Privacy Notice, v7.0

Privacy Notice

How Glasgow Credit Union

uses your personal information

Contents

Who we are

The information we process

How we obtain information

Your rights

Table A – Your Rights

Failure to provide personal information

Sharing with third parties

Transferring information overseas

Marketing Information

Communications about your account

Credit reference and fraud prevention agencies

How long we keep your information

Security

Complaining to the Supervisory Authority

Schedule A – Schedule of Purposes of

Processing

Contractual necessity

Legal obligation

Legitimate interests of the credit union

Explicit Consent

Privacy Notice, v7.0

Who we are

Glasgow Credit Union is a “data controller” in respect of personal information we process in connection

with our business (including the products and services that we provide). In this notice, references to “we”,

“us” or “our” are references to Glasgow Credit Union. We are registered as a data controller with the

Information Commissioner’s Office (ICO), the supervisory authority for data protection within the United

Kingdom. Our registration number is Z6604434.

This privacy notice (the “Privacy Notice”) will apply to all personal information processing activities

carried out by Glasgow Credit Union.

If you have any data protection issues or queries, please direct these to:

Data Protection Officer, Glasgow Credit Union, 95 Morrison Street, Glasgow, G5 8BE. Telephone 0141

274 5405 or email:

compliance@glasgowcu.com.

We respect individuals’ rights to privacy and to the protection of personal information. The purpose of

this Privacy Notice is to explain how we collect and use personal information in connection with our

business. “Personal information” means information about a living individual who can be identified from

that information (either by itself or when it is combined with other information). We may update this

Privacy Notice from time to time. When we do, we will publish the updated Privacy Notice on our website.

If we make any significant changes, we will bring this to your attention via a bold notification on our

website and/or by sending a copy to you to either an e-mail or home address registered with us.

The information we process

We collect and process various categories of personal information at the start of, during our and, even

after, your relationship with us. We will limit the collection and processing of information to only what is

necessary to achieve one or more purposes as identified in this notice. Personal information may include:

basic personal information, including name and address, date of birth and contact details;

financial information, including account and transactional information and history;

information about your family, lifestyle and social circumstances (such as dependents, marital

status, next of kin and contact details);

information about your financial circumstances, including proof of income and expenditure, credit

and borrowing history and needs and goals;

education and employment information;

goods and services provided;

visual images (such as copies of passports or CCTV images);

audio/video recordings of meetings of members for the explicit purpose of ensuring accuracy;

and

online profile and social media information and activity, based on your interaction with us and

our websites and applications, including for example, your credit union profile and login

information, Internet Protocol (IP) address, website visits etc.

We may also process some special category personal data for specific and limited purposes, such as

detecting and preventing financial crime or to make our services accessible to customers.

We will only process special categories of information where we’ve obtained your explicit consent or are

otherwise lawfully permitted to do so (and then only for the particular purposes and activities set out at

Schedule A for which the information is provided). This may include:

•

physical or psychological health details or medical conditions;

Where permitted by law, we may process information about criminal convictions or offences and alleged

offences for specific and limited activities and purposes, such as to perform checks to prevent and detect

crime or to comply with laws relating to money laundering, fraud, terrorist financing, bribery, corruption

and international sanctions. It may involve investigating and gathering intelligence on suspected financial

crimes, fraud, threats and sharing data between banks or with law enforcement and regulatory bodies.

Privacy Notice, v7.0

3. How we obtain information

Your information is made up of all the financial and personal information we collect and hold about you

and your transactions. It includes:

information you give to us;

information that we receive from third parties who provide services to you or us, such as credit

reference agencies, Open Banking providers, insurers, police, fraud prevention or government

agencies,

information that we learn about you through our relationship with you and the way you operate

your accounts and/or services, such as the payments made to and from your accounts;

information that we gather from the technology which you use to access our services such as:

an IP address;

ii.

telephone number;

iii.

cookies;

iv.

website log in information

Your rights

We want to make sure you are aware of your rights in relation to the personal information we process

about you. We have described those rights and the circumstances in which they apply in the table below.

