Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

We collect many different types of data. This includes information that is necessary for us to provide our products and services, to comply with our legal and regulatory obligations or to serve our legitimate business interests. Below we list the key types of data we collect, hold, use and transfer. Not all of this information is collected from every member and the examples given for each category are intended to help explain their meaning, rather than being an exhaustive list.

• Data to help identify you – this includes your name, DOB, sex
• Contact details – your address, phone numbers, email address
• Socio-demographic – details of your employment, profession, nationality, education
• Transactional – details about payments to and from your accounts
• Financial – your financial position, status and history
• Contractual – details of products and service we provide to you
• Equalities and lifestyle data – this includes ethnic origin, religious belief, sexual orientation, disability data
• Behavioural – data about how you use our products or services or interact with our website or our communication
• Consents – this includes things like how you prefer to be contacted and whether you wish to receive email statements
• Communication – data contained in letters, emails or details of phone calls or conversations
• Documentary data – details stored in documents, including ID and address verification like copies of passports, driving licenses or birth certificates.

We will never collect sensitive personal data (such as health information) without your explicit consent. There is also information about your computer hardware and software that is automatically collected by the website. This information can include your IP address (the unique identifying number of a computer), the browser you use, for example, Internet Explorer (IE), Firefox etc., domain names, access times and referring website addresses. This information is used by us for the operation of the service, to maintain the quality of the service, and to provide general statistics regarding use of the website.

The information we hold is collected through your direct interactions with us and includes the personal data you provide through:

• application forms you complete when applying for membership or new services
• when you talk to us on the phone or in branch or correspond with us by email or letter
• when you use our website or online banking
• payment and transaction data
• member surveys

As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see our cookie policy for further details. We may also receive personal data about you from third parties. The types of personal data we may collect includes contact details, financial, data to help identify you and transactional data collected from:

• Credit reference agencies
• Fraud prevention agencies
• Payroll service providers
• Public information sources such as Companies House, the Office for National Statistics, the Electoral Registration Office
• Government and law enforcement agencies

Under the EU General Data Protection Regulation, we can only process your personal data if we have a lawful basis for doing so. The reasons we process your personal data are:

• if you have given your consent to the processing of your data for one or more specific purposes
• if it is necessary to fulfil our contract with you
• if it is necessary to comply with a legal obligation
• if we believe it is in our legitimate interest as long as that interest is not overridden by the privacy rights of the individual whose data is being used

By ‘legitimate interest’ we mean the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. Our legitimate interests are balanced against your right to privacy and when we rely on a legitimate interest to process your data we will tell you. You always have a right to object and you can do this by speaking to a member of staff or emailing privacy@londoncu.co.uk.

Below we outline how we use your personal data, our reasons for doing so and the type of data we are referring to. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

• To manage your credit union membership
  To manage our relationship with you

  • To provide advice and information regarding our products and services

  Our lawful basis

  • Fulfilling contracts
  • Necessary to comply with a legal obligation
  • Our legitimate interest

  Type of data

  • Data to help identify you
  • Contact details
  • Transactional
  • Financial
  • Contractual
  • Behavioural
  • Communication
  • Documentary data

• To manage our banking operation

  • To deliver our products and services
  • To manage fees, charges and interest due on members accounts
  • To collect and recover money that is owed to us

  Our lawful basis

  • Fulfilling contracts
  • Necessary to comply with a legal obligation
  • Our legitimate interest

  Type of data

  • Data to help identify you
  • Socio-demographic
  • Transactional
  • Financial
  • Contractual
  • Consents
  • Behavioural
  • Documentary data

• To manage security, risk and prevent crime

  • To detect, investigate, prevent  and report financial crime
  • To manage risk for our members
  • To obey relevant laws and regulations
  • To respond to complaints and seek resolution

  Our lawful basis

  • Fulfilling contracts
  • Necessary to comply with a legal obligation
  • Our legitimate interest

  Type of data

  • Data to help identify you
  • Transactional
  • Financial
  • Contractual
  • Behavioural
  • Communications
  • Documentary data

• To manage our business

  • To run the business in an efficient and proper way, managing our financial position, business capability and corporate governance and audit
  • To develop and carry out marketing activity
  • To exercise our rights as set out in agreements or contracts

  Our lawful basis

  • Necessary to comply with a legal obligation
  • Fulfilling contracts
  • Our legitimate interest

  Type of data

  • Data to help identify you
  • Contact details
  • Transactional
  • Equalities and lifestyle data
  • Contractual
  • Consents
  • Behavioural
  • Communications

