What is the purpose of this document?
North Edinburgh and Castle Credit Union LTD (trading as Castle Community Bank), company number 019CUS and with registered address at 49 Great Junction Street, Edinburgh, EH6 5HX. Castle Community Bank is Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Our Data Protection Officer is Gordon Buchanan (firstname.lastname@example.org)
Castle Community Bank is a “data controller.” This means that we are responsible for deciding how we hold and use personal information about You. We are required under data protection legislation to notify You of the information contained in this privacy notice. If you have any questions regarding this privacy notice, please contact us at email@example.com
We may update this notice at any time but if we do so, we will provide You with an updated copy of this notice as soon as reasonably practical.
It is important that You read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about You, so that You are aware of how and why we are using such information and what Your rights are under the data protection legislation.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about You must be: Used lawfully, fairly and in a transparent way.
Collected only for valid purposes that we have clearly explained to You and not used in any way that is incompatible with those purposes.
Relevant to the purposes we have told You about and limited only to those purposes.
Accurate and kept up to date.
Kept only as long as necessary for the purposes we have told You about.
What information we hold and process about you
We need to collect certain types of information to allow us to comply with legal and regulatory requirements relating to our anti-fraud / anti-money laundering / know your customer and responsible lending obligations. If this information is not provided we cannot to provide you with a product or service.
Your personal information may also be processed on reasonable request by a law enforcement or regulatory authority, body or agency or in the conduct or defence of a legal claim. We will not delete personal information if relevant to an investigation or a dispute. It will continue to be stored until those issues are fully resolved.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect the following information about you:
- Information submitted through our website or through our partner websites (including through any application forms which you complete on either our or our partner websites). This may include details such as your name, address, phone numbers, email address, date of birth and employment, banking and financial details;
- Your demographic and lifestyle information;
- Information which we receive from various third parties when making a decision about you, your loan, or application including information collected from Credit Reference Agencies;
- Information from any social network or online account that you share with us.
We collect the following information from you:
- Details of your current loans, or other credit you may have, and/or savings, details of any and all loans, or other credit, and/or savings you have and have had with us and, in each case, all related and associated transactions;
- Photographic proof of your identity;
- Details of any questions you may ask us; and
- If you are an owner, director or partner in a small business, we may also check on your business accounts.
We collect the following information about you:
- Details of how you applied for your loan
- Details about your visits to the website and how you interact with our website. We may also collect this data even if you do not complete or submit your application;
- Information you give us explicit permission to access from your computer/phone such as your IP address, geolocation and data to confirm your identity;
- Details and records of any telephone, email or other communication which we have with you;
- Details of when you contact us and when we contact you; and
- Details, and the results of, any surveys that we have provided to you for research purposes.
Please be aware that:
- if you are submitting a joint application, we will hold and process personal data about your joint applicants. Please refer to section 10 for further information.
- We also collect and hold any other information which we reasonably need to operate your account, make decisions about you or fulfil our regulatory and legal obligations.
How we use your information:
When we ask you for personal information we may use it for the following purposes:
- to process, assess and fulfil your requests and/or applications for loans and/or other services
- to communicate with you about our products and/or services;
- to manage your account with us;
- to make, or assist in making, credit or lending decisions about you, including to assess and process your loan application;
- to process payments and prevent fraudulent transactions (we may pass your details to a third party to carry out these functions);
- to update our records and maintain your account with us;
- to trace your whereabouts;
- to recover any debt you owe us;
- to check any instructions given to us by you;
- to comply with our legal and regulatory requirements;
- to track, analyse and improve the services which we provide to you and other customers; and
for any other specific purpose which we notify you of at the time your personal information is collected.
If you provide us with any debit card or bank account details, either during the loan application or subsequently, we will keep those details and may use the details to take further payments both on your current loan and on any subsequent loans, unless you advise us otherwise.
For fraud prevention
- Search your record with credit reference and fraud prevention agencies to check and verify your identity (and the identity of any other individual named on your application) and collect your Credit Report (and any other individual named on your application). Credit reference agencies will keep a record of our enquiries, which may also be used by other organisations with access granted by the credit reference agencies. This may affect your ability to get credit. Please see section 12 for further details about how your personal data may be used by credit reference and fraud prevention agencies.
