Privacy Policy

Criminal Offence Data is a type of personal data which is subject to additional controls, given that the impact of any unlawful processing of this data on an individual could be particularly significant. Charity Bank will only process Criminal Offence Data in relation to our employees and those individuals otherwise providing services to Charity Bank (such as our Directors) and will only do so if the role they are performing for Charity Bank is regulated or is one which requires Charity Bank to have specific reassurance that the individual is suitable for the role. For this reason, the processing of Criminal Offence data is not covered in this Privacy Notice.

We are very unlikely in the ordinary course of business to process any data in order to protect your vital interests or the vital interests of another individual. If we found ourselves in the position of having to share personal data about you with the emergency services in order to protect you from an imminent threat to your life, we would do so and you would not have the right to object to us doing so. It is highly unlikely, however, that we will hold personal data which would be of use to the emergency services and which they could not find out from a more appropriate source (such as your doctor/ medical professional or next of kin.

We are legally permitted to process your data when we need to do so to promote our “legitimate interests”, provided that there is no overriding duty to protect the rights of the individual. This is the most common “lawful basis for processing” as it ensures that we can continue to process data to the extent we need to do so to run our business effectively, provided that we respect your rights and manage your personal data in a responsible manner. Examples of “legitimate interests” specifically mentioned in the GDPR include: (i) use of customer and employee data, (ii) marketing, (iii) fraud/crime prevention and (iv) IT security. Before we rely upon this lawful basis for processing, we will carry out an impact assessment to ensure that our intended processing is proportionate and that we respect your rights and interests. This will be particularly important where we intend to process the personal data of someone under the age of 18 or someone who is particularly vulnerable or where the personal data is of a sensitive or private nature. If we rely upon “legitimate interests” as our lawful basis for processing your personal data then you can still object to that processing and you can ask us to delete your data. You will not have the legal right, however, to ask us to transfer that data to another provider.

We are legally permitted to process your data when we need to do so in order to comply with a legal obligation to which we are subject (this does not include contractual obligations which is a separate basis for processing). We do not need to have your consent to carry out this processing and you do not have the right to object. You do not have the right to request that we delete the personal data we hold; nor do you have the right to request that we transfer that data to another provider. This is because we do not have a choice as to whether or not we process your data but are required to do so to in order to comply with our own legal obligations.

We are legally permitted to process your data when we need to do so in order to fulfil our contractual obligations to you or when you have asked us to do something before entering into a contract with us. We do not need to have your consent to carry out this processing and you do not have the right to object. You may request that we delete any personal data which we hold which you think that we don’t need, but please bear in mind that we will be legally entitled to continue to process your personal data to the extent we need to do so in order to fulfil our contractual obligations to you. If you wish us to stop processing that data altogether, you will have to terminate your contract with us in accordance with its terms. You may request that we transfer your personal data to another provider and we will be obliged to do so; but we may need to continue to process your personal data for a period of time to ensure a smooth transition to the new provider. We will retain a record of your personal data beyond the expiry of the contract to ensure that we have an accurate audit trail which meets our legal and regulatory obligations. This Privacy Notice sets out the maximum retention period for different types of personal data collected at different stages of the customer journey.

We are legally permitted to process your data where you have agreed that we may do so. By law, your agreement must be freely given, specific, informed and unambiguous. We are required to keep a record of how you have communicated your consent to us. Our records may include copy correspondence (including emails), file notes, completed forms or entries within our IT systems. You are free to withdraw your consent at any time and can do so by contacting our Data Protection Lead. You also have the right under the GDPR to request that we erase any personal data which we have been processing with your consent or that we transfer that data to a third party you have nominated. It is important for you to remember that consent is not required for all the processing we carry out.

Under the GDPR, organisations are required to have a legal reason to process the personal data they collect in different situations and to notify individuals of that reason. You should understand the different reasons for the processing of your data in different situations because the lawful basis for the processing affects the legal rights you have (in terms of asking Charity Bank to change the way we process your personal data). This Privacy Notice states the lawful basis for the processing in each of the different situations contained within the document. If you are unclear at any time as to which lawful basis for processing applies to the processing of your data at any particular time, you should contact our Data Protection Lead with a request for clarification.