Privacy Policy

September 2018 update, version 4, Privacy Notice

At Charity Bank we are committed to protecting and respecting your privacy and we want you to be familiar with how we manage personal information which you share with us. This privacy notice tells you what to expect when Charity Bank collects personal information from you.

Data Controller

Charity Bank is registered with the Information Commissioner’s Office (ICO) as a Data Controller. Our registration number is Z6540626 and you can find details of our registration here. We review and update our register entry every year.

Data Protection Queries

If you have any queries relating to Charity Bank’s registration as a data controller and/or its use of your personal data, you should contact our Data Protection Lead at GDPR@charitybank.org or Data Protection, Fosse House, 182 High Street, Tonbridge, Kent, TN9 1BE.

Guidance/Definitions

In this privacy notice, we use some new technical terms which are defined in the General Data Protection Regulation (GDPR) and related legislation. 

To help you to better understand this Privacy Notice, and your rights in relation to how we process your personal information, we have summarised the meanings of these terms and their relevance to you in the table below:

Lawful Basis for Processing

Under the GDPR, organisations are required to have a legal reason to process the personal data they collect in different situations and to notify individuals of that reason. You should understand the different reasons for the processing of your data in different situations because the lawful basis for the processing affects the legal rights you have (in terms of asking Charity Bank to change the way we process your personal data). This Privacy Notice states the lawful basis for the processing in each of the different situations contained within the document. If you are unclear at any time as to which lawful basis for processing applies to the processing of your data at any particular time, you should contact our Data Protection Lead with a request for clarification.

Consent

We are legally permitted to process your data where you have agreed that we may do so. By law, your agreement must be freely given, specific, informed and unambiguous. We are required to keep a record of how you have communicated your consent to us. Our records may include copy correspondence (including emails), file notes, completed forms or entries within our IT systems. You are free to withdraw your consent at any time and can do so by contacting our Data Protection Lead. You also have the right under the GDPR to request that we erase any personal data which we have been processing with your consent or that we transfer that data to a third party you have nominated. It is important for you to remember that consent is not required for all the processing we carry out.

Contractual Performance

We are legally permitted to process your data when we need to do so in order to fulfil our contractual obligations to you or when you have asked us to do something before entering into a contract with us. We do not need to have your consent to carry out this processing and you do not have the right to object. You may request that we delete any personal data which we hold which you think that we don’t need, but please bear in mind that we will be legally entitled to continue to process your personal data to the extent we need to do so in order to fulfil our contractual obligations to you. If you wish us to stop processing that data altogether, you will have to terminate your contract with us in accordance with its terms. You may request that we transfer your personal data to another provider and we will be obliged to do so; but we may need to continue to process your personal data for a period of time to ensure a smooth transition to the new provider. We will retain a record of your personal data beyond the expiry of the contract to ensure that we have an accurate audit trail which meets our legal and regulatory obligations. This Privacy Notice sets out the maximum retention period for different types of personal data collected at different stages of the customer journey.

Legal Obligation

We are legally permitted to process your data when we need to do so in order to comply with a legal obligation to which we are subject (this does not include contractual obligations, which are a separate basis for processing). We do not need to have your consent to carry out this processing and you do not have the right to object. You do not have the right to request that we delete the personal data we hold; nor do you have the right to request that we transfer that data to another provider. This is because we do not have a choice as to whether or not we process your data but are required to do so in order to comply with our own legal obligations.

Vital Interests

We are very unlikely in the ordinary course of business to process any data in order to protect your vital interests or the vital interests of another individual. If we found ourselves in the position of having to share personal data about you with the emergency services in order to protect you from an imminent threat to your life, we would do so and you would not have the right to object to us doing so. It is highly unlikely, however, that we will hold personal data which would be of use to the emergency services and which they could not find out from a more appropriate source (such as your doctor/medical professional or next of kin).

Legitimate Interests

We are legally permitted to process your data when we need to do so to promote our “legitimate interests”, provided that there is no overriding duty to protect the rights of the individual. This is the most common “lawful basis for processing” as it ensures that we can continue to process data to the extent we need to do so to run our business effectively, provided that we respect your rights and manage your personal data in a responsible manner. Examples of “legitimate interests” specifically mentioned in the GDPR include: (i) use of customer and employee data, (ii) marketing, (iii) fraud/crime prevention and (iv) IT security. Before we rely upon this lawful basis for processing, we will carry out an impact assessment to ensure that our intended processing is proportionate and that we respect your rights and interests. This will be particularly important where we intend to process the personal data of someone under the age of 18 or someone who is particularly vulnerable or where the personal data is of a sensitive or private nature. If we rely upon “legitimate interests” as our lawful basis for processing your personal data then you can still object to that processing and you can ask us to delete your data. You will not have the legal right, however, to ask us to transfer that data to another provider.

