Privacy Statement

Penilee Credit Union General Data Protection Regulation Privacy Statement

1 Who is Penilee Credit Union

  • The statement of privacy applies to the personal information processes carried out by Penilee Credit Union.
  • Penilee Credit Union is the data controller with regards to the personal information processed in connection with the everyday activities of the credit union and the services we provide.
  • Penilee Credit Union is situated at 2135 Paisley Road West, Glasgow, G52 3JL. As a member you can also find out more on our website is penileecu.co.uk.
  • We at Penilee Credit Union respect your right to privacy. To this end we endeavour to protect your personal data using various tools and processes outlined within this privacy document. Any updates will be published on our website.

 

2 What Information do we process

2.1 As a financial institution we process various examples of personal information from when you join Penilee Credit Union throughout your relationship with us. Collection and processing of personal information will be limited to only such information that allows us to provide you our members with products, services and, legal obligations in line with core activities in accordance with General Data Protection Regulations (GDPR).  Personal information may include:

  1. A) Basic information such as name and address, date of birth and contact details;
  2. B) Financial information. Including account and transaction history;
  3. C) Information about you and family, this includes details of your next of kin, dependents, marital status and any contact details;
  4. D) Information in connection with your financial circumstances, for example proof of income, income and expenditure and borrowing history as a member of the credit union;
  5. E) Education and employment history;
  6. F) Services provided;
  7. G) Visual images captured such as photographs uploaded, copies of passports or CCTV images
  8. H) Online activity, such as logon details, IP addresses online profiles through interacting with us electronically such as our website or the CUanywhere app.

2.2 We may also process certain categories of information for specific and limited purposes such as fraud prevention, credit control and other financial crime such as money laundering. We will only process information within our statuary contractual, legal obligations, and or expressed consent by you the member. This may include:

  1. A) Information on racial or ethnic origin;
  2. B) Religious or philosophical beliefs;
  3. C) Trade Union Membership;
  4. D) Health details;
  5. E) Biometric information, for example fingerprint for use with CU anywhere app.

 

2.3 Where permitted by law we may process information with the aim of preventing criminal acts such as fraud or money laundering which may involve investigation from outside organisations (for example the police). It may involve investigating and gathering intelligence on suspected financial crimes, fraud and threats and sharing data between banks and with law enforcement and regulatory bodies.

 

3 How we obtain information

3.1 Your information is made up of all the financial and personal information we collect and hold about you/your employment and business. It includes:

  1. a) information you provide us;
  2. b) information that we receive from third parties – including third parties who provide services to you or us, fraud prevention or government agencies, and other banks (where permitted by law);
  3. c) information that we learn about you through our relationship with you and the way you operate your accounts and/or services, such as the payments made to and from your accounts (eg BACS);
  4. d) information that we gather from the technology which you use to access our services (for example location data from your mobile phone, or an IP address or telephone number); and
  5. e) information that we gather from publicly available sources, such as the press, the electoral register, company registers and online search engines.
  6. Your rights

4.1 We want to ensure you are aware of your rights relating to the personal information we process about you. We have described those rights and the circumstances in which they apply in the table below.

If you wish to exercise any of these rights, if you have any queries about how we use your personal information that are not answered here, or if you wish to complain to our Lead Information Officer, please contact us at 0141 891 8600.

4.2 Please note that in some cases, if you do not agree to the way we process your information, it may not be possible for us to continue to operate your account and/or provide certain services to you (for example LPLS).

 

Table A – Your Rights

Rights Description
Access – You have a right to get access to the personal information we hold about you.

 

If you would like a copy of the personal information we hold about you, please write to:

 

2135 Paisley Road West
Cardonald
GLASGOW
G52 3JL

 

Or contact us at 0141 891 8600

 

For more information on how to get access to your information and the documents we need you to submit, please visit our website at:

 

http://www.penileecu.co.uk

Rectification – You have a right to rectification of inaccurate personal information and to update incomplete personal information. If you believe that any of the information that we hold about you is inaccurate, you have a right to request that we restrict the processing of that information and to rectify the inaccurate personal information.