If you wish to exercise any of these rights, if you have any queries about how we use your personal

information that are not answered here, or if you wish to complain please refer to the contact details set

out in Section 1 above.

Table A – Your Rights

Rights Description

Access

– You have a right to get

access to the personal information we

hold about you.

If you would like a copy of the personal information we hold

about you, please refer to the contact details set out in

Section

above.

Rectification

– You have a right to

rectification of inaccurate personal

information and to update incomplete

personal information.

If you believe that any of the information that we hold about you

is inaccurate, you have a right to request that we rectify the

inaccurate personal information.

Erasure –

you have a right to

request that we delete your

personal information, in certain

circumstances,

You may request that we delete your personal information if you

believe that:

we no longer need to process your information for the purposes

for which it was provided;

we have requested your permission to process your personal

information and you wish to withdraw your consent;

we are not using your information in a lawful manner or;

where we are required to erase your personal information to

comply with local law.

Note:

We may not always be able to comply with your request

of erasure for specific legal reasons which will be notified to you,

if applicable, at the time of your request.

Privacy Notice, v7.0

Restriction –

You have a right to

request us to restrict the processing of

your personal information, in certain

situations

You may request us to restrict processing your personal

information if you believe that:

any of the information that we hold about you is inaccurate;

we no longer need to process your information for the purposes

for which it was provided, but you require the information to

establish, exercise or defend legal claims; or we are not using

your information in a lawful manner.

You have objected to our use of your data, but we need to verify

whether we have overriding legitimate grounds to use it.

Portability –

You have a right to data

portability, in certain circumstances

Where we have requested your permission to process your

personal information or you have provided us with information

for the purposes of entering into a contract with us, you have a

right to receive the personal information you provided to us in a

portable format.

You may also request us to provide it directly to a third party, if

technically feasible. We’re not responsible for any such third

party’s use of your account information, which will be governed

by their agreement with you and any privacy statement they

provide to you.

If you would like to request the personal information you

provided to us in a portable format, please refer to the contact

details set out in Section 1 above.

Note that this right only applies to your personal

information which you initially provided to us, which is processed

based on your consent or based on the

performance of a contract between us and which is

processed by us using automated means.

Objection – You have a right to

object to the processing of your

personal information.

You have a right to object to us processing your personal

information (and to request us to restrict processing) for the

purposes described in Section C of Schedule A – Purposes of

Processing (below), unless we can demonstrate compelling and

legitimate grounds for the processing, which may override your

own interests or where we need to process your information to

investigate and protect us or others from legal claims.

Depending on the circumstances, we may need to restrict or

cease processing your personal information altogether, or,

where requested, delete your information.

Marketing – You have a right to

object to direct marketing.

You have a right to object at any time to processing of your

personal information for direct marketing purposes, including

profiling you for the purposes of direct marketing. For more

information see Section 8.

Privacy Notice, v7.0

5. Failure to provide personal information

Where we need to collect personal information by law, or under the terms of a contract we have with

you and you fail to provide that data, we may not be able to perform, or even enter, the contract (for

example, to provide you with financing or other services). In this case, we may have to cancel such

financing or services you have with us, but we will notify you if this is the case at the time.

6. Sharing with third parties

We will not share your information with anyone outside Glasgow Credit Union except:

where we have your permission;

where required for your product or service;

where you have subscribed to the “Big G Lottery”;

where we are required by law and by law enforcement agencies, judicial bodies, government

entities, tax authorities or regulatory bodies around the world;

with other banks and third parties where required by law to help recover funds that have entered

your account as a result of a misdirected payment by such a third party;

with third parties providing services to us, such as market analysis and benchmarking,

correspondent banking, specialist IT services, and agents and sub-contractors acting on our behalf,

such as the companies which print our account statements;

with other banks to help trace funds where you are a victim of suspected financial crime and you

have agreed for us to do so, or where we suspect funds have entered your account as a result of

a financial crime;

with debt collection agencies;

with credit reference and fraud prevention agencies;

with Open Banking providers that we use for account information service, for the purpose of

inviting you to use this service and share third party account information with us. (This is currently

