Privacy Notice

Cardiff & Vale Credit Union Privacy Notice

We are committed to protecting our members’ privacy and respecting their Data Protection rights. This Privacy Notice explains how we collect, use, store, share and protect your Personal Information in a way which complies with UK Data Protection laws (including the General Data Protection Regulation (GDPR) and Data Protection Act 2018). For the purposes of this statement, reference to members includes existing members, junior savers and anyone who makes an application to Cardiff & Vale Credit Union.

1. About Us

Cardiff & Vale Credit Union is a mutual organisation that exists for the benefit of our members who save and borrow with us. We offer safe savings accounts and affordable loans to anyone living in Cardiff or the Vale of Glamorgan or working anywhere in Wales. With over 8,000 members and around 100 new joiners each month, we have instigated a local revolution for ethical savings and affordable loans to people from all walks of life. Cardiff & Vale Credit Union is registered as a Data Controller with the Information Commissioner’s Office (ICO), the UK regulator responsible for Data Protection.

2. How to Contact Us

If you want more information about our Privacy Notice or about the way that we handle your Personal Information, or would like to exercise any of your Data Subject rights (see below for more information), please contact us at (029) 29 872373 or ccu@cardiffcu.com.

You can also contact the ICO via https://ico.org.uk/ or by phone on 0303 123 1113 for information, advice or to make a complaint.

3. Our Lawful Basis for Processing your Personal Information

We only process your Personal Information if we: have a lawful basis to do so; the processing is necessary, reasonable and proportionate; and in accordance with the way in which we describe in this Privacy Notice.

  • Legal obligations and performing our contract with you: The majority of the processing we carry out at Cardiff & Vale Credit Union in relation to your Personal Information is necessary for the performance of our legal obligations as a credit union or to enable us to perform our contract with you.
  • Legitimate interests: Where our processing is not necessary for compliance with a legal obligation or to perform our contract with you, we rely on our legitimate interests to run the credit union efficiently and improve our services to you. When relying on legitimate interests we check that our legitimate interests are not overridden by your rights, and process your Personal Information in a way that we think you would reasonably expect (ie. as set out in this Privacy Notice).
  • Consent: In limited circumstances we require consent from you to process your Personal Information – in particular if you are a new member, we will ask for your consent to send you marketing materials such as our newsletter and annual member survey. When we do this we will ensure that we get your explicit consent, and tell you how you can withdraw it if you change your mind. As we explain in more detail below, we rely on the “soft opt-in” exemption in relation to sending marketing materials to current members, but also tell them how they can opt-out if they wish.

 4. The Personal Information We Collect About You and What We Use it For

We may collect Personal Information from you in the following ways:

  • When you make an application to us;
  • When setting up (or amending) your membership account with us;
  • When you contact us by letter, email, secure messaging or telephone
  • If you contact us on social media
  • If you visit and access our website www.cardiffcu.com
  • If you visit our offices
  • If you make a complaint to us.

The Personal Information we may collect from you includes:

  • Name, address, email address, landline number and mobile number;
  • Date of birth;
  • National insurance number
  • Bank account details ;
  • Debit and/or credit card information if you want to pay by card;
  • Income, expenditure and other affordability information (including benefits information) when applying for a loan
  • Any medical/health information you provide to us in your communications with us
  • Co-occupant/family member details/children details
  • Nominee details you have nominated a third party to speak to us about your account
  • Other information relevant to our debt recovery processes (eg. your payment history)
  • Beneficiary details (the person you nominate to inherit your savings deposited with us)
  • Household members
  • Occupation status and landlord details if applicable
  • Income and expenditure sources and values
  • Contact details
  • Employment details
  • Identification and verification details which can include passport or driving licence details (a full list of acceptable documents can be found on our application forms).

We use the Personal Information we collect from you for the following purposes:

  • In fulfilling our legal obligations as a credit union:

To confirm your identity:

  • To perform activity for the prevention of financial crime;
  • To carry out internal and external auditing;
  • To record basic information about you on our Register of Members;
  • To comply with industry-related standards, codes of practice and our general legal requirements. This will include if you have an accident on our premises and we are required to report it in accordance with health and safety laws.

In performing our contract with you:

  • To administer with your account(s), collect payments, recover outstanding amounts due to us and to inform our debt recovery processes. This may involve consulting your records held at credit reference agencies (see below for further information) in relation to new accounts, settled accounts and any debts not fully repaid on time.
  • To consider any applications made by you;
  • To carry out credit checks and to obtain and provide credit references;
  • To send you statements, our current and updated terms and conditions, information about changes to the way your account(s) operate and notification of our Annual General Meeting.
  • In exercising our legitimate interests:
  • To undertake statistical analysis, to help evaluate the future needs of our members and
    to help manage our business;
  • For training or system testing purposes;
  • To look at your relationship with you to contact you to invite you to participate in surveys.
  • With your consent:
  • For new members, in relation to sending you marketing and market research messages such as our newsletter and annual member survey.
  • For current members, we rely on the “soft-opt in” exception on the basis that:
  • We have obtained your contact details in the course of a sale (or negotiations for a sale) of a product or service to you;
  • We are only marketing our own similar products or services: and
  • We have previously provided you with the opportunity to refuse or opt-out of the marketing when we first collected your details and in every message since then.