- Undertake appropriate checks to prevent or detect crime, money-laundering and or fraud.
We and other organisations may access and use information recorded by fraud prevention agencies from other countries for fraud prevention purposes.
For marketing, communications and advertising
Market and communicate our products and services we think these will be of interest to you. We use data that we collect to deliver and personalise our communications with you.
We may, for example, contact you by email or by other means of electronic communication (including by social media platforms) to inform you about any news, events, new products, or services from Castle Community Bank
You can always unsubscribe from receiving these emails if you want to by emailing us at firstname.lastname@example.org.
For our technical operations:
- to administer the website services, including processing any searches or requests for information about our products or services;
- to monitor, review and improve the content and appearance of our website, to ensure that content from our website is presented in the most effective manner for you;
- to maintain and develop our business systems, including testing and upgrading them;
Legal basis for processing your personal data
The legal basis for processing your special category data is your consent. As we are relying on your consent to process your special category data, you may withdraw your consent at any time by providing notice to us at email@example.com.
However, if you do withdraw your consent, please note that we may be delayed or not able to continue providing you with our products or services (for example, we will not be able to continue assessing your application for a loan).
The legal basis for processing other forms of your personal data is:
- it is necessary for the performance of a contract between you and us (i.e. for us to consider, process and deal with your application and provide you with the requested services).
Your provision of personal data to us is a contractual requirement. If you do not supply your personal data to us, it may delay or prevent us from providing you with our products or services (for example, we will not be able to review and assess your application for one of our products).
- it is necessary for the purposes of the legitimate interests pursued by us (for example, operating and making available the website and providing you with information about our products and services).
Please refer to the full privacy statements in section 12 for further details about how we will or may use your personal data.
Information we share
There are certain circumstances where we may transfer your personal data to employees, contractors and to other parties.
We may share your information with certain contractors or service providers. Our suppliers and service providers will be required to meet our standards on processing information and security. The information we provide to them, including your information, will only be provided in connection with the performance of their function.
We may also share your information with certain third parties. We will do this either when we receive your consent or because we need them to see your information to provide products or services to you. These include credit reference agencies, anti-fraud databases, screening agencies and other partners we do business with.
Your personal information may be transferred to other third-party organisations in certain scenarios:
- our employees who provide and work on the services mentioned at point 2 above.
- firms and businesses that help us provide you with the right product and services. These include our channel partners such as
- price comparison websites such as MoneySupermarket and Confused.com
- brokers such as Norton Finance and Loans Warehouse
- Other partners such as Revolut
- credit Reference agencies such as CallCredit, and fraud prevention agencies such as CIFAS. For the credit reference agencies and fraud prevention agencies, please refer to section 12 for further information about how our credit unions use your data.
- any organisation which supports our business or any of our products that you have applied for e.g. our IT partners such as Gojoko Marketing Ltd, Google, Mambu and Persistent Systems, people who help us access your bank account using Open banking or account aggregation
- governmental, regulatory or other appropriate authorities (including authorities outside of the UK) if we identify or suspect suspicious or criminal activity (for example if we know or suspect that a transaction involves money laundering). We may not be able to inform you that a disclosure has been made or the reasons for it.
- anyone who you give us explicit permission to share your personal data with;
- applicable third parties, if we must disclose your personal data to comply with the law, or to enforce our Terms and Conditions or other agreements; or to protect the rights, property or safety of us, our customers, or others.
- If we are required to by law, or under any regulatory code or practice we follow, or if we are asked by any public or regulatory authority – for example the Police or FCA & PRA.
You have a general right to:
You may have certain rights in relation to your information including a right to access or to correct the information we hold on you. We have listed the rights you have over your information and how you can use them below.
These rights will only apply in certain circumstances. They will generally not be available if there are outstanding contracts between us, if we required by law to keep the information or if the information is relevant to a legal dispute.
- You can remove consent, where you have provided it, at any time.
- You can ask us to confirm if we are processing your information.
- You can ask for access to your information.