Experian and further information can be found at understanding-credit-information.pdf

(experian.co.uk));

with third-party guarantors or other companies that provide you with benefits or services (such as

insurance cover) associated with your product or service;

where required for a proposed sale, reorganisation, transfer, financial arrangement, asset

disposal or other transaction relating to our business and/or assets held by our business;

in anonymised form as part of statistics or other aggregated data shared with third parties; or

where permitted by law, it is necessary for our legitimate interests or those of a third party, and it

is not inconsistent with the purposes listed above.

f you ask us to, we will share information with any third party that provides you with account information

or payment services.

If you ask a third-party provider to provide you with account information or payment services, you are

Rights Description

Withdraw consent – You have a

right to withdraw your consent.

Where we rely on your consent to process your personal

information, you have a right to withdraw your consent at any

time. We will always make it clear where we need your

consent to undertake specific processing activities.

Lodge complaints – You have

a right to lodge a complaint with the

Supervisory Authority in the UK, The

Information Commissioner’s Office

(ICO)

If you wish to raise a complaint on how we have handled your

personal information, you can contact our Data Protection

Officer who will investigate the matter. We hope that we can

address any concerns you may have, but you can always

contact the ICO if you’re unhappy or dissatisfied. Visit

ico.org.uk

Privacy Notice, v7.0

allowing that third party to access information relating to your account.

We will not be responsible for any third party use of your account information, which will be governed

by their agreement with you and any privacy statement they provide to you.

In the event that any additional authorised users are added to your account, we may share information

about the use of the account by any authorised user with all other authorised users.

Glasgow Credit Union will not share your information with third parties for their own marketing purposes

without your permission.

Transferring information overseas

We may transfer your information to organisations in other countries on the basis that anyone to whom

we pass it protects it in the same way as we do, or, in accordance with applicable laws.

In the event that we transfer information to countries outside of the European Economic Area (which

includes countries in the European Union as well as Iceland, Liechtenstein and Norway), we will only do

so where:

we have your explicit consent;

the European Commission has decided that the country or the organisation we are sharing your

information with will protect your information adequately;

the transfer has been authorised by

the relevant data protection authority; and/or

we have entered into a contract with the organisation with which we are sharing your information

(on terms approved by the European Commission) to ensure your information is adequately

protected. If you wish to obtain a copy of the relevant data protection clauses, please refer to the

contact details set out in Section 1 above.

8. Marketing information

Where you have provided consent for us to do so, we will process your personal information in order to send

you information about products and services which may be of interest to you by phone, email, text and other

forms of electronic communication.

We may also send you information as above where we have a legitimate interest in doing so and where you

have not objected to us doing so. In this situation, any information will be in respect of your similar products

and services only.

If you change your mind about how you would like us to contact you or you no longer wish to receive this

information, you can tell us at any time by contacting us on 0141 274 5423 or by email to

marketing@glasgowcu.com

Communications about your account

We will contact you with information relevant to the operation and maintenance of your account

(including updated information about how we process your personal information), by a variety of

means including via our website, mobile app, email, text message, post and/or telephone. If at any

point in the future you change your contact details, you should tell us promptly about those changes, in

order that we can ensure your account details remain accurate.

We may monitor or record calls, emails, text messages or other communications in accordance with

applicable laws for the purposes outlined in Schedule A – Purposes of Processing.

10.

Credit reference and fraud prevention agencies

We may access and use information from credit reference and fraud prevention agencies when you

open your account and periodically to:

manage and take decisions about your accounts, including assessing your

creditworthiness and checks to avoid customers becoming over-indebted;

Privacy Notice, v7.0

prevent criminal activity, fraud and money laundering;

check your identity and verify the accuracy of the information you provide to us; and

trace debtors and recover debts.

