Privacy notice

Find out how and why we use your personal data, and how this applies in different aspects of our work.

This privacy notice outlines the FCA’s operational and core activities as a data controller, where we are responsible for the collection and use of personal data. It also provides details about your rights and information about contacting us.

In most cases, individuals can exercise their rights in relation to the personal data we process as set out below. We allocate responsibilities between the joint controllers and, if necessary, notify or redirect individuals to other controllers in relation to exercising their individual rights.

To learn more about how we use personal data in connection with our regulatory and operational activities, please visit the links below.

How we use your personal data

In addition to the uses of your personal data set out in our privacy notices (links above), as a data-led regulator, we may process your personal data using various analytical tools and advanced technologies, such as machine learning and artificial intelligence. This helps us to use our resources efficiently. This includes both internally developed tools and IT services provided by third parties through the cloud. We may also use your personal data in the development and testing of these tools.

The FCA may at times process personal data as a joint controller (such as, under section 166 of FSMA, where we make joint decisions around processing personal data with Skilled Persons or with the Prudential Regulation Authority (PRA)) or as a separate controller (where we share personal data) with other authorities (such as the PRA).

How we store or share your personal information

The FCA uses third-party suppliers for IT services, sharing personal data subject to contractual arrangements. These suppliers, as data processors, only act on our instructions outlined in contracts. When necessary, your personal information will be transferred outside the UK in compliance with the UK GDPR and Data Protection Act 2018.

International transfers of personal data

Where the processing of personal data requires a transfer to other countries outside the UK, we will ensure that the necessary safeguards and protections are in place as set out by the UK GDPR, the Data Protection Act 2018 and guidance issued by the Information Commissioner’s Office. These include checking the applicable adequacy regulations and implementing robust contractual and security safeguards with third-party recipients of personal data, in compliance with UK data protection law.

Data retention

Our retention policy sets out how long we hold all information, including any personal data used for each of the areas mentioned in this privacy notice.

Your rights

Under the DPA 2018 and the UK GDPR, you have rights you can exercise in relation to the personal data we hold about you. For example, you can exercise your right to:

  • request access to, and deletion or correction of, information about you
  • object to the way in which we use information about you
  • request that your personal data be transferred to another organisation
  • complain to the Information Commissioner’s Office if you are unhappy about the way we use information about you

Individual rights request form

If you wish to find out what personal data, if any, we hold about you or if you wish to exercise any of your other privacy rights, you can contact our Information Disclosure Team. To enable us to process your request as quickly as possible, we will need you to provide us with some information about yourself. You may find it helpful to complete our individual rights request form.

If we hold information about you

If we do hold information about you we will:

  • give you a description of it
  • tell you why we are holding it
  • tell you who it could be or has been disclosed to
  • tell you how long we intend to keep the information
  • tell you where we obtained the information (if not from you directly)
  • tell you if any significant automated decisions (those made by a computer and with no human intervention) have been made about you by us
  • let you have a copy of the information in an intelligible form

If you notice any mistakes in the information that we hold about you, you can ask us to correct those mistakes. You can also ask us to stop holding or using information about you, which we will do unless we have genuine and lawful reasons for continuing to hold or use it.

As a public authority, and a regulator who exercises functions of a public nature or in the public interest, we are entitled to rely on certain exemptions set out in the DPA 2018 which may have an impact on any rights request that you may make to us. If this is the case, we will clearly explain what the exemption is, why it applies and what impact it may have on your rights request. Also, if we are processing personal data for a law enforcement purpose, we may withhold information from you if we believe that doing so is necessary to avoid prejudicing the detection and investigation of criminal offences.

Find out more about your privacy rights

If you are interested in learning more about your privacy rights, you can find more information on the ICO website.

How to contact us

This privacy notice covers all the main ways that we use the various types of personal data we may hold about you, to make sure that we are as transparent as possible and to avoid using your information in a way that would surprise you.

If you feel that we have missed anything that you would like to know, or you have any particular questions about our privacy policy, you can email us or write to: Information Disclosure Team, Financial Conduct Authority, 12 Endeavour Square, London, E20 1JN.

When you contact us and / or when we contact you

We use personal data to fulfil statutory functions and other duties. This may include recorded phone and video calls, written notes, and digital copies. Depending upon our statutory and operational requirements, we may be required to keep written/digital notes and recordings to maintain an accurate record of information to support our work and aid our decision-making; these will be retained in accordance with our retention schedule. Please note that recorded phone and video calls, written/digital notes, and any other data processed by the FCA may also be processed by third party data processors performing services for the FCA under contract.

Our Data Protection Officer

As a public authority we are required to appoint a Data Protection Officer (DPO) who oversees our internal data protection compliance, informs and advises us on our data protection obligations, advises us on our data protection impact assessment process and acts as our contact point with the Information Commissioner.

Please email our team if you would like to contact our DPO.

Glossary of terms used in this privacy notice

DPA 2018: The Data Protection Act 2018
UK GDPR: The General Data Protection Act Regulation as it applies in the UK
ICO: The Information Commissioner’s Office
LED: The Law Enforcement Directive (EU) 2016/680
Data Controller: A person or organisation who determines the purposes and way any Personal Data is being or is to be Processed.
Joint Data Controllers: When the FCA and the other organisations (legal entity acting as a controller) ‘jointly’ decide the purposes and means of processing personal data for the same or shared purposes.
Data Processor: A natural or legal person, public authority, agency, or other body which Processes personal data on behalf of the controller.
Personal data: When we refer to personal data, we mean any information about a living identifiable individual who can be directly or indirectly identified from that information.
Process or Processing or use (of Personal Data): Processing means any action taken with personal data from the point of collection, use or reuse for a purpose, storage, sharing, erasing until secure disposal of it. Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. This includes, but is not limited to, any Processing of Personal Data for Law Enforcement Purposes.
Pseudonymise: The process of distinguishing individuals in a dataset by using a unique identifier which does not reveal their 'real world' identity.
Anonymise: The process that does not itself identify any individual and that is unlikely to allow any individual to be identified through its combination with other data.
Special categories of data: The special categories of data are specifically listed in the UK GDPR. They include race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, or information about a person’s sex life or sexual orientation. Previously referred to as 'sensitive personal data'.

Changes to this privacy notice

We keep our privacy notice under regular review. See 'last updated' at the top of the page for the date of the latest update.

Information added: Updated to ensure GDPR compliance.
Information changed: Information on the Financial Services Register moved to new page.
Editorial amendment: Page updated as part of website refresh.
Information changed: Information updated.
Information changed: Sensitive data.
Editorial amendment: GDPR update.
Information added: Personal data and recruitment page.
Information added: Sensitive data.