Privacy notice for mortgages

‘Rothesay’ is the trading name for Rothesay Life Plc, an insurance company established in the UK with company registration number 06127279 and ICO registration Z1003678. We are authorised in the UK by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Our registered office address is The Post Building, 100 Museum Street, London WC1A 1PB.

This privacy notice applies to all situations where we process personal data about any individual who has a mortgage over which Rothesay Life Plc has an economic interest.

We provide financing to lenders which they use to provide mortgages to homeowners like you. As a result, Rothesay will have an economic interest in your lender's mortgage agreement with you. Alternatively, lenders may choose to sell their economic interest in your mortgage to us in exchange for an agreed amount. Even though we do not provide a mortgage directly to you, we will process your personal data as a result of these arrangements to monitor performance of the loans in which we have an economic interest and check that you are not in breach of the terms of the mortgage.

We are a controller under data protection laws. This privacy notice explains how we use and look after your personal data. This privacy notice also tells you about your privacy rights and how the law protects you. 

This privacy notice contains information about:

• The personal data that we process as a controller
• Where the personal data has been obtained
• The reasons why we process your personal data and the lawful basis we use to do so
• The security measures that we have in place to keep your personal data secure
• The length of time we store your personal data for
• The organisations, or categories of organisation, with whom we might share your personal data
• International transfers of your personal data
• The rights you have under data protection laws in relation to our processing of your personal data

Please note that we may change this privacy notice from time to time.

To request a printed copy of this privacy notice please contact us using the contact details contained in the part of this privacy notice headed Contact details.

The categories of personal data we process include the following:

1. Homeowner's personal information: Personal data relating to the homeowner with a mortgage where we have a financial interest in the mortgage. Personal data in this category includes:

• Name
• Address
• Date of birth
• Marital status
• Gender

2. Mortgage information: Personal data relating to details of a homeowner’s mortgage and property. Personal data in this category includes:

• Property value
• Loan amount
• Joint/single loan
• Cash advance
• Loan to value ratio
• Additional information – if you are in breach of the terms of your mortgage, we will obtain more information about the reason for the breach from your lender in order to help determine what action to take

3. Sensitive personal data:This includes the processing of health data as part of an assessment to determine extenuating or exacerbating circumstances surrounding a breach of mortgage terms.

Personal data will usually be collected from your lender with whom you have signed a mortgage.

There will be instances where we collect personal data from other sources. This includes:

1. Tracing agencies and mortality screening companies

We engage tracing agencies to check whether we hold your correct address and status. The results of this tracing will be shared back with your lender.

2. Credit Reference Agencies

We may use credit referencing agencies to conduct due diligence activities before we provide financing to your lender. They may provide us with further personal data about you.

The table below provides details of the purpose and the lawful bases upon which we process personal data.

We may also process personal data including sensitive personal data to comply with other laws, regulations or criminal reporting requirements that we are subject to. This includes compliance with law enforcement agency procedures in connection with various investigations and compliance with any requirement to prevent or detect unlawful acts.

Our commitment to corporate security is demonstrated through the implementation of policies, controls and procedures, which are externally certified and audited to the international information security standard, ISO 27001:2013.

Our security policies, controls and procedures are regularly reviewed and updated so that we maintain good practices across our business to keep your information safe.

We have contractual arrangements in place with all of our service providers who process personal data which are compliant with data protection laws. We regularly check that our service providers are complying with their contractual commitments. This includes assessing and reporting on our service providers’ information security controls to check their compliance using questionnaires and/or on-site audits.

We will only keep your personal data for so long as we reasonably require it and, in any event, only for as long as our internal rules and polices allow us in order to fulfil our business or legal and regulatory obligations. This will usually be six years from the end of our interest in the relevant mortgage (for example, six years from the date of redemption of the mortgage).

We share personal data with a variety of other companies to operate our business. However, we only share the personal data where necessary to help us satisfy one or more of the reasons for processing set out above.

We have detailed the types of companies with whom we currently share personal data below. The companies fall into two categories.