 

Please note that if you request us to restrict processing your information, we may have to suspend the operation of your account and/or the products and services we provide to you.

Erasure – You have a right to request that we delete your personal information. You may request that we delete your personal information if you believe that:

 

• we no longer need to process your information for the purposes for which it was provided;

• we have requested your permission to process your personal information and you wish to withdraw your consent; or

• we are not using your information in a lawful manner.

 

Please note that if you request us to delete your information, we may have to suspend the operation of your account and/or the products and services we provide to you.

Restriction – You have a right to request us to restrict the processing of your personal information. You may request us to restrict processing your personal information if you believe that:

 

• any of the information that we hold about you is inaccurate;

• we no longer need to process your information for the purposes for which it was provided, but you require the information to establish, exercise or defend legal claims; or

• we are not using your information in a lawful manner.

 

Please note that if you request us to restrict processing your information, we may have to suspend the operation of your account and/or the products and services we provide to you.

Portability – You have a right to data portability. Where we have requested your permission to process your personal information or you have provided us with information for the purposes of entering into a contract with us, you have a right to receive the personal information you provided to us in a portable format.

 

You may also request us to provide it directly to a third party, if technically feasible. We’re not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and any privacy statement they provide to you.

 

If you would like to request the personal information you provided to us in a portable format, please write to or contact us at:

 

2135 Paisley Road West
Cardonald
GLASGOW
G52 3JL

 

 

Or contact us at 0141 891 8600

 

Objection – You have a right to object to the processing of your personal information. You have a right to object to us processing your personal information (and to request us to restrict processing) for the purposes described in Section C of Schedule A – Purposes of Processing (below), unless we can demonstrate compelling and legitimate grounds for the processing, which may override your own interests or where we need to process your information to investigate and protect us or others from legal claims.

 

Depending on the circumstances, we may need to restrict or cease processing your personal information altogether, or, where requested, delete your information. Please note that if you object to us processing your information, we may have to suspend the operation of your account and/or the products and services we provide to you.

Marketing – You have a right to object to direct marketing. You have a right to object at any time to processing of your personal information for direct marketing purposes, including profiling you for the purposes of direct marketing. For more information see Section 9.
Withdraw consent – You have a right to withdraw your consent. Where we rely on your permission to process your personal information, you have a right to withdraw your consent at any time. We will always make it clear where we need your permission to undertake specific processing activities.
Lodge complaints – You have a right to lodge a complaint with the regulator. If you wish to raise a complaint on how we have handled your personal information, you can contact our Data Protection Officer who will investigate the matter. We hope that we can address any concerns you may have, but you can always contact the Information Commissioner’s Office (ICO). For more information, visit ico.org.uk

 

 

5 Changes to the way we use your information

In very rare circumstances, the occasion may arise that it will be necessary to change how we process personal information. Where we believe you may not reasonably expect such a change we will notify you and will allow a period of at least 30 days for you to raise any objections before the change is made. However, please note that in some cases, if you do not agree to such changes it may not be possible for us to continue to operate your account.

 

6 How we use and share your information with other Credit Unions.

All credit unions are independent although we operate with a similar ethos. With this in mind we will only use and share your information where it is necessary for us to lawfully carry out our business activities (for example, fraud prevention). Your information may be shared with and processed with other credit unions. We want to ensure that you fully understand how your information may be used. We have described the purposes for which your information may be used in detail in a table in Schedule A – Purposes of Processing.

