Privacy policy
We understand the importance of data security and privacy and are committed to protecting Personal Data in accordance with the Data Protection Act 2018 and UK General Data Protection Regulation.
This privacy notice aims to explain what Personal Data we process and why.
We will review this notice on a regular basis to keep it up to date.
Date last updated: 3 June 2021
- Who we are
- Why we process Personal Data
- Automated decision making
- How we safeguard Personal Data
- How long we keep Personal Data
- Where we transfer Personal Data to
- Sharing Personal Data
- Marketing
- Confidential Information
- Data subject rights under Data Protection Legislation
- Contacting us
1. Who we are
Personal Data
1.1
British Patient Capital (“BPC”) is the trading name of British Patient Capital Limited, a wholly owned commercial subsidiary of British Business Bank plc (“British Business Bank”), registered in England and Wales, registration number 11271076, registered office at Steel City House, West Street, Sheffield S1 2GQ.
1.2
BPC is the controller for the Personal Data it processes and is registered with the Information Commissioner’s Office (reference no. ZA525068). BPC relies on the British Business Bank to provide core support services such as Finance, HR, IT, Legal, Procurement, Risk and Compliance, and Internal Audit.
1.3
BPC manages an investment portfolio designed to support UK companies with high growth potential to access the long-term financing they need to scale up. It invests in a diversified portfolio of best-in-class venture and growth capital funds, capturing value through financing the growth of innovative companies. Through its long-term co-investment strategy, BPC also invests directly, alongside its fund managers, in the most promising later- stage companies in its underlying portfolio. BPC has also launched Future Fund: Breakthrough (“FF:B”), a new £375m UK-wide scheme which encourages private investors to co-invest with BPC in high -growth innovative firms.
1.4
BPC (nor any part of the British Business Bank’s Group) is not a banking institution and does not operate as such and is not authorised or regulated by the PRA or FCA. A complete legal structure chart for the British Business Bank’s Group is available here: Corporate information and subsidiary companies – British Business Bank (british-business-bank.co.uk).
1.5
For the purposes of this privacy notice, the terms:
“BEIS” means the Department for Business, Energy and Industrial Strategy.
“Customers” means the individuals who contact us, for example, to make requests for information, sign up to our mailing list, or to make a complaint. We are not a banking institution and do not have account customers.
“Personal Data” means any data which relates to a living individual who can be identified from that data or from other information which is in the possession of, or is likely to come into the possession of, BPC (or its representatives, service providers). In addition to factual information, it includes any expression of opinion about an individual and any indication of the intentions of BPC or any other person in respect of an individual.
2. Why we process Personal Data
2.1
BPC invests in venture and growth capital, capturing value through financing the growth of innovative companies. We focus on investing in both fixed term and evergreen funds and will consider co-investment alongside our portfolio funds. We only invest in commercially viable funds. Our role is to enable the best fund managers to effectively execute their planned investment strategy. We achieve that through anchoring, enabling first close, or boosting a fund to achieve optimal size. Through its long-term co-investment strategy, BPC also invests directly, alongside its fund managers, in the most promising later-stage companies in its underlying portfolio. BPC has also launched Future Fund: Breakthrough, a new £375m UK-wide scheme which encourages private investors to co-invest with BPC in high-growth innovative firms.
2.2
To do this, we process Personal Data that you may provide to us directly or which we collect from third parties or from our websites.
2a. Information you may provide to us and which we may collect for or through our programmes
| No. | Purpose | Personal Data Processed | Lawful Basis |
|---|---|---|---|
| 1 | Applying for a job or secondment, internship or being engaged as a contractor | We need your name, address, employment history, and whether you currently have the right to work in the UK or if you would require sponsorship in order to obtain that right.
