights to data subjects; these rights are listed below, and you can exercise them by contacting us using the details in Section 11.

Consent – If we are processing your Personal Data on the basis of consent, for example you have subscribed to our mailing list, you have the right to withdraw your consent at any time and expect us to carry out your wishes promptly.
The right of access – The right to request access to the Personal Data we hold about you, subject to exceptions.
The right to object – Where you have actively provided your consent for us to process your Personal Data, the right to withdraw your consent at any time, for example to be removed from our marketing lists. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason (other than consent) for doing so.
The right of data portability – In some circumstances, the right to receive some Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit such data to a third party where this is feasible. Please note that this right only applies to Personal Data which you have provided to us.
The right to rectification – The right to correct any errors in Personal Data we hold about you, and to change or correct any details you have already given us. It is important that any contact data you provide is kept accurate and up to date so that we can contact you should we need to.
The right to erasure – The right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data where we are legally entitled to retain it.
The right to restrict processing – The right to request that we restrict our processing of your Personal Data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your Personal Data where we are legally entitled to refuse that request.
Automated decision making and profiling – The right to know what automated decisions are made about you and the reasons why and to ask for a manual review of that decision if it affects your legal rights or other equally important matters. The right to object to profiling in certain situations, for example direct marketing.

10.2

Data protection rights are not always absolute and where we cannot fulfil the request, we will explain why. For general information about data protection rights, see the Information Commissioner’s website at ico.org.uk/your-data-matters.

11. Contacting us

11.1

If you have any questions or comments regarding how we handle your Personal Data, you can contact us or our Data Protection Officer at: DataProtection@british-business-bank.co.uk or write to the British Business Bank, Steel City House, West Street, Sheffield, S1 2GQ.

11.2

If, after speaking to us regarding any of the ways we use your Personal Data, you wish to make a complaint, you can do so by contacting the Information Commissioner’s Office: www.ico.org.uk or telephone 0303 123 1113.