Privacy Notice

Cardiff & Vale Credit Union Privacy Notice

We are committed to protecting our members’ privacy and respecting their Data Protection rights. This Privacy Notice explains how we collect, use, store, share and protect your Personal Information in a way which complies with UK Data Protection laws (including the General Data Protection Regulation (GDPR) and Data Protection Act 2018). For the purposes of this statement, reference to members includes existing members, junior savers and anyone who makes an application to Cardiff & Vale Credit Union.

 1. About Us

Cardiff & Vale Credit Union is a mutual organisation that exists for the benefit of our members who save and borrow with us. We offer safe savings accounts and affordable loans to anyone living in Cardiff or the Vale of Glamorgan or working anywhere in Wales. With over 8,000 members and around 100 new joiners each month, we have instigated a local revolution for ethical savings and affordable loans to people from all walks of life. Cardiff & Vale Credit Union is registered as a Data Controller with the Information Commissioner’s Office (ICO), the UK regulator responsible for Data Protection.

2. How to Contact Us

If you want more information about our Privacy Notice or about the way that we handle your Personal Information, or would like to exercise any of your Data Subject rights (see below for more information), please contact us at (029) 29 872373 or ccu@cardiffcu.com.

You can also contact the ICO via https://ico.org.uk/ or by phone on 0303 123 1113 for information, advice or to make a complaint.

3. Our Lawful Basis for Processing your Personal Information

We only process your Personal Information if we: have a lawful basis to do so; the processing is necessary, reasonable and proportionate; and in accordance with the way in which we describe in this Privacy Notice. 

• Legal obligations and performing our contract with you: The majority of the processing we carry out at Cardiff & Vale Credit Union in relation to your Personal Information is necessary for the performance of our legal obligations as a credit union or to enable us to perform our contract with you. 

• Legitimate interests: Where ourprocessing is not necessary for compliance with a legal obligation or to perform our contract with you, we rely on our legitimate interests to run the credit union efficiently and improve our services to you. When relying on legitimate interests we check that our legitimate interests are not overridden by your rights, and process your Personal Information in a way that we think you would reasonably expect (ie. as set out in this Privacy Notice). 

• Consent: In limited circumstances we require consent from you to process your Personal Information – in particular if you are a new member, we will ask for your consent to send you marketing materials such as our newsletter and annual member survey. When we do this we will ensure that we get your explicit consent, and tell you how you can withdraw it if you change your mind. As we explain in more detail below, we rely on the “soft opt-in” exemption in relation to sending marketing materials to current members, but also tell them how they can opt-out if they wish.

 4. The Personal Information We Collect About You and What We Use it For

We may collect Personal Information from you in the following ways: 

• When you make an application to us;
• When setting up (or amending) your membership account with us;
• When you contact us by letter, email, secure messaging or telephone
• If you contact us on social media
• If you visit and access our website www.cardiffcu.com
• If you visit our offices
• If you make a complaint to us. 

The Personal Information we may collect from you includes: 

• Name, address, email address, landline number and mobile number;
• Date of birth;
• National insurance number
• Bank account details ;
• Debit and/or credit card information if you want to pay by card;
• Income, expenditure and other affordability information (including benefits information) when applying for a loan
• Any medical/health information you provide to us in your communications with us
• Co-occupant/family member details/children details
• Nominee details you have nominated a third party to speak to us about your account
• Other information relevant to our debt recovery processes (eg. your payment history)
• Beneficiary details (the person you nominate to inherit your savings deposited with us)
• Household members
• Occupation status and landlord details if applicable
• Income and expenditure sources and values
• Contact details
• Employment details
• Identification and verification details which can include passport or driving licence details (a full list of acceptable documents can be found on our application forms). 

We use the Personal Information we collect from you for the following purposes: 

• In fulfilling our legal obligations as a credit union:

To confirm your identity:

o  To perform activity for the prevention of financial crime;
o  To carry out internal and external auditing;
o  To record basic information about you on our Register of Members;
o To comply with industry-related standards, codes of practice and our general legal requirements. This will include if you have an accident on our premises and we are required to report it in accordance with health and safety laws.

In performing our contract with you:

o To administer with your account(s), collect payments, recover outstanding amounts due to us and to inform our debt recovery processes. This may involve consulting your records held at credit reference agencies (see below for further information) in relation to new accounts, settled accounts and any debts not fully repaid on time.
oTo consider any applications made by you;
o To carry out credit checks and to obtain and provide credit references;
oTo send you statements, our current and updated terms and conditions, information about changes to the way your account(s) operate and notification of our Annual General Meeting. 

• In exercising our legitimate interests:

o   To undertake statistical analysis, to help evaluate the future needs of our members and
to help manage our business;
o   For training or system testing purposes;
o   To look at your relationship with you to contact you to invite you to participate in surveys. 

• With your consent:

o   For new members, in relation to sending you marketing and market research messages such as our newsletter and annual member survey.
o   For current members, we rely on the “soft-opt in” exception on the basis that:

• We have obtained your contact details in the course of a sale (or negotiations for a sale) of a product or service to you;
• We are only marketing our own similar products or services: and
• We have previously provided you with the opportunity to refuse or opt-out of the marketing when we first collected your details and in every message since then. 

If you change your mind at any time about being contacted by us in this wayyou can let us know by calling us on (029) 20872373, emailing us on ccu@cardiffcu.com with the title Marketing or write to us at 4 Working Street, Cardiff, CF10 1GN to let us know.

