1. Who are we?
GBB is the trading name of The Model T Finance. Our data protection registration is ZA503192, which is renewed annually.
The Model T Finance Company Limited is the data controller and has overall responsibility for your personal data (collectively referred to as “Model T”, “we”, “us” or “our” in this Privacy Notice).
We have appointed a data protection officer, DPO, who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your information rights, please contact our DPO using the details set out below.
Postal address: Data Protection Officer,
2. Purpose of this Privacy Notice
We respect an individual’s right to privacy and to the protection of their personal data. The purpose of this privacy notice is to explain how we collect and use personal data in connection with our business.
Personal data means any information about a living individual, who can be identified from that information, either directly or indirectly, e.g., when combined with other data.
This website is not intended for children as we will not be offering our services to anyone under 18 years of age.
3. What personal data do we collect about you?
We process your personal data in order for us to engage with you, the personal data processed will be dependent on the product you enquire about or apply for. We also have a legal obligation to prevent fraud and money laundering. We may therefore, collect, use, store and share the following personal data:
Where we need to collect personal data by law, due to the terms of a contract we have or are entering into with you, and you fail to provide that data when requested, we may not be able to perform the conditions of the contract. In this case, we may have to cancel the product or service you have with us. We will notify you if this is the case.
We also collect, use, and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature.
4. How is your personal data collected?
We use different methods to collect data from and about you, these being:
You may give us your identity and contact details by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
Automated technologies or interactions:
Third parties or publicly available sources:
We may receive personal data about you from various third parties and public sources as set out below:
5. How will we use your personal data?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
6. For what purpose do we use your personal data?
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which legal basis we rely on. We have also identified what our legitimate interests are where appropriate.
We may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. Please contact our data protection officer DPO@thegbb.co.uk if you need further information on the legal basis for processing your personal data.
|Purpose/Activity||Type of data||Lawful basis for processing your data|
|To register you as customer of our services||
|Processing data relating, including sharing, which may identify criminal activity in order to stop and detect crime, to obey laws relating to money laundering, fraud, and terrorist financing.||
|To manage our relationship with you which will include but is not limited to:
|To enable you to complete a survey||
|To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||
|To deliver relevant website content to you||
|To use data analytics to improve our website, services, marketing, investor relationships and experiences||
|To make suggestions and recommendations to you about services that may be of interest to you||
7. Change in purpose?
We will only use your personal data for the purpose(s) for which we collect it, unless we reasonably consider that we need to use it for another reason, and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us on DPO@thegbb.co.uk.
If we need to use your personal data for an unrelated purpose, where possible we will notify you to explain the legal basis which allows us to do so. However, we can process your personal data without your knowledge or consent, where it is permitted by law.
8. Will we share your personal data?
We may need to share some or all your data with third parties, however this will only be to the following third parties and under the following circumstances:
Law enforcement and other external parties:
Credit reference agencies:
Credit reference agencies (CRAs) give lenders information about borrowers to help them make responsible lending decisions. Banks share details about their customers to help CRAs maintain up-to-date information about people’s financial status.
When you sign up and for as long as you’re a customer, we’ll exchange details about you with CRAs. This includes:
Fraud prevention services
When you apply for an account the personal information, we collected from you will be shared with fraud prevention agencies, like Cifas, who will use it to verify your identity. If you are seeking to use our lending services, fraud prevent agencies will also use your data to prevent fraud and money laundering. Further details of how your information will be used by fraud prevention agencies, can be found at Fair Processing Notices for Cifas’ Databases | Cifas
Once you have opened an account with us, we may process your personal information in systems that look for fraud by studying patterns in the data. This may indicate that there is a risk that fraud or money-laundering may be occurring against a customer or the bank. If we or a fraud prevention agency notice that an account is being used for fraud or money laundering, we may stop activity on your account or block access.
Third parties working on behalf of GBB:
We will share your data with third parties who are acting on our behalf and are referred to as data processors i.e., contractors (including sub-contractors). Some of our data processors are based outside of the UK however they are all within the European Economic Area, EEA. We do not allow our data processors (including sub processors) to use your personal data for their own purposes, they are only permitted to process your personal data for a specified purpose(s) and in accordance with our instructions.
Your personal data may also be shared with professional advisers acting as data processors or joint controllers, these include lawyers, bankers, auditors, and insurers based within the UK and the EEA.
9. How do we store and transfer your personal data?
We will process and store your personal data on servers managed by our hosting providers, who we refer to as data processors.
The hosting servers are cloud based with some being hosted outside the UK, but within the EEA. We will only allow your personal data to be hosted by our data processors if we are assured that they will protect your data as we do and in accordance with the applicable law, i.e., Data Protection Act 2018 and the General Data Protection Regulation, GDPR.
GBB will not transfer your personal data outside the EEA, however fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your data continues to be protected by ensuring appropriate safeguards are in place. Cifas has published more information about data transfers.