Background checks are completed for all candidates that receive an offer of employment. We use employment agencies to carry out these checks on our behalf, which include Disclosure and Barring Service (DBS) checks, credit checks, employment references, proof of address, and online presence and social media screening. For some roles, for example: Non-Executive Directors and Executive Committee members, we also complete a directorship check. If you become an employee, our employee privacy notice will then apply. |
Article 6(1)(b) processing to take steps to entering into a contract
Article 9(2)(b) and the Data Protection Act Schedule 1, Part 1(1) for special category data relating to our employment obligations Article 6(1)(c) to comply with legal obligations of the Equality Act 2010 Article 6(1)(e) processing under public task, and Article 9(2)(g) with the Data Protection Act Schedule 1 part 2 paragraph 6(2)(a) for criminal offence information. |
| 2 | Make an enquiry or complaint | We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you. | Article 6(1)(e) processing under public task |
| 3 | Make an information request under the Freedom of Information Act, Environmental Information Regulations or data protection law | We need your name and contact details and details of the matter being raised, to be able to investigate and reply to you | Article 6(1)(c) legal obligation |
| 4 | Attending an event or workshop, collecting your business contact details | We may need your name, organisation and contact details to book your place or attendance.
When we organise or attend events, we may also collect your business card or contact details for the purpose of adding you to our contacts list, so that we can email you about future events or to send you marketing materials. We always try to tell you of our intention when we collect the information and you can unsubscribe at any time from any marketing (see Section 8). |
Article 6(1)(a) consent where the information you provide is optional
Article 6(1)(e) processing under public task to achieve our objectives |
| 5 | Responding to a survey or market research | We usually need your name and contact details, especially if you want us to share the results.
Depending on the market research, you may also choose to provide us with more information, for example your own experiences, opinions, gender, ethnicity, etc. |
Article 6(1)(a) consent where the information you provide is optional
Article 6(1)(e) processing under public task to achieve our objectives Article 9(2)(a) consent where special category data is provided, e.g. gender, ethnicity, health, etc. |
| 6 | Subscribing to a mail newsletter | We usually need your name and email address. Your information will be added to a database or contacts lists, so that you will receive the newsletters.
You can unsubscribe at any time from any marketing (see Section 8). |
Article 6(1)(a) consent where the information you provide is optional |
| 7 | Fund Managers applying for investment from BPC | When applying for investment from BPC, you may provide personal data when you express an interest (name, contact details, proposal). If you proceed to the formal proposal and due diligence stages, we will also need to process information about your fund and fund management company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth of you and key personnel within your fund management company (e.g. partners, lead contacts, directors, shareholders, and individuals with a controlling interest).
As part of due diligence, we will use publicly available information and / or proprietary databases to obtain information about the fund management company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures.
We also collect information in respect of gender and diversity of our Fund Managers and investee companies.
We will continue to process information throughout our relationship with the fund manager. |
Article 6(1)(e) processing under public task // Article 6(1)(b) entering into, or performing, a contract
Article 6(1)(c) processing under legal obligation to protect public money under the Anti-Money Laundering Regulations Processing diversity information under
|
| 8 | BPC Direct Co-Investments | Under BPC’s co-investment programme, we will process Personal Data about your fund management company and investee company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth, of you and key personnel within your fund management company and investee company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest).
Under FF:B, we will process Personal Data about the lead investor and investee company, which depending on the nature of the interaction, may require you to provide names, addresses, contact details, proof of identity, biographies, signatures, financial details, source of funds and wealth, of you and key personnel within your company (e.g. lead contacts, directors, shareholders, and individuals with a controlling interest). As part of due diligence, we will use publicly available information and / or proprietary databases to obtain information about the company and its key personnel (Directors, beneficial owners, etc.) to verify identities and check for sanctions as part of our counter-fraud, counter terrorism and anti-money laundering measures. We also collect information in respect of gender and diversity of investee companies. Following the completion of the investment, we shall continue to process information throughout the relationship. |
Article 6(1)(e) processing under public task // Article 6(1)(b) entering into, or performing, a contract
Article 6(1)(c) processing under legal obligation to protect public money under the Anti-Money Laundering Regulations Processing diversity information under
|
| 9 | Providing details for case studies | We need your name and contact details to develop the case study about your/your company’s experience. | Article 6(1)(a) consent |
2b. General Business Activities
| No. | Purpose | Personal Data Processed | Lawful Basis |
|---|---|---|---|
| 1 | Business Improvements | We may process Personal Data as part of our work to develop, test, improve and evaluate our systems and processes.