7 Sharing with third parties

7.1 We will not share your information with anyone outside Penilee Credit Union except:

  1. a) where we have your permission;
  2. b) where required for your product or service (For example, life Insurance);
  3. c) where we are required by law and by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies (For example, HMRC);
  4. d) with other banks and third parties where required by law to help pay or recover funds from your account as a result of a contractual agreement or misdirected payment by such a third party;
  5. e) with third parties providing services to us, such as market analysis and benchmarking, correspondent banking, and agents and sub-contractors acting on our behalf, such as the companies which print our account statements;

8 Transferring information overseas

8.1 We may transfer your information to organisations in other countries on the basis that anyone to whom we pass it protects it in the same way we would and in accordance with applicable laws.

8.2 In the event that we transfer information to countries outside of the European Economic Area (which includes countries in the European Union as well as Iceland, Liechtenstein and Norway), we will only do so where:

  1. a) the European Commission has decided that the country or the organisation we are sharing your information with will protect your information adequately;
  2. b) the transfer has been authorised by the relevant data protection authority; and/or
  3. c) we have entered into a contract with the organisation with which we are sharing your information (on terms approved by the European Commission) to ensure your information is adequately protected. If you wish to obtain a copy of the relevant data protection clauses, please contact us at 0141 891 8600.

9 Marketing & Communications about your account

At present we at Penilee Credit Union don’t produce newsletters or indulge in online marketing. Should we wish to market services provided in the future, we won’t, unless you have told us that you want to hear from us, we may in this instance send you relevant marketing information, or contacting you in relation to the operation and maintenance of your account by mail, phone, email, text and other forms of electronic communication. If you change your mind about how you would like us to contact you or you no longer wish to receive this information, you can tell us at any time by contacting us at 0141 891 8600, coming in to the shop, or satellite point.

10 Credit reference and fraud prevention agencies

10.1 Penilee Credit Union generally do not use credit reference agencies we prefer to operate and base our relationship with members on the basis of mutual trust. Should we in future access and use information from credit reference and fraud prevention agencies when you open your account and periodically to:

  1. a) manage and take decisions about your accounts, including assessing your creditworthiness and checks to avoid customers becoming over-indebted;
  2. b) prevent criminal activity, fraud and money laundering;
  3. c) check your identity and verify the accuracy of the information you provide to us; and
  4. d) trace debtors and recover debts.

10.2 Penilee Credit Union do not base decisions on automated checks of information from credit reference agencies at present. We may use Fraud prevention agencies and internal records. To help us make decisions on when to give you credit, we do not at use a system called credit scoring to assess your application. Although there is no plans for Penilee Credit  union to undertake credit scoring, in the future to work out your credit score, we may look at information you give us when you apply; information from credit reference agencies that will show us whether you’ve kept up to date with payments on any credit accounts (that could be any mortgages, loans, credit cards or overdrafts), or if you’ve had any court action such as judgments or bankruptcy; your history with us such as maximum level of borrowing; and affordability, by looking at your available net income and existing debts. You have rights in relation to automated decision-making, including a right to appeal if your application is refused.

10.3 We may in future decide to share information with credit reference agencies about how you manage your account including your account balance, payments into your account, the regularity of payments being made, credit limits and any arrears or default in making payments, while you have a relationship with us. This information will be made available to other organisations (including fraud prevention agencies and other financial institutions) so that they can take decisions about you, your associates and members of your household.

10.4 If false or inaccurate information is provided and/or fraud is identified or suspected, details will be passed to fraud prevention agencies. Law enforcement agencies and other organisations may access and use this information.

10.5 If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or we may stop providing existing services to you.

10.6 A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. Fraud prevention agencies can hold your information for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

10.7 When credit reference and fraud prevention agencies process your information, they do so on the basis that they have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect their business and to comply with laws that apply to them.

10.8 If you would like a copy of your information held by the credit reference and fraud prevention agencies we may use, or if you want further details of how your information will be used by credit reference agencies, please visit their websites or contact them using the details below. The agencies may charge a fee.

Credit reference agency Contact details
Callcredit Limited

(callcredit.co.uk/crain)

Post: Callcredit Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP.

Website: callcredit.co.uk/consumer-solutions/contact-us

Email: consumer@callcreditgroup.com

Phone: 0330 024 7574

Equifax Limited (equifax.co.uk/crain) Post: Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester LE3 4FS.