If you change your mind at any time about being contacted by us in this way you can let us know by calling us on (029) 20872373, emailing us on ccu@cardiffcu.com with the title Marketing or write to us at 4 Working Street, Cardiff, CF10 1GN to let us know.

5. Sharing your Personal Information

We will disclose information outside of the credit union only:

to third parties to help us confirm your identity, in compliance with money laundering legislation;

  • to credit reference agencies and debt recovery agents who may check the information against other databases – private and public – to which they have access to;
  • to any authorities if compelled to do so by law (e.g. to HM Revenue & Customs to fulfil tax compliance obligations)
  • to fraud prevention agencies and government departments to help prevent crime or where we suspect fraud;
  • to any persons, including, but not limited to, insurers, who provide a service or benefits to you or for us in connection with your account(s);
  • to our suppliers in order for them to provide services to us and/or to you on our behalf
  • to anyone in connection with a reorganisation or merger of the credit union’s business
  • to third parties acting as our marketing agents in relation to our marketing activities;
  • to our auditors to enable them to undertake statutory audits of our annual accounts

Where appropriate with law enforcement agencies, including the police and local authorities, to help prevent, detect and prosecute crime, or where we consider it appropriate to do so to protect the Credit Union, our employees and our members to third parties when making referrals of support to you (with your consent) such as money or debt advisors.

6. Where We Store Your Personal Information and How We Keep it Safe

All member Personal Information is held in our database in the UK, which has controlled access and is subject to strong cyber security measures. All access to our system is strictly controlled. We also operate strict physical security at our offices and our employees receive security and Data Protection awareness training.

Where we transfer information to third parties to enable them to process it on our behalf, we have contractual provisions in place to ensure that they protect your Personal Information.

We do not directly transfer any Personal Information outside of the European Economic Area (EEA) but some of our partners may do so. These countries may not have the same Data Protection laws as the UK and the EEA, and so your Personal Information may not be subject to the same protections. However, in such cases, we will make sure that any transfer of your Personal Information to countries outside of the EEA is subject to appropriate safeguards as if it were being processed inside of the EEA.

7. Retaining your Personal Information

The Credit Union will need to hold your information for various lengths of time depending on what we use your data for. In many cases we will hold this information for a period of time after you have left the Credit Union.

To read our policy for retaining members data please see our Data Retention Policy or contact us at: (029) 29 872373 or ccu@cardiffcu.com

8. Credit Reference Agencies

In order to process credit applications you make we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.

We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. This may affect your ability to get credit.

The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail on the following websites and also in the “Credit Reference Agency Information Notice (CRAIN) available at this link: https://www.experian.co.uk/legal/crain/:

They may retain information for up to 6 years after any credit agreement between us has ended. When we share this information all parties conform to industry standards.

Credit Reference Agencies also share information about people with many financial organisations.

Their records tell us:

  • Whether you have kept up with paying your bills, rent or mortgage, and other debts such as loans, phone and internet contracts;
  • your previous address;
  • information on any business you may own or have owned or directed;
  • whether you are financially linked to another person, for example by having a joint account or shared credit;
  • whether you have changed your name;
  • whether you have been a victim of fraud.

Where you are financially linked to another person their records can provide us with details about that person's credit agreements and financial circumstances.

They also use publicly available information to record information about people, including information from:

  • The Royal Mail Postcode Finder and Address Finder;
  • The Electoral Register;
  • Companies House;
  • The Accountant in Bankruptcy and other UK equivalents;
  • The Insolvency Service and other UK equivalents;
  • County Court Records.

This tells us, among other things:

  • Your age, address and whereabouts;
  • whether you are on the Electoral Register;
  • whether you have been declared bankrupt;
  • whether you are insolvent; and
  • whether there are any County Court Judgements against you.

Credit Reference Agencies may also be Fraud Prevention Agencies.

We use this information to help us make sure we are lending our money responsibly and to help us decide whether a loan is appropriate for you. We cannot do this without:

  • confirming your identity;
  • verifying where you live;
  • making sure what you have told us is accurate and true;
  • checking whether you have overdue debts or other financial commitments; and
  • confirming the number of your credit agreements and the balances outstanding together with your payment history.

We also have a duty to protect the Credit Union and the wider society against loss and crime, so we use and share Credit Reference Agency information:

  • to identify, prevent and track fraud;
  • to combat money laundering and other financial crime; and
  • to help recover payment of unpaid debts.

We use information in this way to fulfil our contract to you, to meet our legal and regulatory responsibilities relating to responsible lending and financial crime, to protect the Credit Union from loss, to pursue our legitimate interests and to prevent crime.