• Marketing
  We may use your personal data to tell you about relevant products and offers, this is what we mean by ‘marketing’. We can only use your personal information to send you marketing messages if we have either your consent or legitimate interest.  That is when we have a business or commercial reason to use your information. It must not unfairly go against what is right and best for you. You can ask us to stop sending you marketing messages by contacting us at any time by sending an email to privacy@londoncu.co.uk Whatever you choose, you will still receive other important information such as notification for the AGM or changes to your existing products or services. We may ask you to confirm or update your choices, in the future. We will also ask you to do this if there are changes in the law, regulation or the structure of the business.
• People who call our telephone customer service
  When you call LCCU we collect Calling Line Identification (CLI) information. We use this information to help improve its efficiency and effectiveness. The company that provides this service does not retain any information from the calls or record them.
• People who email us
  We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law. Once emails have been actioned they will either be attached to a members file of deleted from the system. We will only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please do contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

We will not share your information with anyone outside LCCU except:

• Where we have your permission;
• Where required for your product or service;
• Where we are required by law/and or by law enforcement agencies, government entities, tax authorities or regulatory bodies around the world; i.e;
  • Government agencies and regulatory authorities;
  • HM Revenue & Customs, regulators and other authorities;
  • UK Financial Service Compensation Scheme;
  • Fraud prevention agencies;

• To third party service providers, agents and sub-contractors acting on our behalf, such as the companies which manufacture our debit cards;
• To debt collecting agencies;
• To credit reference and fraud prevention agencies;
• To other companies that provide you with benefits or services (such as insurance cover) associated with your product or service;
• Where required for a sale, recognition, transfer or other transaction relating to our business;
• In anonymised form as part of statistics or other aggregated data shared with third parties; or
• Where permitted by law, it is necessary for our legitimate interests or those of a third party, and in accordance with our internal procedures.
• In the event that any additional authorised users are added to your account, you and the additional account user authorises us to pass information about you to the other user.

We will not share or sell your information to any third party to conduct their own marketing. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

• Banking and financial service providers

  • If you have a debit card we will share transactional details with companies such as MasterCard
  • If you use Direct Debit, we will share your data with the Direct Debit Scheme
  • If you apply for a current account or loan we will share your details with credit reference agencies

• Marketing

  • When we send a non-transactional email we use SendinBlue
  • We use social media to promote our products and services to members and the general public within our Common Bond.
  • We use Facebook’s custom audience and lookalike audience features. We use data collected via the Facebook pixel on the LCCU website. You can opt out of Facebook off-site tracking via Facebook Settings
  • We use Google Ads which uses similar audiences and remarketing cookies. You can opt out of Google’s use of cookies via Google Ad Settings

• Credit Reference Agencies (CRA)
  We carry out credit and identity checks when you apply for our current account or loan products. We will share your personal information with CRAs and they will give us information about you. The data we exchange can include

  • Name, address and date of birth
  • Credit application
  • Public information from sources such as Companies House
  • We will use this data to:
  • Assess whether you or your business is able to afford to make repayments
  • Make sure what you have told us is true
  • Help detect and prevent financial crime
  • Trace and recover debts

  We will go on sharing your personal information with CRAs for as long as you are a member. This will include details about your settled accounts and any debts not fully repaid on time. This will include details of funds going into the account and the account balance.  If you borrow, it will also include details of your repayments and whether you repay in full and on time. CRAs may give this information to other organisations that want to check credit status. We will also tell CRAs when you settle your account with us. When we ask CRAs about you or your business they will note this on your credit file. This is called a credit search. Other lenders may be able to see this and we may be able to see credit searches from other lenders. If you apply for a product with someone, this will link your record with theirs. We will do the same if you tell us you have a spouse, partner or civil partner or that you are in business with other partners or directors. CRAs will also link your records together. These links will stay on your files unless one of you asks the CRAs to break the link. You would normally need to obtain proof that you no longer have a financial link with each other. You can find out more about CRAs and how they use your information by reading this Credit Reference Agency Information Notice (CRAIN). Or visit the CRA websites:  TransUnion, Equifax & Experian.

• Fraud Prevention Agencies (FPA)
  We may need to confirm your identity before we provide you with membership or services to you or your business. Once you have become a member, we will also share your personal information as needed to help detect fraud and money laundering risks. We use Fraud Prevention Agencies to help us with this. Both LCCU and the fraud prevention agency can only use your personal information if we have a proper reason to do so. It must be needed either for us to obey the law or for a ‘legitimate interest’. By ‘legitimate interest’ we mean the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. Our legitimate interests are balanced against your right to privacy. We will use the information to:

  • Confirm identities
  • Help prevent fraud and money laundering
  • Fulfil any contract you or your business has with us.