10. Automated decision making
Automated decision-making is the process of making a decision by solely automated means i.e., without any human involvement.
We may complete automated decision making when you request to open a savings account with us. This will be done by gathering information from you and third parties i.e fraud prevention agencies, which is then used to complete identity verification and anti-fraud checks. However, if we believe the checks, we have completed may lead to us refusing you a savings account then we will have a member of staff review the information gathered and make the decision on your application.
GBB do not complete automated decision making on applications for lending.
11. Consequences of processing
If when completing background checks, we or a fraud prevention agency detect fraud or decide that you pose an unacceptable level of fraud or money-laundering risk, you may be refused our services and it could also result in other organisations refusing to provide you their services, financing, or employment. Further details of how your information will be used by fraud prevention agencies, and your data protection rights, can be found by Fair Processing Notices for Cifas’ Databases | Cifas
Those checks which help us identify fraud or money laundering include but are not limited to.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, who can hold your information for different periods of time. If you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
We strive to provide you with choices regarding the use of some of your personal data. Particularly around marketing and advertising.
We may use your identity, contact, technical usage, and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products and services may be relevant for your circumstances; we call this marketing.
You will receive marketing communications from us if you have requested information from us or invested with us. You can “opt out” of receiving marketing material at any time by contacting us at DPO@thegbb.co.uk.
We do not participate in third-party marketing and will therefore never share your personal data with any company outside of The Model T Finance. However, if we do decide to participate in third-party marketing in the future, we will seek your “consent” before sharing your personal data for this purpose.
How long do we keep your information for?
We will not retain your personal data for longer than is necessary for the purpose described in this privacy notice.
Regulatory requirements dictate that we should keep your personal data for seven years following the closure of your account, however in certain circumstances we may have to store your data for a longer period.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes. We may therefore use this information indefinitely without further notice to you.
If we, or a fraud prevention agency believe that you pose a fraud or money laundering risk not only may we refuse to provide our services or products but a record of any fraud or money laundering risk may also be retained by the fraud prevention agencies and could result in other financial companies refusing to provide you with their services and products.
13. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business “need to know”. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
14. Your legal rights in relation to your personal data
The Data Protection Act 2018 and the UK General Data Protection Regulation, GDPR, provides a number of rights for individuals over their personal data. These being:
Right to be informed – This places an obligation on us as a data controller to tell you how we obtain your personal data and describe how we will use, retain, store, and share it with. We have written this Privacy Notice to explain how we will process your personal data and advise you what your rights are under data protection law.
Right of access – This is commonly known as subject access and is the right which allows you access to your personal data and to supplementary information. This right is subject to certain restrictions.
Right to rectification – You have the right to have your personal data rectified if it is inaccurate or incomplete.
Right to erasure – The right to erasure is also known as the “the right to be forgotten”. This right enables you to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Right to restrict processing – You have the right to request your personal data be “blocked” or suppressed. When processing is restricted, organisations are permitted to store personal data but not to further process it.
Right to data portability – This allows you to obtain and reuse your personal data for your own purposes across different services.
Right to object – You have the right to object to the processing of your personal data under certain circumstances, these being:
Rights relating to fully automated decision making – Fully automated individual decision making, is a decision made by automated means without any human involvement.
Individuals have the right not to be subject to automated decision making if to do so would impact on their rights or freedoms unless it is based on one of the following criteria:
In all cases you have the right to request a human review of any fully automated decision.
15. Making an information rights request
If you wish to exercise any of the rights set out above, please contact us via DPO@thegbb.co.uk.
Please provide us with as much information as you can this will help us process your request as quickly as possible. We may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
You will not normally be required to pay a fee to access your personal data, or to exercise any of your other information rights, however we may charge a reasonable fee if your request is considered as manifestly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We will advise you as soon as possible if this is the case and explain our reason why.
We will provide you with an outcome to your request within one calendar month. In certain circumstances we can extend the time period to respond to your request by a further two calendar months. This will be when the request is complex, or we have received a number of requests from you. We will inform you as soon as possible if we are extending the time limit and provide an explanation why.
16. Lawful basis explained
|“Legitimate Interest”||Means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.|
|Performance of “Contract”||Means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.|
|Comply with a “legal or regulatory obligation”||Means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.|
17. Changes to the privacy notice and your duty to inform us of changes
We may update our privacy notice from time to time, the updated privacy notice will be published on our website. It is important that you visit our website regularly to stay informed as to how we process your personal data and to understand your information rights under the Data Protection Act 2018 and the UK General Data Protection Regulation, GDPR.
It is also important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
18. Information Commissioner
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk or call them on 0303 123 1113). However, we would appreciate the opportunity to deal with your concerns before you approach the ICO. Please contact our data protection officer on DPO@thegbb.co.uk in the first instance.
This version of our privacy notice was last updated August 2021.