Website: equifax.co.uk/Contact-us/Contact_Us_Personal _Solutions.html

Email: equifax.co.uk/ask

Phone: 0333 321 4043 or 0800 014 2955

Experian Limited (experian.co.uk/crain) Post: Experian, PO BOX 9000, Nottingham, NG80 7WF.

Website: experian.co.uk/consumer/contact-us/index.html

Email: consumer.helpservice@uk.experian.com Phone: 0344 481 0800 or 0800 013 8888

 

11 How long we keep your information

11.1 By providing you with products or services, we create records that contain your information, such as customer account records, statement of accounts, next of kin and lending and credit account records. Records can be held on a variety of media (physical or electronic) and formats.

11.2 We manage our records to help us to serve our members well (for example for operational reasons, such as dealing with any queries relating to your account) and to comply with legal and regulatory requirements. Records help us demonstrate that we are meeting our responsibilities and to keep as evidence of our business activities.

11.3 Retention periods for records are determined based on the type of record, the nature of the activity, product or service. We normally keep member account records for up to six years after your relationship with Penilee ends, whilst other records are retained for shorter periods, for example 90 days for CCTV records or 12 months for call recordings. Retention periods may be changed from time to time based on business or legal and regulatory requirements.

11.4 We may on exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that the Credit Union will be able to produce records as evidence, if they’re needed.

11.5 If you would like more information about how long we keep your information, please contact us at 0141 891 8600.

 

12 Security

We are committed to ensuring that your information is secure with us and with the third parties who act on our behalf. For more information about the steps we are taking to protect your information please visit www.penileecu.co.uk, stop by the shop or phone 0141 891 8600.

Schedule A – Schedule of Purposes of Processing

We will only use and share your information where it is necessary for us to carry out our lawful business activities. Your information may be shared with and processed by other credit unions we want to ensure that you fully understand how your information may be used. We have described the purposes for which your information may be used in detail in a table below:

A Contractual necessity

We may process your information where it is necessary to enter into a contract with you for the provision of our products or services or to perform our obligations under that contract. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you. This may include processing to:

  1. assess and process applications for products or services;
  2. provide and administer those products and services throughout your relationship with Penilee, including opening, setting up or closing your accounts or products; collecting and issuing all necessary documentation; executing your instructions; processing transactions, including transferring money between accounts; making payments to third parties; resolving any queries or discrepancies and administering any changes. Calls to our service centre and communications to our mobile and online helplines may be recorded and monitored for these purposes;
  3. manage and maintain our relationships with you and for ongoing customer service. This may involve sharing your information with other credit unions or third parties to improve the availability of our services, for example enabling customers to visit shop, satalite, or website of Penilee Credit Union;
  4. administer any credit facilities or debts, including agreeing repayment options; and
  5. communicate with you about your account(s) or the products and services you receive from us.

 

 

B Legal obligation

 

When you apply for a product or service (and throughout your relationship with us), we are required by law to collect and process certain personal information about you. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you. This may include processing to:

  1. confirm your identity, including using biometric information and voice-recognition technology and other identification procedures, for example fingerprint verification;
  2. perform checks and monitor transactions and location data for the purpose of preventing and detecting crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions. This may require us to process information about criminal convictions and offences, to investigate and gather intelligence on suspected financial crimes, fraud and threats and to share data with law enforcement and regulatory bodies;
  3. assess affordability and suitability of credit for initial credit applications and throughout the duration of the relationship, including analysing customer credit data for regulatory reporting;
  4. share data with other banks and third parties to help recover funds that have entered your account as a result of a misdirected payment by such a third party;
  5. share data with police, law enforcement, tax authorities or other government and fraud prevention agencies where we have a legal obligation, including reporting suspicious activity and complying with production and court orders;
  6. deliver mandatory communications to customers or communicating updates to product and service terms and conditions;
  7. investigate and resolve complaints;
  8. conduct investigations into breaches of conduct and corporate policies by our employees;
  9. manage contentious regulatory matters, investigations and litigation;
  10. perform assessments and analyse customer data for the purposes of managing, improving and fixing data quality;
  11. provide assurance that the bank has effective processes to identify, manage, monitor and report the risks it is or might be exposed to;
  12. investigate and report on incidents or emergencies on the bank’s properties and premises;
  13. coordinate responses to business-disrupting incidents and to ensure facilities, systems and people are available to continue providing services; and
  14. monitor dealings to prevent market abuse.