5. Sharing your Personal Information

We will disclose information outside of the credit union only:

 to third parties to help us confirm your identity, in compliance with money laundering legislation;

• to credit reference agencies and debt recovery agents who may check the information against other databases – private and public – to which they have access to;
• to any authorities if compelled to do so by law (e.g. to HM Revenue & Customs to fulfil tax compliance obligations)
• to fraud prevention agencies and government departments to help prevent crime or where we suspect fraud;
• to any persons, including, but not limited to, insurers, who provide a service or benefits to you or for us in connection with your account(s);
• to our suppliers in order for them to provide services to us and/or to you on our behalf
• to anyone in connection with a reorganisation or merger of the credit union’s business
• to third parties acting as our marketing agents in relation to our marketing activities;
• to our auditors to enable them to undertake statutory audits of our annual accounts

Where appropriate with law enforcement agencies, including the police and local authorities, to help prevent, detect and prosecute crime, or where we consider it appropriate to do so to protect the Credit Union, our employees and our members to third parties when making referrals of support to you (with your consent) such as money or debt advisors.

 6. Where We Store Your Personal Information and How We Keep it Safe

All member Personal Information is held in our Curtains database in the UK, which has controlled access and is subject to strong cyber security measures. All access to our system is strictly controlled. We also operate strict physical security at our offices and our employees receive security and Data Protection awareness training.

Where we transfer information to third parties to enable them to process it on our behalf, we have contractual provisions in place to ensure that they protect your Personal Information.

We do not directly transfer any Personal Information outside of the European Economic Area (EEA) but some of our partners may do so. These countries may noy have the same Data Protection laws as the UK and the EEA, and so your Personal Information may not be subject to the same protections. However, in such cases, we will make sure that any transfer of your Personal Information to countries outside of the EEA is subject to appropriate safeguards as if it were being processed inside of the EEA.

7. Retaining your Personal Information

The Credit Union will need to hold your information for various lengths of time depending on what we use your data for. In many cases we will hold this information for a period of time after you have left the Credit Union.

To read our policy for retaining members data please see our Data Retention Policy or contact us at: (029) 29 872373 or ccu@cardiffcu.com

 8. Credit Reference Agencies

In order to process credit applications you make we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.

We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. This may affect your ability to get credit.

The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail on the following websites and also in the “Credit Reference Agency Information Notice (CRAIN) available at this link: https://www.experian.co.uk/legal/crain/: 

• Our website at www.cardiffcu.com
• CallCredit at www.callcredit.co.uk/crain
• Equifax at www.equifax.co.uk/crain
• Experian at www.experian.co.uk/crain
• Transunion at https://www.transunion.co.uk

9. Your Data Protection Rights

You have certain rights in relation to your Personal Information and can make different types of Data Subject Rights Requests in relation to the Personal Information we hold on you. Each of these rights may not apply in all circumstances, but we will ensure that we deal with any request we receive in a way which safeguards your rights and freedoms, and in compliance with Data Protection laws.

For more information about how your rights apply to your membership of the Credit Union or to make a Data Subject Rights Request you can contact us at ccu@cardiffcu.com or on [029] 20 872373. We will aim to respond to your request within one month or provide an explanation of the reason for our delay.

You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights).

Any individual whose Personal Information we hold can make a Data Subject Rights Request. A third party can make a request on behalf of an individual (eg. a relative or friend), but we need the consent of the relevant individual before we provide any Personal Information to the third party. 

• Right to Access: You have the right to access your Personal Information (commonly known as a “Data Subject Access Request”). This enables you to receive a copy of the Personal Information we hold on you (subject to removing any information relating to other individuals you are not entitled to see for Data Protection reasons) and to check that we are lawfully processing it.
• The Right to Rectification: You have the right to have any inaccurate or incomplete Personal Information we hold on you corrected
• The Right to Erasure: In some circumstances you have the right to ask us to delete or remove your Personal Information (e.g. where the Personal Information is no longer needed for the purpose it was collected, or the processing is unlawful, or where you have exercised your right to object to the processing and there is no overriding legitimate interest to continue the processing).
• The Right to Restrict Processing: In some circumstances you have the right to request the restriction of processing of your Personal Information. This enables you to ask us to suspend the processing of your Personal Information (eg. if you want us to establish its accuracy or the reason for processing it).
• The Right to Object to Processing: You have the right to object to our processing of your Personal Information where we are relying on a legitimate interest for processing. If you make such an objection, we will cease to process the Personal Information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. You also have the right to object to our processing of your Personal Information for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your Personal Information for this purpose.
• The Right to Data Portability: You have the right to request the transfer of your Personal Information to another service provider where we rely on your consent or the performance of your contract with us as our lawful basis for processing your Personal Information.
• Right to Withdraw Consent: You have the right to withdraw your consent at any time where we rely on your consent as our lawful basis for processing your Personal Information. Your withdrawal of your consent will not affect our processing up to that point.
• Rights Related to Automated Decision Making: Cardiff & Vale Credit Union does not currently undertake any automated decision making as defined by the Data Protection laws.
• The Right to Complain to the ICO:If you consider that our processing of your Personal Information does not comply with Data Protection laws, you have a legal right to lodge a complaint with the ICO. You can contact them by:going to their website at: https://ico.org.uk; or phone on 0303 123 1113

  10. Changes to our Privacy Notice

We will keep our Privacy Notice updated as our processes and/or the Data Protection laws change Our most up to date version will always be on our website and and ideally you should check it regularly here www.cardiffcu.com for updates. 

 Savings deposits made with us up to £85,000 are protected by the Financial Services Compensation Scheme (FSCS).