Special Category Data

Special Category Data is a type of personal data which is more sensitive, or which could create more significant risks to an individual’s fundamental rights and freedoms, than standard personal data. For example, unlawful processing could put an individual at higher risk of unlawful discrimination. Examples of Special Category Data include information about an individual’s race, ethnic origin, political views, religion, trade union membership, genetics, biometrics (when used for ID purposes), health, sex life or sexual orientation. We will only process Special Category Data of our employees, not our customers or other business contacts. For this reason, the processing of Special Category Data is not covered in this Privacy Notice. For the avoidance of doubt, whilst at times individual employees of Charity Bank might make inferences about an individual from information with which we have been provided (such as assuming an individual’s race or ethnic origin or political views or religious affiliation from the type of organisation with which they are associated), Charity Bank does not actively seek to collect or hold Special Category Data in respect of our customers or other business contacts and does not at any time record or process this information.

Criminal Offence Data

Criminal Offence Data is a type of personal data which is subject to additional controls, given that the impact of any unlawful processing of this data on an individual could be particularly significant. Charity Bank will only process Criminal Offence Data in relation to our employees and those individuals otherwise providing services to Charity Bank (such as our Directors) and will only do so if the role they are performing for Charity Bank is regulated or is one which requires Charity Bank to have specific reassurance that the individual is suitable for the role. For this reason, the processing of Criminal Offence data is not covered in this Privacy Notice.

The types of information we routinely collect about individuals

In summary, we routinely collect the following personal data in relation to our customers and business contacts:

  • Name (including details of previous names (or aliases), where relevant)
  • Address (including previous addresses, where relevant)
  • Email address
  • Phone number (mobile/landline/work/home)
  • Bank account details (for the transfer of funds) (personal savers only)
  • Date of birth (personal savers only)
  • Job title/role description (for trustees/managers/contacts at organisations only)
  • Information included within a CV (for trustees/managers at borrowers only)
  • Details of other relevant appointments (current or past) (for trustees/managers at borrowers only)
  • Identification documents (credit check validation) (personal savers only).

On occasions, we may collect and process additional personal data but this will only be where this is relevant to our relationship with you, and we will explain clearly in our correspondence with you why we are requesting that data, how it will be used and for how long we will keep it.

As you would expect, we collect and process more personal data in relation to our own personnel (including applicants), but this is not within the scope of this Privacy Notice.

Please click on the relevant link below.

Personal Saver: Just heard about Charity Bank

Individuals we think will be interested in savings accounts

Type of Personal Data we would typically hold

Name, address, email address, phone number, selection criteria

Lawful Basis for Processing

Legitimate Interests (to develop the commercial relationship; to send you information about our organisation, our products and services; to invite you to relevant events)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

Details kept on file for 18 months, if no response. Records of Data Subject objections or requests for restrictions to be placed on processing kept indefinitely. If application made, then until the application is accepted (then “current customer”).

Personal Saver: Interested in opening an account

Individual interested in personal savings accounts

Type of Personal Data we would typically hold

Name, address, email address, phone number

Lawful Basis for Processing

Legitimate Interests (to respond to your enquiry; to send you information about our organisation, our products and services; to invite you to relevant events; to open your account)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

Until account opening (then “current customer”). No more than 6 months from decision not to proceed.

Data Sharing

For more information about the application process and third parties involved in that process, please click here.

Personal Saver: Active customer

Individual with active savings account(s)

Type of Personal Data we would typically hold

Name, address, email address, phone number, bank account number(s), date of birth

Lawful Basis for Processing

  1. Contractual obligation
    (to run and monitor your account)
    and
  2. Legitimate Interests
    (to send you information about our other products and services; to invite you to relevant events; to keep business records relating to your account)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Right to portability
(No right to object to/restrict processing)

How long we would usually keep your Personal Data for

Until account closed (then “previous customer”).

Personal Saver: No longer a customer

Individual with closed personal savings account

Type of Personal Data we would typically hold

Name, address (as at closure of account)

Lawful Basis for Processing

Legitimate Interests (to maintain an audit trail; to send you information about our organisation, our products and services; to invite you to relevant events)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
(No right to portability)

How long we would usually keep your Personal Data for

Up to 12 years from account closure.

Business/Charity Saver: Just heard about Charity Bank

Named individual at an organisation which we think will be interested in opening a savings account

Type of Personal Data we would typically hold

Name, address, email address, phone number, job title

Lawful Basis for Processing

Legitimate Interests (to develop the commercial relationship; to send you information about our organisation, our products and services; to invite you to relevant events)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

Details kept on file for 18 months, if no response. Records of Data Subject objections or requests for restrictions to be placed on processing kept indefinitely. If application made, then until the application is accepted (then “current customer”).