Application decisions may be taken based solely on automated checks of information from credit

reference and fraud prevention agencies and internal credit union records. To help us make decisions

whether or not to give you credit, we use a system called credit scoring to assess your application. To

work out your credit score, we look at information you give us when you apply; information from credit

reference agencies that will show us whether you’ve kept up to date with payments on any credit accounts

(that could be any mortgages, loans, credit cards or overdrafts), or if you’ve had any court action such

as judgments or bankruptcy; your history with us such as maximum level of borrowing; and affordability,

by looking at your available net income, existing debts and if you have shared via Open Banking your

bank account transactions. You have rights in relation to automated decision-making, including a right to

appeal if your application is refused.

We will continue to share information with credit reference agencies about how you manage your

account including your account balance, payments into your account, the regularity of payments being

made, credit limits and any arrears or default in making payments, while you have a relationship with

us. This information will be made available to other organisations (including fraud prevention agencies

and other financial institutions) so that they can take decisions about you, your associates and members

of your household.

If false or inaccurate information is provided and/or fraud is identified or suspected, details will be

passed to fraud prevention agencies. Law enforcement agencies and other organisations may access

and use this information.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may

refuse to provide the services and financing you have requested, or we may stop providing existing

services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and

may result in others refusing to provide services, financing or employment to you. Fraud prevention

agencies can hold your information for different periods of time, and if you are considered to pose a

fraud or money laundering risk, your data can be held for up to six years.

When credit reference and fraud prevention agencies process your information, they do so on the basis

that they have a legitimate interest in preventing fraud and money laundering, and to verify identity, in

order to protect their business and to comply with laws that apply to them.

If you would like a copy of your information held by the credit reference and fraud prevention agencies

we use, or if you want further details of how your information will be used by credit reference agencies,

please visit their websites or contact them using the details below.

The four main credit reference agencies are TransUnion , Equifax, Experian and Crediva. Each use and

share personal information they receive about you that is part of, derived from or used in credit activity

and this is explained in more detail in the Credit Reference Agency Information Notice available at any

of the following:

Credit reference

agency

Contact details

TransUnion Limited

(transunion.co.uk/crain)

Post:

TransUnion Information Group, One Park Lane, Leeds, West

Yorkshire LS3 1EP.

Website:

www.transunion.co.uk/crain

Email:

consumer@transunion.co.uk

Phone:

0330 024 7574

Privacy Notice, v7.0

Equifax Limited

(equifax.co.uk/crain)

Post:

Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester

LE3 4FS.

Website:

www.equifax.co.uk/crain

Email:

equifax.co.uk/ask

Phone:

0333 321 4043 or 0800 014 2955

Experian Limited

Post:

Experian, PO BOX 9000, Nottingham, NG80 7WF.

(experian.co.uk/crain)

Website:

www.experian.co.uk/crain

Email:

consumer.helpservice@uk.experian.com

Phone:

0344 481 0800 or 0800 013 8888

Crediva Limited

Post:

Crediva Limited, LexisNexis Risk Solutions, Global Reach,

Dunleavy Drive, Cardiff, CF11 0SN.

Website;

Crediva Limited (fca.org.uk)

Email:

E: enquiry@crediva.co.uk

Phone;

T: 0808 129 3210

Cifas is the UK’s leading fraud prevention service. Their members are organisations from all sectors, sharing

their data across those sectors to reduce instances of fraud and financial crime.

Before providing you with a service we may check details against the Cifas database. For further information

on Cifas and how we process your information please see:

Cifas

Post:

Consumer Affairs, Cifas, 6

Floor, Lynton House 7-12, Tavistock

Square, London, WC1H 9LT

Website;

https://www.cigas.org.uk/fpn

Phone;

0330 100 0180

11. How long we keep your information

By providing you with products or services, we create records that contain your information, such as

customer account records, activity records, tax records and lending and credit account records. Records

can be held on a variety of media and formats (physical/paper or electronic). We manage records to

help us serve our customers (for example for operational reasons, such as dealing with any queries

relating to your account) and to comply with legal and regulatory requirements. Records help us

demonstrate that we are meeting our responsibilities and to keep as evidence of our business activities.