Automated assessment

We may use automated decision making in processing your personal and financial information to make credit decisions.

It is our policy to manually review automated decisions whenever possible. However, you have the right to request a manual review of the accuracy of any decision we make if you are unhappy with it.

The Credit Union uses a company called NestEgg Ltd to process this data on our behalf. NestEgg Ltd provides an automated ‘decision’ to help the Credit Union make it easy for members to apply for loans and savings accounts. NestEgg Ltd is not responsible for making decisions, they do not see your personal information. Their software makes a recommendation to a loans officer.

When you apply for a loan and / or savings account up to five searches may appear on your credit file.  For the purposes of credit scoring, this will typically only affect your credit score as if one credit application were made.

Each of these five ‘footprints’ relate to the different sources of data being used to assess an application; these include the credit report itself and an affordability check. The Credit Union needs to prove the information belongs to you which is when an ID check is required. In cases where an application is made by a new member; the Credit Union will use an ID check and may also run a report to check ownership of any bank account details you may give us. These checks are required by law to prevent money laundering.

Some of these footprints will be in the name of NestEgg Ltd and others in the name of the Credit Union.

Fraud Prevention Agencies

We use your information to carry out checks for the purposes of preventing fraud and money laundering. These checks require us to process and share personal data about you.

The personal data can include information that you have shared with us in making your loan application, other information we have collected or hold about you, or information we receive from third parties such as Credit Reference Agencies.

We will share your:

  • name;
  • address;
  • date of birth;
  • contact details;
  • financial information;
  • employment details;
  • Device identifiers, including IP address; and
  • Any other information that it is in our legitimate interest to share in order to prevent or detect fraud, or that we are legally obliged to provide.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your data in these ways because we have a legitimate interest in preventing fraud and money laundering in order to protect our business and to comply with laws that apply to us.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, for up to six years.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the loan or any other services you have asked for. We may also stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by fraud prevention agencies and may result in others refusing to provide services, financing or employment to you. If you have any questions about this then please contact us.

9. Your Data Protection Rights

You have certain rights in relation to your Personal Information and can make different types of Data Subject Rights Requests in relation to the Personal Information we hold on you. Each of these rights may not apply in all circumstances, but we will ensure that we deal with any request we receive in a way which safeguards your rights and freedoms, and in compliance with Data Protection laws.

For more information about how your rights apply to your membership of the Credit Union or to make a Data Subject Rights Request you can contact us at ccu@cardiffcu.com or on [029] 20 872373. We will aim to respond to your request within one month or provide an explanation of the reason for our delay.

You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights).

Any individual whose Personal Information we hold can make a Data Subject Rights Request. A third party can make a request on behalf of an individual (eg. a relative or friend), but we need the consent of the relevant individual before we provide any Personal Information to the third party.

  • Right to Access: You have the right to access your Personal Information (commonly known as a “Data Subject Access Request”). This enables you to receive a copy of the Personal Information we hold on you (subject to removing any information relating to other individuals you are not entitled to see for Data Protection reasons) and to check that we are lawfully processing it.
  • The Right to Rectification: You have the right to have any inaccurate or incomplete Personal Information we hold on you corrected
  • The Right to Erasure: In some circumstances you have the right to ask us to delete or remove your Personal Information (e.g. where the Personal Information is no longer needed for the purpose it was collected, or the processing is unlawful, or where you have exercised your right to object to the processing and there is no overriding legitimate interest to continue the processing).
  • The Right to Restrict Processing: In some circumstances you have the right to request the restriction of processing of your Personal Information. This enables you to ask us to suspend the processing of your Personal Information (eg. if you want us to establish its accuracy or the reason for processing it).
  • The Right to Object to Processing: You have the right to object to our processing of your Personal Information where we are relying on a legitimate interest for processing. If you make such an objection, we will cease to process the Personal Information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. You also have the right to object to our processing of your Personal Information for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your Personal Information for this purpose.
  • The Right to Data Portability: You have the right to request the transfer of your Personal Information to another service provider where we rely on your consent or the performance of your contract with us as our lawful basis for processing your Personal Information.
  • Right to Withdraw Consent: You have the right to withdraw your consent at any time where we rely on your consent as our lawful basis for processing your Personal Information. Your withdrawal of your consent will not affect our processing up to that point.
  • Rights Related to Automated Decision Making: Cardiff & Vale Credit Union does not currently undertake any automated decision making as defined by the Data Protection laws.
  • The Right to Complain to the ICO:If you consider that our processing of your Personal Information does not comply with Data Protection laws, you have a legal right to lodge a complaint with the ICO. You can contact them by: going to their website at: https://ico.org.uk; or phone on 0303 123 1113

10. Changes to our Privacy Notice

We will keep our Privacy Notice updated as our processes and/or the Data Protection laws change Our most up to date version will always be on our website and and ideally you should check it regularly here www.cardiffcu.com for updates.

Savings deposits made with us up to £85,000 are protected by the Financial Services Compensation Scheme (FSCS).