Business/Charity Saver: Interested in opening an account

Named contact at organisation interested in a savings account

Type of Personal Data we would typically hold

Name, address, email address, phone number, job title

Lawful Basis for Processing

Legitimate Interests (to respond to your enquiry; to send you information about our organisation, our products and services; to invite you to relevant events; to open your account)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

Until account opening (then “current customer”). No more than 6 months from decision not to proceed.

Data Sharing

For more information about the application process and third parties involved in that process, please click here.

Business/Charity Saver: Active customer

Named contact at organisation with active savings account(s)

Type of Personal Data we would typically hold

Name, address, email address, phone number, job title

Lawful Basis for Processing

  1. Contractual obligation
    (to run and monitor your account)
    and
  2. Legitimate Interests
    (to send you information about our other products and services; to invite you to relevant events; to keep business records relating to your account)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

Until account closed (then “previous customer”).

Business/Charity Saver: No longer a customer

Named contact at organisation with closed savings account(s)

Type of Personal Data we would typically hold

Name, address, job title (as at closure of account)

Lawful Basis for Processing

Legitimate Interests (to maintain an audit trail; to send you information about our organisation, our products and services; to invite you to relevant events)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

Up to 2 years from account closure.

Borrower: Just heard about Charity Bank

Named contact at organisations which we think will be interested in opening a loan account

Type of Personal Data we would typically hold

Name, address, email address, phone number, selection criteria

Lawful Basis for Processing

Legitimate Interests (to develop the commercial relationship; to send you information about our organisation, our products and services; to invite you to relevant events)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

Details kept on file for 18 months, if no response.

Records of Data Subject objections or requests for restrictions to be placed on processing kept indefinitely.

If application made, then until the application is accepted (then “current customer”).

Borrower: Interested in opening an account

Named contact at organisation interested in a loan account

Type of Personal Data we would typically hold

Name, address, email address, phone number, job title

Lawful Basis for Processing

Legitimate Interests (to respond to your enquiry; to send you information about our organisation, our products and services; to invite you to relevant events; to open your account)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

Until account opening (then “current customer”). No more than 6 months from decision not to proceed.

Data Sharing

For more information about the application process and third parties involved in that process, please click here.

Borrower: Active customer

Named contact at organisation with active loan account(s)

Type of Personal Data we would typically hold

Name, address, email address, phone number, job title

Lawful Basis for Processing

  1. Contractual obligation
    (to run and monitor your account)
    and
  2. Legitimate Interests
    (to send you information about our other products and services; to invite you to relevant events; to keep business records relating to your account)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

Until account closed (then “previous customer”).

Borrower: No longer a customer

Named contact at organisation with closed loan account(s)

Type of Personal Data we would typically hold

Name, address, job title (as at closure of account)

Lawful Basis for Processing

Legitimate Interests (to maintain an audit trail; to send you information about our organisation, our products and services; to invite you to relevant events)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

Up to 12 years from account closure.

Other Business Contact: Investor

Individual loan-note holders and named contacts at organisations which have invested in us through loan-notes or shares

Type of Personal Data we would typically hold

Name, address, email address, phone number, job title

Lawful Basis for Processing

Legitimate Interests (to develop the commercial relationship; to send you information about our organisation, our products and services; to invite you to relevant events)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

For as long as it remains relevant to Charity Bank, but no more than 6 years from the ending of the business relationship. Details other than name, address and job title will be deleted upon the ending of the business relationship.

Other Business Contact: Introducer

Named contact at third-party organisation which refers business to us

Type of Personal Data we would typically hold

Name, address, email address, phone number, evidence of relevant professional qualifications or accreditation, job title

Lawful Basis for Processing

Legitimate Interests (to develop the commercial relationship; to send you information about our organisation, our products and services; to invite you to relevant events)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

For as long as it remains relevant to Charity Bank, but no more than 6 years from the ending of the business relationship. Details other than name, address and job title will be deleted upon the ending of the business relationship.

Other Business Contact: Advisor

Named contact at third-party organisation which provides us with advice

Type of Personal Data we would typically hold

Name, address, email address, phone number, evidence of relevant professional qualifications or accreditation, job title

Lawful Basis for Processing

Legitimate Interests (to develop the commercial relationship; to send you information about our organisation, our products and services; to invite you to relevant events)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

For as long as it remains relevant to Charity Bank, but no more than 6 years from the ending of the business relationship. Details other than name, address and job title will be deleted upon the ending of the business relationship.

Other Business Contact: Sector contact

Named contact at third-party organisation working in or with the charity and social sectors

Type of Personal Data we would typically hold

Name, address, email address, phone number, job title

Lawful Basis for Processing

Legitimate Interests (to develop the commercial relationship; to send you information about our organisation, our products and services; to invite you to relevant events)

Your Privacy Rights

Access
Correction/Rectification
Deletion
Object to/Restrict processing
Right to portability - Not applicable

How long we would usually keep your Personal Data for

For as long as it remains relevant to Charity Bank, but no more than 6 years from the ending of the business relationship. Details other than name, address and job title will be deleted upon the ending of the business relationship.