Retention periods for records are determined based on the type of record, the nature of the activity,

product or service. We normally keep customer account records for up to six years after your

relationship with the credit union ends, whilst other records are retained for shorter periods, for

example, 30 days for CCTV records or 6 months for call recordings. Retention periods may be changed

from time to time based on business or legal and regulatory requirements.

We may, on exception, retain your information for longer periods, particularly where we need to

withhold destruction or disposal based on an order from the courts or an investigation by law

enforcement agencies or our regulators. This is intended to make sure that the credit union will be able

Privacy Notice, v7.0

to produce records as evidence, if they’re needed.

If you would like more information about how long we keep your information, please refer to the

contact details set out in Section 1 above.

12. Security

We are committed to ensuring that your information is secure whilst held and processed by us and with

any third parties who act on our behalf. Where we do engage a third party to act on our behalf, we

ensure they undertake processing activities using the same standards as ourselves and with suitable

data processing or sharing agreements in place.

13. Complaints

We seek to directly resolve any complaints about how we handle personal information and would

request you contact us in the first instance. If you are not happy thereafter, you also have the right to

complain to the Information Commissioner’s Office (ICO) in relation to our use of your information. The

Information Commissioner’s contact details are noted below:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Telephone: 0303 123 1113

Or see: https://ico.org.uk/make-a-complaint/

We keep this privacy notice under regular review and if there are any significant updates, we will draw

attention to these via a banner page on our website.

Schedule A – Schedule of Purposes of Processing

We will only use and share your information where it is necessary for us to carry out our lawful business

activities. We want to ensure that you fully understand how your information may be used. We have

described the purposes for which your information may be used in detail in below:

We may process your information where it is necessary to enter into a contract with you for the provision

of our products or services or to perform our obligations under that contract. Please note that if you do

not agree to provide us with the requested information, it may not be possible for us to continue to operate

your account and/or provide products and services to you. This may include processing to:

assess and process applications for products or services;

provide and administer those products and services throughout your relationship with the credit union,

including opening, setting up or closing your accounts or products; collecting and issuing all necessary

documentation; executing your instructions; processing transactions, including transferring money

between accounts; making payments to third parties; resolving any queries or discrepancies and

administering any changes. Calls to the credit union and communications to our mobile and online

helplines may be recorded and monitored for these purposes;

A - Contractual necessity

Privacy Notice, v7.0

manage and maintain our relationship with you and for ongoing customer service;

administer any credit facilities or debts, including agreeing repayment options; and

communicate with you about your account(s) or the products and services you receive from us.

When you apply for a product or service (and throughout your relationship with us), we are required by

law to collect and process certain personal information about you. Please note that if you do not agree

to provide us with the requested information, it may not be possible for us to continue to operate your

account and/or provide products and services to you. This may include processing to:

perform checks and monitor transactions for the purpose of preventing and detecting

crime and to comply with laws relating

to money laundering, fraud, terrorist financing, bribery and

corruption, and international sanctions. This may require us to process information about criminal

convictions and offences, to investigate and gather intelligence on suspected financial crimes, fraud

and threats and to share

data with law enforcement and regulatory bodies;

assess affordability and suitability of credit for initial credit applications and throughout the duration of

the relationship, including analysing customer credit data for regulatory reporting;

share data with other banks and third parties to help recover funds that have entered your account as

a result of a misdirected payment by such a third party;

carry out checks (in addition to statutory requirements) on customers and potential customers including

screening against external databases and sanctions lists and establishing connections to politically

exposed;

share data with credit reference, fraud prevention agencies and law enforcement agencies;

share data with police, law enforcement, tax authorities or other government and fraud prevention

agencies where we have a legal obligation, including reporting suspicious activity and complying with

production and court orders;

deliver mandatory communications to customers or communicating updates to product and service terms

and conditions;

investigate and resolve complaints;

conduct investigations into breaches of conduct and corporate policies by our employees;

manage contentious regulatory matters, investigations and litigation;

perform assessments and analyse customer data for the purposes of managing, improving and fixing

data quality;

provide assurance that the credit union has effective processes to identify, manage, monitor and report

the risks it is or might be exposed to;

investigate and report on incidents or emergencies on the credit union’s property and premises;

coordinate responses to business-disrupting incidents and to ensure facilities, systems and people are

available to continue providing services; and

monitor dealings to prevent market abuse.