 

C Legitimate interests of the Credit Union

We may process your information where it is in our legitimate interests do so as an organisation and without prejudicing your interests or fundamental rights and freedoms.

  1. We may process your information in the day-to-day running of our business, to manage our business and financial affairs and to protect our customers, employees and property. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business. This may include processing your information to:

 

  • monitor, maintain and improve internal business processes, information and data, technology and communications solutions and services;
  • ensure business continuity and disaster recovery and responding to information technology and business incidents and emergencies;
  • ensure network and information security, including monitoring authorised users’ access to our information technology for the purpose of preventing cyber-attacks, unauthorised use of our telecommunications systems and websites, prevention or detection of crime and protection of your personal data;
  • provide assurance on the union’s material risks and reporting to internal management and supervisory authorities on whether the union is managing them effectively;
  • perform general, financial and regulatory accounting and reporting;
  • protect our legal rights and interests;
  • manage and monitor our properties and branches (for example through CCTV) for the purpose of crime prevention and prosecution of offenders, for identifying accidents and incidents and emergency situations and for internal training; and
  • enable a sale, reorganisation, transfer or other transaction relating to our business.

 

  1. It is in our interest as a business to ensure that we provide you with the most appropriate products and services and that we continually develop and improve as an organisation. This may require processing your information to enable us to:
  • identify new business opportunities and to develop enquiries and leads into applications or proposals for new business and to develop our relationship with you;
  • send you relevant marketing information (including details of other products or services provided by us or other credit union which we believe may be of interest to you);
  • understand our customers’ actions, behaviour, preferences, expectations, feedback and financial history in order to improve our products and services, develop new products and services, and to improve the relevance of offers of products and services by Penilee Credit Union;
  • monitor the performance and effectiveness of products and services;
  • assess the quality of our customer services and to provide staff training. Calls to our service centres and communications to our mobile and online helplines may be recorded and monitored for these purposes;
  • perform analysis on customer complaints for the purposes of preventing errors and process failures and rectifying negative impacts on customers;
  • compensate customers for loss, inconvenience or distress as a result of services, process or regulatory failures;
  • identify our customers’ use of third-party products and services in order to facilitate the uses of customer information detailed above; and
  • combine your information with third-party data, such as economic data in order to understand customers’ needs better and improve our services.

We may perform data analysis, data matching and profiling to support decision-making with regards to the activities mentioned above. It may also involve sharing information with third parties who provide a service to us.

  1. It is in our interest as a business to manage our risk and to determine what products and services we can offer and the terms of those products and services. It is also in our interest to protect our business by preventing financial crime. This may include processing your information to:
  • carry out financial, credit and insurance risk assessments;
  • manage and take decisions about your accounts;
  • carry out checks (in addition to statutory requirements) on customers and potential customers, business partners and associated persons, including performing adverse media checks, screening against external databases and sanctions lists and establishing connections to politically exposed persons;
  • ) share data with credit reference, fraud prevention agencies and law enforcement agencies;
  • trace debtors and recovering outstanding debt;
  • for risk reporting and risk management.

Application decisions may in future be taken based on solely automated checks of information from credit reference agencies and internal records held within Penilee Credit Union. For more information on how we access and use information from credit reference and fraud prevention agencies see Section 11 – Credit reference and fraud prevention agencies in this document.