Your Privacy Rights

Right to be informed

Under the GDPR you are entitled to receive certain information about how organisations use your personal data. This Privacy Notice complies with the legal requirements and will be updated from time to time to reflect best practice, as further guidance and case-notes are published.

Right of access

In addition to your right to be informed so that you know what data we are processing and why, you have the right to request access to the personal data we hold on our systems, so that you can verify that we are processing your data lawfully. If you make a request, you will need to provide evidence of your identity, so we know that we are releasing the data to the right person. Requests should be submitted to the Data Protection Lead. Once you have submitted your request and provided evidence of your identity we will contact you to confirm that we are processing your request and to explain the next steps. We will usually supply you with the data within one month of the date of your request. If we need more time, we will let you know. Please remember that you are only entitled to request a copy of your personal data from us in order to check that we are processing your data lawfully. If we feel that your request has been made for other reasons, we may be entitled to refuse to supply a copy of the data to you. If we do refuse your request, we will let you know why and we will remind you of your right to complain to the Information Commissioner’s Office (ICO) about our decision.

Right to rectification

Under the GDPR you have the right to ask us to correct any personal data we hold, if it is inaccurate or incomplete. For example, you may be moving to a new house and so you know that your contact details will no longer be correct from a certain date. If we receive a request from you to update our records, we will let you know when we have made the changes (usually within one month of the request). We will also let you know the identity of any third parties with whom we routinely share that data, so that you can contact them to ensure their records are up to date as well.

Right to erasure

This is the formal name for the “right to be forgotten” which you may have read about in the press. This informal name is not quite correct. The GDPR does not provide you with an absolute right to be “forgotten” because there are some overriding reasons which permit organisations to keep personal data (including the making of or defending of legal claims). You do have the right, however, to request that we delete personal data where there is no compelling reason for us to continue to process that data. As a matter of best practice, we routinely review our records and will not keep personal data beyond any stated Retention Period without a valid reason nor will we continue to process your data when you have asked us not to (unless we have to continue to process your data due to a legal obligation we are under or in order to fulfil a contract with you which you have not terminated, in which case we will make you aware that this is so). For this reason, we think that it would be in very exceptional circumstances that you would wish to exercise this right of erasure. If you wish to submit a request for us to delete personal data, then please contact our Data Protection Lead. We will consider your request in light of all relevant information available to us at that time and respond accordingly. If we agree that your data should be deleted, then we will also notify any third parties to whom we have disclosed your data that you have requested the data is to be deleted, so that they can take steps to erase copies or links to that data.

Right to restrict processing

Under the GDPR you have the right to restrict the processing of your personal data. This will be of particular relevance to you in a situation where you are content for us to store your data but not to continue to process it. For example, if you have closed your account with us you may not wish us to continue to use your personal data, but you may wish us to keep a record of the dates between which you held a savings account with us (to inform your tax planning and reporting). At times, we will be required to restrict processing on a temporary basis to protect your interests, for example, whilst we are considering a request from you to delete personal data. If a restriction is in place, then we will confirm relevant details of the restriction to any third parties to whom we have disclosed your data. We will also keep you informed, so that you know whenever a restriction is in place or has been lifted.

Right to data portability

If you have provided us with personal data directly and we are processing that on the grounds of “consent” or “contractual performance”, then you have the right to ask us to move, copy or transfer personal data from our IT systems to those of another provider free of charge and in a safe and secure way without prejudicing the usability of the data.

Right to object

If we are processing your data on the grounds of legitimate interests, you have the right to object to our processing of your personal data but only where we cannot demonstrate a genuine business reason for that processing (such as we need to process your data to operate your account or to bring or defend a legal claim). You do have an absolute right to object to receiving information directed specifically to you, as an individual, about our organisation and those of its products and services which you do not already have, as this falls within the definition of “direct marketing”. If you are only receiving information about our organisation, products and services because you are an employee of an organisation which we think will be interested in our products and services then you will not be able to object to our processing your data, as this is not “direct marketing”, but you will be able to opt-out of receiving information about our organisation, products and services by contacting our communications team or by using the “unsubscribe link” at the bottom of our emails.

Rights related to automated decision making, including profiling

The GDPR introduces two new concepts. First, “automated decision-making” (making a decision solely by automated means without any human involvement). We do not carry out any automated decision-making. Although we do use a third-party automated service to help us to assess whether or not an individual is eligible to open a savings account with us or for the purposes of verifying the identity of a trustee/director/manager of a potential corporate saver, we will not base our decision solely on the basis of the third-party automated service. Second, “profiling” (automated processing of personal data to evaluate certain things about an individual). Again, we do not carry out any automated profiling. We may, for example, carry out research using information in the public domain to ascertain the likelihood of you being interested in our organisation, products or services, but this process will always involve the exercise of human judgment.