  LCCU or a FPA may allow law enforcement agencies to access your personal information.  This is to support their duty to detect, investigate, prevent and prosecute crime. FPAs can keep personal information for different lengths of time. They can keep your data for up to six years if they find a risk of fraud or money laundering. The information we use:

  • Name
  • Date of birth
  • National Insurance Number
  • Residential address
  • History of where you have lived
  • Contact details, such as email address and phone numbers
  • Financial data
  • Data relating to you or your business
  • Employment details

  We and FPAs may process your personal information in systems that look for fraud by studying patterns in the data. We may find that an account is being used in ways that fraudsters work, or we may notice that an account is being used in a way that is unusual for you or your business. Where we or the FPA decide there is a risk of fraud, we may stop activity on your account(s) or block access to them. FPA will also keep a record of any risk associated with you or your business. This may result in other organisations refusing to provide you with products or services or to employ you. Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

• Data transfer out of the EEA
  FPAs may send personal information to countries outside the European Economic Area (EEA). When they do, there will be a contract in place to make sure the recipient protects the data to the same standard as the EEA. This may include when following international frameworks for making data sharing secure. We will only send your data outside the European Economic Area (EEA) to:

  • Follow your instructions
  • Comply with a legal duty

  If we send your personal data outside the EEA we will take reasonable steps to ensure that the recipient implements appropriate measures to protect your information. Data Security We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

• If you choose not to give your personal information
  We may need to collect personal information by law, or under the terms of a contract, we have with you. If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform the services needed to run your account. It could mean that we have to cancel your membership with us but we will notify you if this is the case at the time. Any data collection that is optional would be made clear at the point of collection.

You have the right to know what information we hold about you and to ask to see your records. Individuals can find out if we hold any personal information by making a ‘subject access request’ pursuant to Article 15 of the General Data Protection Regulation ((EU) 2016/679). If we do hold information about you we will:

• give you a description of it;
• tell you why we are holding it;
• tell you who it could be disclosed to; and
• let you have a copy of the information in an intelligible form.

To make a request to LCCU to see any personal information we may hold you can complete the Subject Access Request Form. We will supply any information you ask for that we hold about you as soon as possible, but this may take up to one calendar month. We will not charge you for this. You will be asked for proof of identity as the person dealing with your request may not be the staff member you have met before. We need to be sure we are only releasing your personal data to you. If we do hold information about you, you can ask us to correct any mistakes by contacting us.

• Right to be informed
  You have the right to be informed about how your personal data will be used. This statement as well as any additional information or notice that is provided to you either at the time you provided your details or otherwise, is intended to provide you with this information.
• Right to data portability
  Where we are processing your personal data because you have given us your consent to do so, you have the right to request that the data is transferred from one service provider to another.
• Disclosure of personal information
  In many circumstances, we will not disclose personal data without consent. However, when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies.
• How long we keep your personal information
  We will keep your personal information for as long as you are a member. After you stop being a member we may keep your data for up to 6 years for one of these reasons:

  • To respond to any questions or complaints
  • To show that we treated you fairly
  • To maintain records according to rules that apply to us.

  In some circumstances, we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

• Letting us know if your personal information is incorrect
  You have the right to question any information we have about you that you think is wrong or incomplete and if you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. Please contact us if you want to do this. If you do, we will take reasonable steps to check its accuracy and correct it. If you believe the information we hold about you is out of date or incorrect please notify a member of staff or email privacy@londoncu.co.uk.
• What if you want us to stop using your personal information
  Where we process your data on the basis of your consent (for example, to send you marketing e-mails) you can withdraw that consent at any time. To do this, or to discuss this right further with us, please contact us. You also have a right to object to us processing data where we are relying on it being within our legitimate interests to do so (for example, to send you direct marketing by post). To do this, or to discuss this right further with us, please contact us. In certain situations, you have the right to ask for processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage. In some cases, you have the right to be forgotten (i.e. to have your personal data deleted from our database). Where you have requested that we do not send you marketing materials we will need to keep some limited information in order to ensure that you are not contacted in the future.
• How to withdraw your consent
  You can withdraw your consent at any time. Please contact us if you want to do so. If you withdraw your consent, we may not be able to provide you with your membership, products or services if this is so we will tell you.
• How to complain
  If you are unhappy with the way in which we have used your personal information you can let us know by sending an email to privacy@londoncu.co.uk. Alternately, you can let us know in branch or by using the contact form on this website. You also have the right to complain to the Information Commissioners Officer.
• People who make a complaint to us
  When we receive a complaint we will open a case file that contains the identity of the complainant and any other individuals involved in the complaint. We will only use the personal information we collect to process the complaint and to check on the level of service we provide. Annually, we report to the Financial Conduct Authority on how many complaints we receive, relating to which regulated banking categories and the outcomes. This data is anonymized. We usually disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. It will not be possible to handle a complaint on an anonymous basis. We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle. Similarly, where inquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

Open Banking is the secure way of providing access to your bank or building society account to providers who are registered for this purpose.

