Privacy

Who are we and what do we do?

Stockport Credit Union Ltd (SCU) is the controller of the data we hold about you to manage all matters related to savings, lending, credit control and exercising the rights of the lender in relation to your membership.

What information do we hold, why do we process it, & how long do we keep it for?

We use your information only for the purposes of savings, lending, membership of the credit union, credit control, exercising the rights of the lender, and processes associated with servicing membership.

This Privacy Notice outlines the different processing activities we as controllers perform with your personal data as part of our operations in line with the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018.

Processing activities

Registered Office: First House, 367 Brinnington Road, Brinnington, Stockport. SK5 8EN

Tel: 0161 430 5808 Email: mail@stockportcu.com

Website: www.stockportcu.com

Authorised by the PRA and authorized and regulated by the FCA (Reference number: 213305)

In order to pursue the above purposes and to act appropriately and fairly, we process the following types of information, always under strict controls, such as encryption, internal access rights, and audits to keep your information safe.

Type of information	Reason for processing	Legal basis for processing	How long we keep your information
Personal information Contact and membership information, such as your name, address, date of birth, national identification number and details of previous communication with us, for example records, emails and letters.	Where we process your information on the basis of "legitimate interests", If we don't process your information, we can't: make sure we are dealing with the correct person and the information is correct; manage your membership in the way that we believe is in your best interests; provide you withadditional supportwhen you need it.	We have a legitimate interest in processing your data as part of your membership, savings/shares that you hold in SCU and making fair decisions regarding lending and credit control. This is created through your Article Six rights in the Data Protection Act 2018. We must make sure that those legitimate interests do not override your interests, rights and freedoms. Once your membership has been closed, we will hold your data to satisfy relevant regulations such as, Anti Money Laundering, Dispute Resolution Rules, Capital requirements rules etc.	Seven years from when the membership is closed, at which point it will be deleted or anonymised. Where a complaint has been made, personal data and the complaint outcome may be retained for at least three years after the complaint has been resolved which may extend the time we retain your data. We are required to keep a list of ex-members as part of the Co-operative and Community Benefit Societies Act 2014. Information retained for this purpose will be minimised to that only required by law.
Financial Information Payment information, such as your bank account number, to set up direct debit or process your payments. Credit reference information, such as historical addresses, credit application data, and credit score information.	We are required to understand the financial circumstances of our customers so we can process payments and provide the most appropriate and fair outcomes.	Payment information is retained whilst a payment arrangement is active. Limited information (e.g. account number and sort code) is retained until seven years after membership closure. Credit reference data is retained for three years from when we acquired the information, at which point it will be deleted.
Sensitive Information Under the data protection rules, information which we may need to process revealing the following are 'special categories of personal data' including that regarding your health or any other factor that may have an impact on your ability to deal with us.	We need to make sure: we comply with the FCA's requirements to treat you fairly; and understand whether your condition has or may have an impact onyour ability to pay the amounts you owe or communicate with us	We only collect the minimum amount of information about any physical or mental health conditions you may have. Sensitive data will only be collected with your consent or where your Economic Wellbeing under the Data Protection Act 2018 means you cannot give consent; the firm is unable to ask for consent; or obtaining consent would prejudice SCU’s ability to put in measures to protect our customers. You can remove your consent at any time.	Seven years from when the membership is closed at which point it will be deleted. Where you remove your consent, your data will be deleted immediately.
Third Party Information Where you have designated a beneficiary in the event of your death and have provided us with their contact information.	Beneficiary contact information is retained only for two purposes. If we are notified that you are deceased, we will request a death certificate and then attempt to contact the beneficiary. If your membership is eligible for insurance payments as a result of your death, we will contact your beneficiary regarding this.	We only collect the minimum information from your members regarding their nominated beneficiary. This is limited to contact information only. After the point of collection, beneficiary information will only be processed in the event of the member’s death to protect the Economic Wellbeing under the Data Protection Act 2018 of the beneficiary.	Beneficiary data is retained alongside all membership data and will therefore be removed at either the request of the member/beneficiary or retained seven years from when the membership is closed at which point it will be deleted.
Onsite Visitors and Job Candidates We are based in First House which is owned and operated by Stockport Homes Ltd. In addition to CCTV recordings, identification data maybe obtained to permit access to the secure building. In addition, job candidate data including CV and credit search data will be kept for six months where the applicant was unsuccessful. For successful candidates, data retention guidelines can be found in the Employee Handbook	For the safety and security of staff, the building and our visitors, we are required to identify and process personal data	Data is legitimately processed for the purposes of consent being provided before the information is obtained	Where SCU control the personal data, we will delete all data within six months of your visit. Where personal data like CCTV is held, this is governed by Stockport Homes Ltd. For details regarding their data retention rules, please contact “assurance@stockporthomes.org”