Retention Period

We are required to retain a record of your personal data even after we have stopped processing your data. The period of time for which we retain that record is known as the “Retention Period”. We have given an indication of the standard Retention Period for different situations in this Privacy Notice. If you have a specific query which is not addressed in this Privacy Notice you should contact our Data Protection Lead.

How we use your information

How we collect information about individuals

We collect personal data through a variety of methods, including through our website, application forms, postal or email communications, during meetings, at events, over the telephone, from publicly available sources and from selected third parties. 

Whenever we collect information about you, we will tell you how your information will be used. This may be in the application form itself or as part of our conversation with you. If you would like to send information to us by email, please remember that email is not absolutely secure so we advise you to keep personal information to a minimum to reduce the risk of fraud. 

Whenever we collect personal data from publicly available sources in order to find your contact details, we will confirm to you the source of that data in our initial communication with you. The sources of information we typically use are: the Companies House website, the Charity Commission website, an organisation’s own website and, where relevant, an individual’s “public” profile on LinkedIn (i.e., information which is available to view without being one of your “connections”).

Involving third parties in the collection or processing of personal data

From time to time we may involve a third party in the collection or processing of personal data. Where we regularly involve a third party in the processing of personal data, full details are set out in this Privacy Notice.

We only work with third parties which meet our stringent procurement criteria. Under these criteria we review not only their ability to provide the goods or services we require but also their general ethos (commitment to the charity/social sector) and working practices. 

Before we work with a third party on a new project involving the processing of personal data, we will carry out a Data Protection Impact Assessment. 

We will also ensure that the terms of the contract with any third-party data processor meet the legal requirements imposed by the GDPR (by specifying the processing which will take place and setting out the standards which the processor must meet when processing personal data on our behalf and the permissions it needs from us in relation to the processing), that the third party only processes data in accordance with our written instructions, that the third party is aware of and will comply with its duties and obligations under current data protection legislation and that we have the right to audit their processes and records.

On occasion, we will be required to share your personal data with third parties for regulatory and audit purposes. We will only share the minimum amount of detail required for the purpose and will anonymise records where we can. These third parties are subject to duties of confidentiality and they will not be permitted to share your data outside their own organisation other than in exceptional circumstances, such as where there is an overriding public interest, including the prevention or detection of crime. Details of our current auditors are listed in our Annual Accounts - currently Deloitte and KPMG - and our regulators are the Prudential Regulation Authority, the Financial Conduct Authority and the Information Commissioner’s Office. We also send information to the Department for Business, Energy & Industrial Strategy, to enable us to maintain our licence to offer Community Investment Tax Relief to eligible depositors/investors. You may click on the hyperlinks given in this paragraph to be directed straight to their privacy notices.

How we protect your personal data

We take all reasonable steps to protect your personal data through technological means and internal processes. All personal data we receive is stored either electronically or in paper format in our internal systems which are secure and cannot be accessed by external parties without our authorisation. We do not give out personal information on the telephone or by email unless you have requested that we do so and we have verified that it is you making the request. We regularly back-up the data which we hold and ensure that these back-ups are subject to an equivalent level of technological and organisational safeguards as the original data. We regularly test the resilience of our systems and make adjustments as required.

As you would expect, some of our IT suppliers are large international companies, but as they are processing the Personal Data of EU citizens, they are required to adhere to the requirements of the GDPR. You may request further information about our IT systems and approach to information security (including a list of our third-party suppliers) by contacting our DP Lead.

We will only give authorisation to third parties to access our systems where they are providing a service to us under a written contract which includes terms requiring them to protect your data. These services may include: internal/external audit, IT consultancy (software/hardware) or IT advisory services (user support). We ask all our IT suppliers to go through a rigorous procurement exercise to ensure they meet our requirements in terms of protecting your data. As you would expect, our ability to negotiate contractual terms with larger companies may be extremely limited. In this situation we will take all reasonable steps to protect your data.

We limit the processing of data outside the European Economic Area (EEA). For a current list of countries in the EEA, please see the list here. All our own IT systems and back-up systems rely on data-centres located within the European Union (EU) (a smaller set of countries than the EEA). Where we use the services of a third party which requires the transmission or handling of personal data outside the EU we will notify you, by including the relevant details within this Privacy Notice. Whilst the GDPR has effect on all organisations (wherever they are located) which process the personal data of EU citizens, we do take steps to ensure, through due diligence and contractual terms, that the third-party supplier is committed to a high standard of data protection compliance.