Processors with whom we share personal data

For these companies, we determine the purposes for which the personal data we pass to them is processed and they should not process that personal data other than in accordance with our written instructions. Processors with whom we share personal data:

1. Tracing agencies

We use these companies in order to check whether you are alive and whether your current address is your place of residence. The results of this tracing check may be shared with your lender.

2.  Property related service providers

We engage a number of companies to provide services relevant to the mortgages we have funded, including property valuation companies, auditors and due diligence providers.

3. IT service providers

Our main IT infrastructure and core software is provided by Goldman Sachs Group, Inc.. This means that personal data we process is stored on Goldman Sachs’ IT systems.

4. Other service providers to our business

Other companies who process personal data on our behalf include those who provide day-to-day operational business services such as emails, archiving, document scanning and copying, document destruction and printing.

Controllers with whom we share personal data

For these companies, we do not determine the purposes for which the personal data we pass to them is processed once it is shared. To understand how the other controllers process your personal data , you should refer to their privacy notices. Controllers with whom we share personal data:

1. Lenders

As we hold an economic interest in your mortgage, your lender provides mortgaging services to us, which involves the processing of your personal data. For example, they collect payments that are due from you under the terms of your mortgage and pass them to us.

You can request a list of lenders to whom we have disclosed your personal data using the details contained in the part of this privacy notice headed Contact details.

2. Group entities

We will sometimes need to share personal data with entities within the Rothesay group of companies for administrative purposes and as part of our internal financing arrangements.

3. Other loan providers like us

If we decide to sell our interests in certain of our loans to another provider, we will give your personal data to the actual or proposed purchaser of the economic interest in your mortgage.

4. Professional advisers

We sometimes have to share personal data with our professional advisers (including accountants and lawyers) where it is required for the purposes of their advice.

5. Regulators, law enforcement and auditors

We will share personal data when requested by regulators, law enforcement agencies or other third parties to comply obligations imposed on us by laws and regulations.

Where personal data is transferred to and processed in a country outside of the UK or the EEA (as applicable), we take steps to provide appropriate safeguards to protect your personal data, including by entering into approved standard contractual clauses obliging recipients to protect your personal data and only transferring personal data to the extent that an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data is ensured in compliance with data protection laws.

If you want further information on the specific mechanisms used by us when transferring your personal data outside of the UK or EEA, please contact us using the details contained in the part of this privacy notice headed Contact details.

Under certain circumstances, you have the following rights under data protection law:

• The right of access to personal data relating to you (known as Subject Access Requests)
• The right to correct any mistakes in your personal data
• The right to require us to delete your personal data
• The right to restrict our processing of your personal data
• The right to object to us processing your personal data, including for marketing purposes
• The right to have your personal data provided to another controller

How to exercise your rights

If you wish to exercise any of your rights, please contact us using the details contained in the part of this privacy notice headed Contact details.

How to contact us regarding this privacy notice

You may want to contact us to:

• Ask any questions you have in relation to the information contained in this privacy notice
• Exercise any of your rights under the data protection laws
• Request a printed copy of this privacy notice printed in large print or braille
• Request an audio version of this privacy notice
• Make a complaint (see below)

To contact us you can email our Data Protection Officer (DPO) at dpo@rothesay.com or write to:

Data Protection Team, Rothesay Life Plc, The Post Building, 100 Museum Street, London WC1A 1PB

If you live within the European Union, you can also contact our European representative. Their details are as follows:

Address: Bird & Bird GDPR Representative Services SRL, Avenue Louise 235, 1050 Bruxelles, Belgium.

Or email: EUrepresentative.Rothesay@twobirds.com

How to make a complaint

If you have a problem or concern relating to the ways we process your personal data or the contents of this privacy notice, please contact us in the first instance.

We hope that we will be able to address the problem or concern to your satisfaction. However, you also have the right to make a complaint to the Information Commissioner’s Office. The process for making a complaint to the Information Commissioner’s Office is available here: 

www.ico.org.uk/make-a-complaint

Their contact details are as follows:

Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Or phone: 0303 123 1113

ico.org.uk