The Personal Data processed will vary according to the specific activity, but will always be the minimum necessary. |
Article 6(1)(c) processing under legal obligation
Article 6(1)(e) processing under public task |
| 2 | Business Management & Operations | We process Personal Data every day to deliver our services, which includes complying with our policies; communicating with colleagues and stakeholders, managing our employees, contractors and suppliers; carrying out our legal, financial and regulatory duties, as well as our governance, risk management and audit functions.
The Personal Data processed will vary according to the specific activity, but will be the minimum necessary. |
Article 6(1)(c) processing under legal obligation
Article 6(1)(e) processing under public task |
| 3 | Cookies and website | The BPC website is part of the British Business Bank website.
Data is collected when you visit our web pages, which may include, amongst other things; traffic data and communication data, for the purpose of improving our website performance, system administration and to evaluate use of our websites. We use cookies and similar technologies to distinguish you from other users of these sites. Further information about the cookies used is available in our Cookie Policy. |
Article 6(1)(a) consent for the cookies that are not strictly necessary |
| 4 | Market Research | We may commission market research to better understand the finance markets or how our programmes have been received or how we can deliver services to smaller businesses or the different segments of the market, for example looking at equality.
We may commission a provider to carry out surveys or consultations on our behalf who will then provide us with aggregated anonymous results. On some occasions, we may be required to give the provider Personal Data to enable the initial contact to be made to determine if you are willing to take part in the survey or consultation. |
Article 6(1)(f) processing is in our legitimate interests |
3. Automated decision making
3.1
We do not currently make any automated decisions about you. However it is possible automated decisions or profiling do occur with cookie and other similar technology that are enabled our websites. If you believe you have been subject to automated decision making or profiling, you have the right to contact us and ask for a manual review (please see our contact details in Section 11).
4. How we safeguard Personal Data
4.1
We will keep Personal Data secure by taking appropriate technical and organisational measures to protect it against unauthorised or unlawful processing, loss, destruction, or damage.
4.2
We have extensive controls in place to maintain the security of our information and information systems, which include encryption, information classification, anonymisation, and pseudonymisation. Client files are protected with safeguards according to the sensitivity of the relevant information and access controls are placed on our computer systems. Physical access to areas where Personal Data is gathered, processed, or stored is limited to authorised employees.
4.3
BPC’s employees are required to follow all applicable laws and regulations, including in relation to data protection laws. Access to Special Category Data (sensitive Personal Data) is limited to those who need to it to perform their roles. Unauthorised use or disclosure of Personal Data is prohibited and may result in disciplinary measures.
4.4
When you contact us about a matter, you may be asked for some Personal Data, to help us verify your identity and entitlement to the Personal Data we hold.
5. How long we keep Personal Data
5.1
We keep Personal Data for as long as necessary for the purpose for which it is processed. We typically keep information for a minimum of six years from the last action, for example when an investment ceases, file closure, contract end, etc.
6. Where we transfer Personal Data to
6.1
We do not routinely transfer Personal Data to, or store it, outside the European Economic Area (“EEA”).
6.2
If we do transfer Personal Data outside of the EEA, we shall ensure that it is protected and transferred in a manner consistent with legal requirements and in accordance with adequacy agreements and / or additional safeguards (i.e. contractual clauses).
7. Sharing Personal Data
7.1
We may share your Personal Data within the British Business Bank and its subsidiaries for the purposes described above.
7.2
We may share your Personal Data with Government departments, public-sector bodies and other associated Partner organisations for the purpose of scheme administration, market analysis, research and data analysis and analytics, for example including, but not limited to: HMRC, BEIS, Cabinet Office, HM Treasury, UK Finance, Financial Conduct Authority, Prudential Regulation Authority, NATIS, National Crime Agency, Bank of England, Office of National Statistics.
7.3
We may also share Personal Data if we are required or permitted to do so by applicable law, regulation or legal process, for example including (but not limited to) HMRC for payroll or tax purposes; Financial Conduct Authority, Financial Ombudsman Service, Information Commissioner’s Office as independent Regulators; Health and Safety Executive to report health and safety matters; with the UK Government and / or the European Commission to comply with the UK’s international subsidiary reporting requirements and / or State aid laws.
7.4
We may also share Personal Data to help prevent or detect crime (including data analytics) or apprehend or prosecute offenders; to prevent physical harm or financial loss to us, or one of our subsidiaries, colleagues or stakeholders; to establish, exercise or defend our legal rights; in connection with an investigation of suspected or actual fraud, illegal activity, or any security matters.
