Collaboration is the name of the twenty-first-century game. Whether it’s partnerships, alliances, referrals or simply working together – in the financial services sector or across wider markets – collaborations open doors of opportunity for firms and customers. But data protection requirements loom large.

Take the following examples: a mortgage lender refers borrowers seeking a second mortgage to a broker or directly to a second-mortgage lender. A credit card issuer could refer declined applicants to an issuer specialising in applicants with that credit profile. And a financial institution might offer savings or non-financial products to customers through its partners.

But the way in which these options are presented to customers is crucial for data protection purposes. A customer choosing to contact a partner from a selection on a firm’s website is very different from a firm making proactive introductions and referrals. The latter almost certainly involve processing of personal data, which must fall within one of six lawful bases: consent; contract; legal obligation; vital interests; public task; and legitimate interests. It’s unlikely that the bases of legal obligation, vital interests and public task will be relevant in the case of introductions and referrals, which leaves consent, contract and legitimate interests. However:

  • Relying on contract requires processing of personal data to be necessary for a contract the referrer has with the customer or because the customer has asked the referrer to take specific steps before entering into a contract. The type of referral, introduction and similar arrangement we’re looking at here is unlikely to fall within these criteria.
  • Relying on legitimate interests depends on the processing of personal data being necessary for the referrer’s legitimate interests or those of a third party (unless there’s a good reason to protect the customer’s personal data that overrides those legitimate interests). My view is that it will be hard for a referrer to rely on legitimate interests to transfer a customer’s personal data to a partner, collaborator or similar person.

That leaves consent, which must be clear consent from the customer for the referrer to process their personal data for a specific purpose. In practice, this requires informed consent to be obtained from the customer in the context of the specific referral, introduction or other transfer of the customer’s personal data before any personal data are transferred. This should be a procedural step that can be built into the referral, introduction or partnership arrangements but the appropriate consent must be obtained.

The Financial Conduct Authority will also be interested in how customer information is handled and the steps taken to protect customers’ personal data as indicators of a firm’s culture, as well as evidence of data protection compliance. Collaboration might be the name of the game but protection of customer data comes first.


The blog and all entries on it are intended to provide general information about recent and expected items that might be of interest.  Neither the blog nor any entry provides or constitutes, or purports to provide or constitute, advice relevant to any particular circumstances.  Legal or other professional advice relevant to any particular circumstances should always be sought.

This entry was posted in Ruth's Blog.