For more detail about how we use your information in different situations, please refer to the sections below, choosing the section which corresponds to your contact with us:

Visiting our website

Links to other websites

Please note that certain hypertext links in this website may lead you to websites which are not under the control of Charity Bank. When you activate these, you may leave the Charity Bank website. These links are provided solely for your convenience and do not represent any endorsement or recommendation by Charity Bank.

Charity Bank accepts no responsibility or liability for the contents of any website to which a hypertext link exists and gives no representation or warranty as to the information on such websites. Charity Bank accepts no responsibility or liability for any loss arising from any contract entered into with any website to which a hypertext link exists.

Analysis

When someone visits www.charitybank.org, or uses our online savings application process, we use a third-party service, Google Analytics & Google Tag Manager, to collect standard internet log information and details of visitor-behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information (other than through your IP address which we cannot link to you individually) through our website, we will tell you this. We will make it clear when we collect personal information and will explain what we intend to do with it. In this case, the lawful basis for processing of this information is “legitimate interests”.


We use a third-party provider, Full Story, a company based in the US, to provide us with details on your experience using the website. We gather anonymous session videos to improve our website and fix any issues that are encountered.

To adjust Full Story’s cookie access please visit our cookie policy for further details.

To request deletion please email gdpr@charitybank.org

For more information, please see Full Story’s privacy policy. Full Story is registered with the EU-US Privacy Shield Framework, which means that it has committed to manage personal data to an equivalent standard to that which is required of companies based in the EU. You can find out more about the framework and how it protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States here.


Website Publication

We use a third-party service, No Divide Studios Ltd, to publish our website. The website is hosted by Krystal Hosting at www.charitybank.org. We use a standard Google Analytics & Google Tag Manager service to collect anonymous information about users' activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. For more information about how Krystal Hosting processes data, please see its privacy notice.

We use a third-party provider, Imgix, a company based in the US, to provide you with the highest quality images for the device that you access our website on. Where users have provided us with consent to use their images, those images are uploaded for hosting and processing by the Content Delivery Network (CDN).

For more information, please see Imgix’s privacy policy. Imgix is not yet registered with the EU-US Privacy Shield Framework, but has committed to manage personal data to an equivalent standard to that which is required of companies based in the EU. You can find out more about the framework and how it protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States here.

Search engine advertising

Please note that Charity Bank advertises via search engines including Google and Bing that may lead you to our website. When you visit us from these adverts, search engines collect limited data to provide you with further internet-based advertisements related to your search interest.

To adjust your ad settings with the search engines we use, visit Bing privacy dashboard and Google help pages.

Browsing our website

Charity Bank uses Salesforce Pardot to collect enquiries through website contact forms and to provide users with relevant content based on the interactions made on the website. Our CRM system provided by Salesforce stores your data securely; for more details, see Salesforce’s privacy notice.

This information is used to maintain an accurate record of your details including contact preferences and the services (if any) you engage Charity Bank with.

We use a third-party provider’s service, Google Optimize, a company based in the US, to test various versions of our website to identify which performs best for our users. Google shares insights from Google Optimize with other Google products including Google Analytics and Google Tag Manager.

To opt out of Google Optimize, please visit our cookie policy for further details.

For more information, please see Google’s privacy policy. Google is registered with the EU-US Privacy Shield Framework, which means that it has committed to manage personal data to an equivalent standard to that which is required of companies based in the EU. You can find out more about the framework and how it protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States here.

Search engine

Our search facility on the Blog section of our website enables us to review search queries and results; these are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either Charity Bank or any third party.

Security and performance

Charity Bank uses a third-party service provider to help maintain the security and performance of our website. To deliver this service the provider processes the IP addresses of visitors to the website. This company is a “data processor” for Charity Bank and only processes personal information in line with our instructions.

Use of cookies by Charity Bank

At Charity Bank, we use cookies on our website as follows:

  • First party cookies: to promote our “legitimate interests”, either to analyse how users interact with our website (so that we can make improvements) or to provide users with a service they have requested through the website (e.g., to enable the user to submit an application form for a new savings account).
  • Third-party cookies: we only permit third parties to place cookies on our website where the user has consented to this through the consent management platform provided by Quantcast. To manage your preferences in relation to third-party cookies, please use the Quantcast tool which will pop up when you visit our website (at thirty-day intervals). When you visit the Charity Bank website you will be asked whether or not you agree to us tracking your activity as you use our website. By “tracking your activity” we will be able to better tailor our content for you and you will receive more tailored search results/advertising once you leave our website. If you do not agree to us tracking your activity, we will not collect any information about your visit other than the information we need to process any requests you may make through the website (e.g., to apply for a savings account or to subscribe for our emails). If you do agree, then our partner, Quantcast, a limited company based in Dublin, Ireland, will store this preference in a framework cookie which other websites will be able to “read” in order to adapt their content accordingly. This cookie would usually expire after 13 months. You can find out more about Quantcast’s Privacy Policy here: https://www.quantcast.com/en-uk/privacy/ and the technical framework here: https://help.quantcast.com/hc/en-us/articles/360003814853-Technical-Implementation-Guide.