We may process your information where it is in our legitimate interests do so as an organisation and

without prejudicing your interests or fundamental rights and freedoms.

We may process your information in the day-to-day running of our business, to manage our business

and financial affairs and to protect our members, employees and property. It is in our interests to

ensure that our processes and systems operate effectively and that we can continue operating as a

business. This may include processing your information to:

monitor, maintain and improve internal business processes, information and data, technology and

communications solutions and services;

ensure business continuity and disaster recovery and responding to information technology and

business incidents and emergencies;

B - Legal obligation

C - Legitimate interests of the credit union

Privacy Notice, v7.0

ensure network and information security, including monitoring authorised users’ access to our

information technology for the purpose of preventing cyber-attacks, unauthorised use of our

telecommunications systems and websites, prevention or detection of crime and protection of your

personal data;

provide assurance on the credit union’s material risks and reporting to internal management and

supervisory authorities on whether the credit union is managing them effectively;

perform general, financial and regulatory accounting and reporting;

protect our legal rights and interests;

manage and monitor our property (for example through CCTV) for the purpose of crime prevention

and prosecution of offenders, for identifying accidents and incidents and emergency situations

and for internal training; and

enable a sale, reorganisation, transfer or other transaction relating to our business.

It is in our interest as a business to ensure that we provide you with the most appropriate products and

services and that we continually develop and improve as an organisation. This may require processing

your information to enable us to:

send you relevant marketing information by post (including details of other products or services

provided by us which we believe may be of interest to you);

understand our members actions, behaviour, preferences, expectations, feedback and financial

history in order to improve our products and services, develop new products and services, and to

improve the relevance of offers of products and services by the credit union;

monitor the performance and effectiveness of products and services;

assess the quality of our customer services and to provide staff training. Calls to the credit union

may be recorded and monitored for these purposes;

perform analysis on member complaints for the purposes of preventing errors and process failures

and rectifying negative impacts on members;

compensate members for loss, inconvenience or distress as a result of services, process or regulatory

failures;

identify our members use of third-party products and services in order to facilitate the uses of

customer information detailed above; and

combine your information with third-party data, such as economic data in order to understand

customers’ needs better and improve our services.

We may perform data analysis, data matching and profiling to support decision-making with

regards to the activities mentioned above. It may also involve sharing information with third parties

who provide a service to us.

It is in our interest as a business to manage our risk and to determine what products and services we

can offer and the terms of those products and services. It is also in our interest to protect our business

by preventing financial crime. This may include processing your information to:

carry out financial and credit risk assessments;

manage and take decisions about your accounts;

trace debtors and recovering outstanding debt;

for risk reporting and risk management.

Application decisions may be taken based on solely automated checks of information from credit

reference agencies and internal credit union records. For more information on how we access and use

information from credit reference and fraud prevention agencies see Section 11 – Credit reference and

fraud prevention agencies in this document.

1. We may process your information where you have given us consent to do so. Where you have

provided consent, we will process your personal information in order to send you:

D – Consent

Privacy Notice, v7.0

information about products and services which may be of interest to you and;

other forms of electronic communication.

2. We may process special categories of information where you give us explicit consent to do so. We

will only ask for your explicit consent to process special categories of data where is it necessary to do

as follows:

We believe you or another person may be at risk to protect yours or their interest

You have made the information public

It’s necessary to establish, exercise or defend a legal claim

The law determines there is a substantial public interest, but we will always consider and take

appropriate measures to safeguard your rights and privacy before doing this.