Type of information

Reason for processing

Legal basis for processing

How long we keep your information

Personal information

Contact and membership information, such as your name, address, date of birth, national identification number and details of previous communication with us, for example records, emails and letters.

Where we process your information on the basis of "legitimate interests", If we don't process your information, we can't:

make sure we are dealing with the correct person and the information is correct;
manage your membership in the way that we believe is in your best interests;
provide you withadditional supportwhen you need it.

We have a legitimate interest in processing your data as part of your membership, savings/shares that you hold in SCU and making fair decisions regarding lending and credit control. This is created through your Article Six rights in the Data Protection Act 2018.

We must make sure that those legitimate interests do not override your interests, rights and freedoms.

Once your membership has been closed, we will hold your data to satisfy relevant regulations such as, Anti Money Laundering, Dispute Resolution Rules, Capital requirements rules etc.

Seven years from when the membership is closed, at which point it will be deleted or anonymised.

Where a complaint has been made, personal data and the complaint outcome may be retained for at least three years after the complaint has been resolved which may extend the time we retain your data.

We are required to keep a list of ex-members as part of the Co-operative and Community Benefit Societies Act 2014. Information retained for this purpose will be minimised to that only required by law.

Financial Information

Payment information, such as your bank account number, to set up direct debit or process your payments. Credit reference information, such as historical addresses, credit application data, and credit score information.

We are required to understand the financial circumstances of our customers so we can process payments and provide the most appropriate and fair outcomes.

Payment information is retained whilst a payment arrangement is active. Limited information (e.g. account number and sort code) is retained until seven years after membership closure.

Credit reference data is retained for three years from when we acquired the information, at which point it will be deleted.

Sensitive Information

Under the data protection rules, information which we may need to process revealing the following are 'special categories of personal data' including that regarding your health or any other factor that may have an impact on your ability to deal with us.

We need to make sure:

we comply with the FCA's requirements to treat you fairly; and
understand whether your condition has or may have an impact onyour ability to pay the amounts you owe or communicate with us

We only collect the minimum amount of information about any physical or mental health conditions you may have.

Sensitive data will only be collected with your consent or where your Economic Wellbeing under the Data Protection Act 2018 means

you cannot give consent;
the firm is unable to ask for consent; or
obtaining consent would prejudice SCU’s ability to put in measures to protect our customers.

You can remove your consent at any time.

Seven years from when the membership is closed at which point it will be deleted.

Where you remove your consent, your data will be deleted immediately.

Third Party Information

Where you have designated a beneficiary in the event of your death and have provided us with their contact information.

Beneficiary contact information is retained only for two purposes.

If we are notified that you are deceased, we will request a death certificate and then attempt to contact the beneficiary.
If your membership is eligible for insurance payments as a result of your death, we will contact your beneficiary regarding this.

We only collect the minimum information from your members regarding their nominated beneficiary. This is limited to contact information only.

After the point of collection, beneficiary information will only be processed in the event of the member’s death to protect the Economic Wellbeing under the Data Protection Act 2018 of the beneficiary.