- You can ask to correct your information if it is wrong.
- You can ask us to delete your information.
- You can ask us to restrict how we use your information.
- You can ask us to help you move your information to other companies.
- To help with that, you have a right to ask that we provide your information in an easily readable format to another company.
- You can ask us to stop using your personal information, but only in certain cases.
- You have the right to complain to the relevant supervisory authority.
To request any of these rights please contact us by emailing firstname.lastname@example.org. Please note that there may be circumstances under which we do not have to, or cannot comply with, these requests.
You also have the right to complain to the Information Commissioner’s Office about the manner in which we process your personal data.
What we will not do
We won’t share identifiable personal data with third parties for their direct marketing.
How long will you use my information for?
Your personal data will be stored for as long as you are a customer with us. We may keep your personal data for 12 months after you stop being a customer with us, for the following reasons:
- to respond to any query or complain you may have; and/or
- to fulfil our legal record keeping obligations.
We may retain a record of your information (including your credit/debit card information) for a reasonable period of time following this 12 months retention period for administration and fraud prevention purposes.
After this retention period, we’ll then delete your personal data securely and safely.
We are committed to keeping your personal information safe. We have put in place physical, technical and administrative measures to prevent unauthorised access or use of your information.
All of our systems comply with data security regulation.
We may transfer your personal data outside the European Economic Area (“EEA”), namely to India. Your personal data may therefore be processed by staff outside the EEA who work for us or one of our suppliers.
How do credit reference and fraud prevention agencies use your data?
When you apply to us for a loan, we will check the following records about you (and others where applicable):
- our own records;
- information in the public domain for the purpose of identifying any information relevant to your application, including but not limited to information you have made publically available on social media or other websites;
- records held by Credit Reference Agencies (“CRAs”). When CRAs receive a search from us they:
- will carry out a search for the purposes of verifying your identity;
- may check the details you supply against any particulars on any database (public or otherwise) to which they have access in order to verify your identity;
- will retain a record of the search;
- will place a search footprint on your credit file that may be seen by other lenders. CRAs supply both public (including the electoral register) and shared credit and fraud prevention information to us; and
- those at fraud prevention agencies (“FPAs”).
We will make checks, such as assessing your loan application for credit and verifying agencies, to prevent and detect crime and money laundering. We may also make periodic searches at CRAs and FPAs to manage the financing of your loan.
If you are making a joint application on behalf of the directors of your business, we may link your records together so you must be sure that you have their agreement to disclose information about these directors. CRAs also link your records together and these links will remain on your and the directors’ files until such time as you or your partners successfully file for a disassociation with the CRAs to break that link.
Information on applications may be sent to CRAs and will be recorded by them. Where you sign a loan agreement with us, we will give details of your account(s) and how you manage it/them to CRAs. If you do not make your loan repayments in full and on time, CRAs may record the outstanding debt. This information may be supplied to other organisations by CRAs and FPAs to perform similar checks and to trace your whereabouts and recover debts that you owe. Records remain on file for 6 years after they are closed, whether settled by you or defaulted.
The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail here.
The personal information we have collected from you will be shared with FPAs who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, your could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at https://www.cifas.org.uk/fpn.
We and other organisations may access and use from other countries the information recorded by fraud prevention agencies.
You can contact the CRAs currently operating in the UK. The information they hold may not be the same so it is worth contacting them all. They will charge you a small statutory fee.
Their contact details are:
- TransUnion LLC, Consumer Services Team, PO Box 491, Leeds, LS3 1WZ or call 0870 0601414;
- Equifax PLC, Credit File Advice Centre, PO Box 2001, Bradford, BD1 5US or call 0870 010 0583 or log on to www.myequifax.co.uk; and
- Experian, Consumer Help Service, PO Box 8000, Nottingham, NG80 7WF or call 0844 4818000 or log on to www.experian.co.uk
CHANGES TO THIS PRIVACY NOTICE
We reserve the right to update this privacy notice at any time, and we will provide You with a new privacy notice when we make any substantial updates. We may also notify You in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy notice, please contact:
Castle Community Bank
49 Great Junction Street
0131 466 5006