Our privacy notice explains how and why we use your personal data.
Our privacy notice informs you of what to expect when the Financial Conduct Authority (FCA) collects information about individuals (which we will call ‘personal data’ in this privacy notice). The FCA is the controller responsible for the processing of your personal data.
To help you understand how we use personal data across the FCA, in this privacy notice we explain core activities that we undertake and how we may use the personal data that we collect to carry out these activities. We also provide information about your rights and how to contact us if you have any questions.
The FCA may at times process personal data as a joint controller (such as, under section 166 of FSMA, where we make joint decisions around processing personal data with Skilled Persons or with the Prudential Regulation Authority (PRA)) or as a separate controller (where we share personal data) with other authorities (such as the PRA).
In most cases, individuals can still exercise their rights in relation to the personal data we process as set out below. Where we will allocate responsibilities between the controllers and we will, if necessary, notify or redirect individuals to other authority or controller, in relation to exercising their individual rights.
To learn more about our use of personal data in different aspects of our work, please use the below links:
our whistleblowers page explains how we handle information provided by whistleblowers to learn how we handle personal data for job applications, read our Recruitment Privacy notice if we feature a film on our website that includes footage that has been filmed in a public place, we make sure that the footage only captures people in the background and that they are not identifiable. For all other forms of video, we obtain express permission from everyone who appears in our films which includes people participating in FCA research, vox pop interviews, conferences and webinars.
The Financial Services Register is a public record that shows details of firms and individuals which are, or have been, regulated or approved by us and/or the PRA. It also includes information about firms that were regulated by the Financial Services Authority (the predecessor organisation to the FCA) but ceased to be regulated before April 2013.
The majority of the information on the Register is about the firm’s business, such as what it does and how it can be contacted, but some personal data about the firm’s employees and former employees who are or were required to be approved by us (or the PRA) is also included (these are called Approved Persons).
The Register now also features data about individuals carrying out specific roles in UK financial services, including certain roles we do not approve such as financial advisers, traders and portfolio managers. It also includes additional directors who are not performing Senior Management Functions (SMFs) – both executive and non-executive. For further information read our Policy Statement (PS19/7).
We are required by law to make this information publicly available and extracts of the Register can be purchased for a fee.
We process this personal data under Article 6(1)(e) of the UK GDPR (it is necessary for the performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018.
Independent investigations and reviews consider the FCA’s actions, policies and approach during the conduct and discharge of our regulatory responsibilities. These investigations and reviews are often undertaken by appointed individuals, independent of the FCA. These can be conducted as a result of a direction from HM Treasury under section 73 or 77 of the Financial Services Act 2012, or commissioned on the FCA’s own initiative. HM Treasury also has powers to arrange independent inquiries. We set out to be as open and accountable as possible and further information can be found on our transparency pages.
Where it is appropriate to do so, we may share personal data as part of these investigations with any appointed independent reviewer and professional advisors. This personal data may originate from public sources as well as information we have collected in the discharge of our other functions, such as complaints handling and the supervision of regulated firms and individuals. When the independent investigation or review has been completed, we may also publish part or all of that report, which may contain personal data related to certain individuals. Where the report has been produced as a result of a direction by HM Treasury under the Financial Services Act, the FCA will provide the report (which may include personal data) to HM Treasury. HM Treasury will publish the report. Such personal data may include names, references to employment positions held, actions taken by and communications with such individuals.
For the independent investigation into the regulation by the FCA of London Capital & Finance Plc, HM Treasury and the FCA have determined that – for the purpose of providing the report to HM Treasury – they are joint controllers of any personal data contained in the report, and that (amongst other things) the FCA is responsible for complying with requests from data subjects (including subject access requests). A Protocol has been agreed for these purposes.
We process this personal data under Article 6(1)(e) of the UK GDPR (it is necessary for the performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018. In the case of reports commissioned on the FCA’s own initiative, the FCA publishes the report using its guidance power in section 139A FSMA. Where the report is commissioned as a result of a direction by HM Treasury under the Financial Services Act, the FCA is under an obligation to provide a report to HM Treasury under section 79 of that Act.
To the extent that we use any special categories of personal data, we do so under Article 9(2)(g) of the UK GDPR (it is necessary for reasons of substantial public interest) and Section 10(3) of the DPA 2018, in that it meets a condition in Part 2 of Schedule 1 of the DPA 2018 and we have an appropriate policy document covering this processing.
Where the processing of personal data requires a transfer to other countries outside the UK (to the EU and outside the European Economic Area 'EEA'), we will ensure that necessary safeguarding and protections are in place as set out by the UK GDPR and guidance issued by the Information Commissioner’s Office, such as checking the applicable adequacy regulations and implementing robust contractual and security safeguards with third-party providers.
Our retention policy sets out how long we hold all information, including any personal data used for each of the areas mentioned in this privacy notice.
Under the DPA 2018 and the UK GDPR, you have rights as an individual which you can exercise in relation to the personal data we hold about you. For example, you can exercise your right to:
If you wish to find out what personal data, if any, we hold about you or if you wish to exercise any of your other privacy rights, you can contact our Information Disclosure Team. To enable us to process your request as quickly as possible, we will need you to provide us with some information about yourself. You may find it helpful to complete our individual rights request form.
If we do hold information about you we will:
If you notice any mistakes in the information that we hold about you, you can ask us to correct those mistakes. You can also ask us to stop holding or using information about you, which we will do unless we have genuine and lawful reasons for continuing to hold or use it.
As a public authority, and a regulator who exercises functions of a public nature or in the public interest, we are entitled to rely on certain exemptions set out in the DPA 2018 which may have an impact on any rights request that you may make to us. If this is the case, we will clearly explain what the exemption is, why it applies and what impact it may have on your rights request. Also, if we are processing personal data for a law enforcement purpose, we may withhold information from you if we believe that doing so is necessary to avoid prejudicing the detection and investigation of criminal offences.
If you are interested in learning more about your privacy rights, you can find more information on the ICO website.
This privacy notice covers all the main ways that we use the various types of personal data we may hold about you, to make sure that we are as transparent as possible and to avoid using your information in a way that would surprise you.
If you feel that we have missed anything that you would like to know, or you have any particular questions about our privacy policy, you can email us or write to: Information Disclosure Team, Financial Conduct Authority, 12 Endeavour Square, London, E20 1JN.
As a public authority we are required to appoint a Data Protection Officer (DPO) who oversees our internal data protection compliance, informs and advises us on our data protection obligations, advises us on our data protection impact assessment process and acts as our contact point with the Information Commissioner.
Please email our team if you would like to contact our DPO.