For more information about how we use cookies, please see our cookie policy.

Subscribing to our e-newsletter

We are currently using a third-party provider, Constant Contact, a company based in the US, to deliver our monthly e-newsletters. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.

For more information, please see Constant Contact’s privacy policy. Constant Contact is registered with the EU-US Privacy Shield Framework, which means that it has committed to manage personal data to an equivalent standard to that which is required of companies based in the EU. You can find out more about the framework and how it protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States here.

Participating in Customer Surveys / Voting

We collect information volunteered by our customers using an online survey tool hosted by Survey Monkey. This company is a data processor for Charity Bank and only processes personal information in line with our instructions. We will only use the information provided for the purposes specified in the survey, usually to help us to monitor, review, report on and improve our customer service. Whenever we share the results of the survey with our investors or members of the public, we will use the information only in ways that will not identify any individual.

For more information, please see Survey Monkey’s privacy policy. Whilst the services are provided to Charity Bank by Survey Monkey Europe, the parent company is based in the US. This parent company is registered with the EU-US Privacy Shield Framework, which means that it has committed to manage personal data to an equivalent standard as is required of companies based in the EU. You can find out more about the framework and how it protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States here.

Providing Case-Studies/taking part in interviews

From time to time we will engage freelance writers to produce content for our website, particularly within the Blog section. These individuals may carry out face-to-face or telephone interviews with specific Charity Bank contacts (including customers, employees and individuals employed by businesses working with Charity Bank) for the purposes of creating content for the website. We will always seek your consent before we arrange for an interview to take place and there is no obligation to accept our invitation. Once you have agreed to take part in an interview, we may share your contact details with the relevant freelance writer for the sole purpose of contacting you to arrange and carry out the interview.

Attending our Events

From time to time, we will host networking or learning and development events for our customers and contacts. Most often these take the form of webinars, but we do hold an annual Impact Award ceremony where we invite our savers and borrowers to meet each other so that our savers can see how we have used the money they have deposited with us, and our borrowers can meet some of our savers face-to-face. Together with our business contacts and our company personnel, our savers and borrowers can celebrate the achievements of some of the charities and social enterprises who have borrowed funds from us in the previous year. We will usually invite a keynote speaker from the sector to say a few words.

We would usually engage a photographer or videographer to take images of the Impact Awards ceremony for us to use in our promotional material. If we are going to do this, we will let you know within our invitation to you and you will have the opportunity to choose on the day whether or not you are filmed.

On the day, all attendees will be asked by one of our employees whether or not they are willing to be filmed. We will keep a note of your decision for our own records, usually within the attendance register, and will proceed as follows:

  • if you decide on the day of the event that you would not like to be filmed, you will be given a sticker and shown to an area of the venue which we have marked out as a non-filming zone; or
  • if you decide on the day that you are content to be filmed, you agree that we may use your image and any associated audio recordings in our promotional material (including within direct marketing campaigns, on our website, in promotional literature and on our social media channels) for a period of up to five years from the date of the event and that we may store and use your image in line with legislative requirements current as at the date of the event.

We use the services of Eventbrite to send electronic invitations and manage attendance lists for many of our events. We input contact details into the platform in order to send out invitations and to track responses. Eventbrite, Inc is a U.S. company but is registered with the EU-US Privacy Shield Framework, which means that it has committed to manage personal data to an equivalent standard as is required of companies based in the EU. You can find out more about the framework and how it protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States here.

2018 Follow the Money campaign visits

As part of our 2018 Follow the Money campaign visits, you may be invited to be filmed (still images and/or audio-visual footage). We will use the footage in our promotional material, both campaign-specific and general. If you decide on the day that you would not like to be filmed, you should make your wishes clear to the photographer who will make sure that you are not included. If you are content to be filmed, then you should ask the photographer for a consent form, read this through carefully and sign and return it to the photographer. On some occasions we will have sent the consent forms out in advance. We would encourage parents/guardians to talk through the consent form with the relevant child(ren) to make them aware of the permission being given on their behalf and how to withdraw their consent.

Images will be securely dispatched using the Huddle file sharing platform. Huddle is the trade name of UK-based company Ninian Solutions Ltd. You can view Huddle’s privacy policy here: https://www.huddle.com/privacy/.

Permission form for adults and young people aged 13 or over

These forms will set out the purposes for which we (and any named third parties) may use the footage, the period for using the footage and how footage will be stored.

If you have any queries or wish to withdraw your consent, please email marketing@charitybank.org.