Beneficiary data is retained alongside all membership data and will therefore be removed at either the request of the member/beneficiary or retained seven years from when the membership is closed at which point it will be deleted.

Onsite Visitors and Job Candidates

We are based in First House which is owned and operated by Stockport Homes Ltd. In addition to CCTV recordings, identification data maybe obtained to permit access to the secure building. In addition, job candidate data including CV and credit search data will be kept for six months where the applicant was unsuccessful. For successful candidates, data retention guidelines can be found in the Employee Handbook

For the safety and security of staff, the building and our visitors, we are required to identify and process personal data

Data is legitimately processed for the purposes of consent being provided before the information is obtained

Where SCU control the personal data, we will delete all data within six months of your visit.

Where personal data like CCTV is held, this is governed by Stockport Homes Ltd. For details regarding their data retention rules, please contact “assurance@stockporthomes.org”

Where do we get the information from?

From You:

We initially receive the information from you as part of your membership application. However, we also get information directly from you, such as when you talk to one of our colleagues or send us a new application, letter, email or text providing us with your new address, payment details, or any other information.

We may also retain records of your access to, and use of our website to enhance your experience. Please see the cookies page for further information.

From Third Parties:

Finally, we may also obtain information from third parties in order to increase the accuracy of the information we hold and/or to gain a better understanding of your circumstances. These third parties are credit reference agencies, public government records, and other organisations which provide services to improve the quality of the data we hold about you.

Two examples of these third parties are Nivo Solutions Ltd (company number 10744928) as a mobile IT application for member communications and Ofido Ltd (company number 07479524) for Identification checks. In some cases, these third parties will be Controller’s over the data you provide them and will therefore have their own privacy notices regarding how your data will be processed.

We may also obtain information via Open Banking following your permission during the loan

application process.

Open Banking is the secure way of providing access to your bank or building society account to providers who are registered for this purpose. Registered providers and participating banks and building societies are listed under the Open Banking Directory. Open Banking was set up by the UK Government to encourage more competition and innovation in the financial services sector.

We support the use of Open Banking as it allows us to process loan applications efficiently, securely and in our consumer’s best interests. By permitting access to your bank or building society account information we are able to make a better lending decision as we shall be able to verify your income, outgoings and other matters in order to assess what loan terms would be suitable for you based upon what you can reasonably afford to repay. Further information about Open Banking is available from www.openbanking.org.uk

By proceeding with your loan application via our website you expressly consent to us sharing your personal, contact and loan application details. This is done through our mobile app partner NIVO and a third party regulated supplier TrueLayer (truelayer.com – authorised and regulated by the FCA under the Payment Services Regulations 2017 and Electronic Money Regulations 2011). As soon as your Transaction Information is received it shall be reported back to us in the form of a completed search in order that we may continue to process your loan application. This information will be retained alongside your loan application in line with the same retention period detailed above.

Disclosure of your information

We do not disclose your information except in the following limited circumstances:

We may share your personal information with third party suppliers who help us service your membership and provide us with technical services including IT and finance. This helps to keep our systems operational and secure allowing us to provide the best services to you that we can. Any sharing is subject to security and privacy requirements.

We may also share your personal data with carefully vetted organisations, who must comply with our strict security and privacy requirements and follow our guidelines, for the following purposes:

To assist us in managing your membership and/or maintaining accuracy of the information we hold about you. An example of this would be credit reference agency reporting.
To provide us with specialised services to run our business. An example would be the marketing company that sends out our physical letters to you.

Finally, we may also disclose your personal information to third parties:

In the event we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation or in order to enforce or apply our terms of use or to protect our rights, property or safety. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction, or with authorities for the purposes of tax reporting or anti-money laundering.
If we believe you are in immediate danger, we may process information (including sharing this information with the emergency services) on the basis that it may be a life and death situation.