Registered providers and participating banks and building societies are listed under the Open Banking Directory.

Open Banking was set up by the UK Government to encourage more competition and innovation in the financial services sector.

As a forward thinking lender, we support the use of Open Banking as it allows us to process loan applications efficiently, securely and in our consumer’s best interests.

By permitting access to your bank or building society account information we are able to make a better lending decision as we shall be able to verify your income, outgoings and other matters in order to assess what loan terms would be suitable for you based upon what you can reasonably afford to repay.

Further information about Open Banking is available from www.openbanking.org.uk.

• How will my personal data be shared and used for the purposes of Open Banking?

  When proceeding with your loan application via our website you must expressly consent to us sharing your personal, contact and loan application details (“the Shared Personal Data”) with our registered Open Banking partner, Perfect Data Solutions Limited (“PDS”) who are also a credit reference agency. During your loan application we shall safely and securely direct you to PDS’s secure portal (“the Portal”) for the purposes of granting PDS access to your bank or building society account information (“Transaction Information”). As soon as your Transaction Information is received it shall be reported back to us in the form of a completed search in order that we may continue to process your loan application (“the Permitted Purpose”).

  Further information about PDS including their registered provider and regulatory status is available from www.lendingmetrics.com.

• Is Open Banking secure?

  PDS are registered under the Open Banking Directory as an account information service provider and are also regulated by the Financial Conduct Authority as a payment services firm under number 802599. Any data you submit via the Portal will be encrypted and its usage tracked as part of set Open Banking data security standards.

  We are responsible for the secure transmission of any Shared Personal Data to PDS, for safely directing you to the Portal and for the safe receipt and usage of your Transaction Information.

  You will not be required to share your banking password or log in details with either us or PDS. Once you have given your explicit consent to share your bank account information on the Portal you will be directed to your own bank or building society’s login page where you will enter in your own login details directly.

  Save as set out above or elsewhere in this Privacy Policy, we are not responsible for your direct data transmissions with PDS or with your own bank or building society.

• How will my Shared Personal Data and Transaction Information be used?

  PDS shall, subject to their own terms and conditions and privacy policy, and, if your bank or building society is registered to provide access under the Open Banking Directory, obtain your Transaction Information and submit this back to us for the Permitted Purpose. By way of example, the Transaction Information that we shall receive is likely to include information relating to your income, outgoings and credit worthiness.

  PDS shall be entitled to re-access your Transaction Information for up to 90 days from the date of your original search result in order to refresh the search results, obtain a snapshot of your data or gather additional data. PDS shall hold the Shared Personal Data and the Transaction Information they receive and retain according to their own terms and conditions and privacy policy, available on the Portal, which you will be required to read and consent to once directed their via our website. As PDS are also a credit reference agency they may also share and keep a record of your Shared Personal Data and Transaction Information.

• Will you use my Transaction Information data for any other purpose?

  The Transaction Information we receive about you will only be used for the Permitted Purpose. We do not sell or share Transaction Information with any third party. Save as set out above the information contained in the rest of this Privacy Policy deals with how we collate, use, transfer, store, delete and other terms applicable to your personal data including Shared Personal Data and Transaction Information.

• Do I have to provide you with my consent to proceed?

  To benefit from Open Banking you will need to expressly consent to allow the Shared Personal Data to be transferred to PDS. A refusal to consent does not prejudice your loan application but it may delay a loan decision. If you refuse consent to use Open Banking you will need to submit suitable supporting proof of income documents alongside your loan application.

  Where your bank or building society have already permitted access to your Transaction Information you shall need to contact them directly in order to withdraw your consent under their particular Open Banking terms and conditions.

• Are any of my other rights under this Privacy Policy affected?

  Your individual data protection and privacy rights including the right to access, correct, delete, object, restrict, withdraw consent, request transfer and/or make a complaint, continue to apply to relevant personal data we control or process and are dealt with elsewhere in this Privacy Policy.

  Under Open Banking as your personal data is shared by your bank or building society and accessed by PDS you may also be able to exercise your individual data protection and privacy rights against either of them pursuant to their own terms and conditions and privacy policies.

We may update this policy from time to time without notice to you, so please check it regularly. The privacy policy was last updated on 22 January 2021. An amendment was made to include details on our Open Banking privacy policy.