7.5
Where we contract any part of our business operations or functions that involve the processing of Personal Data, we have contractual clauses to ensure the Personal Data is processed in accordance with data protection requirements. Our contracted providers include (but are not limited to) IT and communication providers; market research; data analysis; accountants; auditors; etc. A list of our key contracted providers is available on Contracts Finder.
8. Marketing
8.1
We may use your Personal Data to provide you with marketing information that you request or that we consider may interest you, by post, email and/or telephone (including SMS) as follows:
- If you are an existing customer or have taken steps to become a customer by using the Websites or contacting us, we may contact you by post, email and/or telephone (including SMS) with information about products and services which are similar to those we previously provided to you, unless, at the time we collect your contact information, you have indicated that you do not want to receive marketing information; or
- If you are a new customer, we may contact you by post, email and/or telephone (including SMS) if you have consented to receiving such information.
8.2
We will not pass your Personal Data to third parties for their marketing purposes.
8.3
We operate an integrated communications programme, which means we use your Personal Data to communicate with you through several different channels; including direct mail and email. Our aim is to keep you up to date with information you have expressed an interest in.
8.4
If you no longer wish to receive marketing communications from us, you can ‘opt out’ of them at any time. You will be able to change your preferences by clicking on the relevant link at the bottom of any marketing emails you may receive. You may also ask us at any time not to use your Personal Data for marketing purposes by contacting us via the methods listed in the ‘How to contact us’ section below.
9. Confidential information
9.1
Under the Freedom of Information Act 2000, we are only permitted to protect information that is actually confidential in law and where, if we were to disclose it, we could be sued for breach of confidence.
9.2
Information you give us which you may consider confidential, or may mark as confidential, may in fact not be confidential in law. However, in respect of any information we receive from you that is truly confidential, we will take steps to ensure it remains confidential.
9.3
Unauthorised disclosure or misuse of confidential information by our employees may lead to disciplinary action.
10. Data subject rights under Data Protection Legislation
10.1
Data protection provides rights to data subjects; these rights are listed below and you can exercise them by contacting us using the details in Section 11.
Consent
If we are processing your Personal Data on the basis of consent, for example you have subscribed to our mailing list, you have the right to withdraw your consent at any time, and expect us to carry out your wishes promptly.
The right of access
The right to request access to the Personal Data we hold about you, subject to exceptions.
The right to object
Where you have actively provided your consent for us to process your Personal Data, the right to withdraw your consent at any time, for example to be removed from our marketing lists. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason (other than consent) for doing so.
The right of data portability
In some circumstances, the right to receive some Personal Data in a structured, commonly used and machine-readable format and/or request that we transmit such data to a third party where this is feasible. Please note that this right only applies to Personal Data which you have provided to us.
The right to rectification
The right to correct any errors in Personal Data we hold about you, and to change or correct any details you have already given us.
It is important that any contact data you provide is kept accurate and up to date so that we can contact you should we need to.
The right to erasure
The right to request that we erase your Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data where we are legally entitled to retain it.
The right to restrict processing
The right to request that we restrict our processing of your Personal Data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your Personal Data where we are legally entitled to refuse that request.
Automated decision making and profiling
The right to know what automated decisions are made about you and the reasons why and to ask for a manual review of that decision if it affects your legal rights or other equally important matters.
The right to object to profiling in certain situations, for example direct marketing.
For more information about your data rights, please see the Information Commissioner’s website at ico.org.uk/your-data-matters.
11. How to contact us
11.1
If you have any questions or comments regarding how we handle your Personal Data, you can contact us or our Data Protection Officer at:
BBB: DataProtection@british-business-bank.co.uk or write to the British Business Bank, Steel City House, West Street, Sheffield, S1 2GQ.
BBB Data Protection Officer: dpo@chaucer.com, Chaucer Group, Northern and Shell Building, 10 Lower Thames Street, London EC3R 6EN.
11.2
In the event that you would like to lodge a complaint relating to our use of your Personal Data you can do so by contacting the Information Commissioner’s Office:
Web: https://ico.org.uk/global/contact-us/
Email: casework@ico.org.uk
Phone: 0303 123 1113