Your information will generally be kept within the UK/EU/EEA or in countries deemed by the European Commission to have an adequate level of protection; only for limited purposes and temporarily may data be transferred to other countries. In all cases, however, we have technical, organisational, and contractual protections in place to keep the information safe and to ensure an adequate level of protection. Contractually, transfers outside the UK/EU/EEA to countries without an adequacy decision by the European Commission will be based on standard data protection clauses adopted by the European Commission, a copy of which may be obtained by contacting us. For transfers to the USA and other third country transfers we rely solely on standard contractual clauses, SCC's.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal data on our specific instruction, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable authority of a suspected breach where we are legally required to do so.

Your statutory data protection rights

Object to processing

You have the right to object to us processing your data if the processing itself is an unwarranted interference with your interests or rights. You can find out more about how and why we process your personal data above.

If you still believe that you have a valid and justifiable reason to exercise this right you can contact us by email (mail@stockportcu.com) or write to Stockport Credit Union, First House, 367 Brinnington Road, Stockport SK5 8EN.

Restrict Processing

If you believe we are processing your personal data unlawfully or you believe that we no longer need your personal data you have the right to request that we restrict the processing of your personal data.

Right to be forgotten

Under data protection legislation you have the right to request that we delete your personal data if you believe we no longer have a lawful basis to process it. If you feel that we should not be processing your personal data you can submit a request by email mail@stockportcu.com or write to Stockport Credit Union, First House, 367 Brinnington Road, Stockport SK5 8EN.

Right to rectification

Upon obtaining personal data we conduct checks to validate that it is accurate as we are reliant on you and other third parties to provide us with correct information. If you believe that any of the personal data we hold for you is incorrect, it is important that you make us aware as soon as possible, for example if you have a new phone number or have moved address. Where you raise a dispute regarding the accuracy of personal or financial information we hold, we will seek to resolve the dispute prior to rectifying or deleting any data.

Automated profiling and decision-making

At times, we use the personal data we hold on you to conduct profiling and automated decisions, for example, to predict how likely you are able to pay back your outstanding balance or how best to engage with you.

The new data protection legislation changes stipulate that where profiling or automated decision making produces a legal effect or similarly significantly affects you, we need to make you aware of your right to object.

SCU use credit reference information to profile and make decisions during the credit application process.

If you have any further questions regarding any of the above information or wish to object to automated processing please contact our Data Protection Officer on: mail@stockportcu.com

Your right to portability

You have the right to request that we transfer personal data you have provided to us either to yourself or to another data controller. You can exercise the right to data portability by contacting us by email mail@stockportcu.com or write to Stockport Credit Union, First House, 367 Brinnington Road, Stockport SK5 8EN.

Accessing your data

You have the right to see the personal data relating to you that we hold. As a data controller we will also ensure that we provide any additional personal data that any of our data processors may hold about you. We take the protection of your personal data seriously, so we reserve the right to request proof of your identity before supplying any personal data.

Once we have validated your identity, we will respond to your request within one calendar month. We typically will send your personal data in an encrypted format. If however, you wish to receive it in a different format for example, as a printed document then please let us know.

In order to make this request please contact us by email mail@stockportcu.com or write to Stockport Credit Union, First House, 367 Brinnington Road, Stockport SK5 8EN.

Changes to this privacy policy

We regularly review this privacy policy. We will notify you of any substantial updates and any updates that affect you 2 weeks in advance. Minor changes to the policy, such as making it clearer, will be implemented without directly notifying you.

This privacy policy was last updated 2nd February 2023.

How to contact us

Please contact us if you have any questions about our privacy policy or information we hold about

you or the basis upon which we process such information:

You can contact our Data Protection Officer (DPO) by email mail@stockportcu.com or write to Stockport Credit Union, First House, 367 Brinnington Road, Stockport SK5 8EN.

Credit Referencing Agencies

In order to process credit applications you make we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.

We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. This may affect your ability to get credit.

