Privacy statement

Last updated: September 2023

Bacs Payment Schemes Limited (Bacs) understands the importance of protecting your personal information.

This privacy policy sets out what personal information we collect and use and your rights in relation to your personal information, when you interact with us as a user of our Direct Debit automated payment service which we provide in partnership with payment service providers such as your bank or building society or visit our website www.directdebit.co.uk.

If you need any further details, have a query or complaint about our use of your personal information, please contact our Data Protection Officer:

by email at DPO@wearepay.uk or
by post at 2 Thomas More Square, London, E1W 1YN.

We review our privacy policy regularly. Where the policy has been updated this will be clearly identified by reference to the date of the policy above.

Where we provide links to third party websites, we accept no liability for the privacy practices or content of these website.

Direct Debit payments

When you choose to make a payment by Direct Debit, Bacs uses your name, sort code and account number to perform the Direct Debit automated payment in accordance with your instructions. Your personal information is shared with us by your bank or building society as set out in their privacy policy.

If you are unable to provide this personal information we are unable to perform your Direct Debit automated payment.

Visiting our website

When you visit our website, we place cookies on your device (e.g. computer hard drive, mobile phone) which collect unique identifiers relating to your device automatically. We do this so that we can improve our website’s functionality and performance. For example, enabling the site to load quickly, remembering you have been shown a one off message etc.

Our cookie policy has more detail.

Contacting us

If you choose to contact us using the email address provided in the How to Complain or Contact us sections of our website, or the DPO contact details above, we will collect and process your personal information so that we can deal with your query.

Who do we share your personal information with?

So that we may provide our Direct Debit service and deal with any queries or complaints you may have, we share your personal information with the following:

Payment service providers such as your bank or building society and collecting organisations so that your Direct Debit instruction is completed; and
Our key infrastructure supplier, who processes your payment instruction.

In relation to the performance and operation of our website we share your personal information with the following third party service suppliers who support the delivery of this service in accordance with the contractual arrangements we have in place with them:

Website hosting supplier
Website development and maintenance agency
Consultants who provide website management support.

Where required by law or competent authority we may also share your personal information with regulators, courts, government departments and law enforcement agencies. We will inform you of this before we share your personal information unless we are legally prevented from doing so.

We do not, nor do any of the third party service suppliers with whom your personal information is shared by us, transfer any of your personal information outside the European Economic Area.

How long do we keep your personal information for?

Your personal information is kept in accordance with our data retention policy which categorises personal data and applies retention periods according to use. Retention periods are determined by reference to applicable data protection laws and the purpose for which the personal information was collected and is used. Legal and regulatory retention requirements, contractual obligations and limitation periods are also part of the retention period determination process.

Personal information processed to perform your Direct Debit automated payment is kept for 7 years from the last date that it was processed. This means that if you make the same automated payment at regular intervals e.g. monthly, annually, we keep your personal information for 7 years from the date of each one of those payments.

How we protect your personal information

We understand the importance of ensuring our systems are secure from unauthorised access, use or disclosure so that emails and forms that contain your personal information are safe. It has internal policies, procedures and controls in place to ensure this.

Your rights

The law entitles you:

To request and receive a copy of any of your personal information which we have collected
To request that we correct and / or complete personal information we have collected
To request that we permanently delete, stop using or storing any of your and / or restrict our use of your personal information when we no longer need it for the purpose you provided it to us
To object to the processing of your personal information by us unless we can demonstrate that we need to continue processing it
In some circumstances to request that we transfer your personal information to a third party.

If you would like to exercise any of these choices, please get in touch via our Data Protection Officer using the details above. Where we have shared your personal information with other companies, we will let them know if you exercise any of these choices.

If you believe that we have not complied with your data protection rights, you can complain to the Information Commissioner who can be contacted at www.ico.org.uk or by telephone on 0303 123 1113.