The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at:

Transunion at www.transunion.co.uk/crain
Equifax at www.equifax.co.uk/crain
Experian at www.experian.co.uk/crain

They may retain information for up to 6 years after any credit agreement between us has ended. When we share this information all parties conform to industry standards.

Credit Reference Agencies also share information about people with many financial organisations. Their records can tell us:

whether you have kept up with paying your bills, rent or mortgage, and other debts such as loans, phone and internet contracts;
your previous addresses;
information on any businesses you may own or have owned or directed;
whether you are financially linked to another person, for example by having a joint account or shared credit;
whether you have changed your name;
whether you have been a victim of fraud.

Where you are financially linked to another person their records can provide us with details about that person’s credit agreements and financial circumstances.

They also use publicly available information to record information about people, including information from:

The Royal Mail Postcode Finder and Address Finder;
The Electoral Register;
Companies House;
The Accountant in Bankruptcy and other UK equivalents;
The Insolvency Service and other UK equivalents;
County Court Records.
your age, address and whereabouts;
whether you are on the Electoral Register;
whether you have been declared bankrupt;
whether you are insolvent; and
whether there are any County Court Judgements against you.

Credit Reference Agencies may also be Fraud Prevention Agencies.

We use this information to help us make sure we are lending our money responsibly and to help us decide whether a loan is appropriate for you. We cannot do this without:

confirming your identity;
verifying where you live;
making sure what you have told us is accurate and true;
checking whether you have overdue debts or other financial commitments; and
confirming the number of your credit agreements and the balances outstanding together withyour payment history.

We also have a duty to protect the Credit Union and the wider society against loss and crime, so we use and share Credit Reference Agency information:

to identify, prevent and track fraud;
to combat money laundering and other financial crime; and
to help recover payment of unpaid debts.

We use information in this way to fulfil our contract to you, to meet our legal and regulatory responsibilities relating to responsible lending and financial crime, to protect the Credit Union from loss, to pursue our legitimate interests and to prevent crime.

Automated assessment

We may use automated decision making in processing your personal and financial information to make credit decisions.

It is our policy to manually review automated decisions whenever possible. However, you have the right to request a manual review of the accuracy of any decision we make if you are unhappy with it. The Credit Union uses a company called NestEgg Ltd to process this data on our behalf. NestEgg Ltd provides an automated ‘decision’ to help the Credit Union make it easy for members to apply for loans and savings accounts. NestEgg Ltd is not responsible for making decisions, they do not see your personal information. Their software makes a recommendation to a loans officer.

When you apply for a loan and / or savings account up to five searches may appear on your credit file. For the purposes of credit scoring, this will typically only affect your credit score as if one credit application were made.

Each of these five ‘footprints’ relate to the different sources of data being used to assess an application; these include the credit report itself and an affordability check. The Credit Union needs to prove the information belongs to you which is when an ID check is required. In cases where an application is made by a new member; the Credit Union will use an ID check and may also run a report to check ownership of any bank account details you may give us. These checks are required by law to prevent money laundering.

Some of these footprints will be in the name of NestEgg Ltd and others in the name of the Credit Union.

Fraud Prevention Agencies

We use your information to carry out checks for the purposes of preventing fraud and money laundering. These checks require us to process and share personal data about you. The personal data can include information that you have shared with us in making your loan application, other information we have collected or hold about you, or information we receive from third parties such as Credit Reference Agencies.

We will share your:

name;
address;
date of birth;
contact details;
financial information;
employment details;
Device identifiers, including IP address; and
Any other information that it is in our legitimate interest to share in order to prevent or detectfraud, or that we are legally obliged to provide.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your data in these ways because we have a legitimate interest in preventing fraud and money laundering in order to protect our business and to comply with laws that apply to us.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, for up to six years.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the loan or any other services you have asked for. We may also stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by fraud prevention agencies and may result in others refusing to provide services, financing or employment to you. If you have any questions about this then please contact us.