Permission forms signed by parent/guardian on behalf of child(ren) under 13

These forms will set out the purposes for which we (and any named third parties) may use the footage, the period for using the footage and how footage will be stored.

We will not publish any names (including first names only) alongside the images unless we have specific permission to do so. If you have any queries or wish to withdraw your consent, please email marketing@charitybank.org.



Contacting us via social media

If you send us a private or direct message via social media, this will remain on the relevant platform in accordance with the terms and conditions of that platform.

Applying for an account

Applying for a Savings Account with us

You are now able to apply for certain personal and business savings accounts through our online platform. This is provided under licence from Sandstone Technology (Europe) Limited (a company incorporated in England & Wales which is a wholly owned subsidiary of Sandstone Technology Pty Ltd, an Australian company). Even though the parent company is based in Australia, as it may be involved in the processing of data of our customers who are EU citizens, it is legally obliged to comply with the requirements of the GDPR. You can view the parent company’s privacy policy here: Privacy Policy of Sandstone Technology Pty Ltd. You can also find out more about Australian privacy laws and how they compare with the requirements of the GDPR here: Australian Privacy laws compared to the GDPR. Our contract is with Sandstone Technology (Europe) Limited and we would not expect this company to routinely access your personal data. We have ensured, through our contractual terms with Sandstone Technology (Europe) Limited that on the rare occasion where we are required to share personal data in order for the company to provide us with effective support services, the processing is only carried out in the UK on Charity Bank premises using Charity Bank systems under the supervision of Charity Bank staff.

If you use our online savings application process, you should be aware that we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor-behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information (other than through your IP address which we cannot link to you individually) through our website, we will tell you this. We will make it clear when we collect personal information and will explain what we intend to do with it. In this case, the lawful basis for processing of this information is “legitimate interests”.

Other applications can be made by completing a paper form and posting it to us. We process the data received from the online platform and from the paper applications in the same way.

Initial credit checks for all new personal savers and for trustees/directors/senior managers at new business savers are undertaken by CallCredit Limited (a company incorporated in England & Wales which is a wholly owned subsidiary of the company CallCredit Information Group Ltd, also incorporated in England & Wales). The purpose of the contract with CallCredit Limited is to help Charity Bank to identify and prevent the risk of fraud by (i) verifying an individual’s identity and (ii) checking the validity of sort-codes, account numbers and credit/debit card numbers. The contract requires both parties to adhere to the requirements of the DPA and has recently been amended to incorporate all the relevant GDPR requirements. The service to which we subscribe is described more fully in this web-page: CallValidate. The Privacy Policy published by the parent company, Information Group Limited, can be found here: General-privacy-policy from Callcredit Information Group Limited. Whilst these initial checks are, for the most part, automated, we will never make a credit decision based solely on information provided by an automated service. We supplement these initial credit checks with further manual processes.

Small Steps - existing accounts only

As with many banks, we offer a savings account for those under the age of 16. We are not accepting new applications for this account.

Our contractual relationship is with the adult who opens and runs this account on behalf of the child. The account is in the name of the child and the money in the account belongs to the child. The adult will open, run and close the account on the child’s behalf and must manage the account in the child’s best interests. The adult must be aged 18 or over and otherwise meet our requirements for opening this type of account. A child may only have one account with Charity Bank. Once the child reaches the age of 16, in the absence of alternative instructions from the adult managing the account, we will transfer the balance on the account to a standard 33-day notice savings account.

We will only process the personal data of a child to the extent that it is strictly necessary for us to run their account. This will typically be limited to the child’s name and date of birth since all correspondence will be sent to the adult’s address.

As a matter of policy, we do not send direct marketing material to those under the age of 18.

Applying for a Charity Bank Loan

We provide loans to charities, charitable organisations, social enterprises and private companies limited by shares with worthwhile social impacts. We will process the personal data of trustees/directors/senior managers only to the extent necessary to make a decision on whether or not to lend to the organisation, to monitor its continuing credit quality or to decide on our actions if the borrower suffers financial stress, and to provide the primary contact with our e-newsletter.

We may, with the prior permission of the relevant individual within a borrower or potential borrower’s organisation, share that individual’s contact details and job titles with third parties such as solicitors, valuers and surveyors, but this will be for the sole purpose of contacting that individual so that they can provide services to the organisation directly. Once initial contact has been made with the relevant individual, those service providers will become responsible for their own processing of the personal data of those nominated contacts.

Receiving information about Charity Bank

Any information which we send to an individual by email or post or which we provide to them over the telephone, which promotes our organisation or its products and/or services to that individual with the specific intention of securing (further) business from them, falls within the definition of “direct marketing” as set by the ICO. We never make automated calls or send “direct marketing” material by fax.

We may send Direct Marketing material to an individual without them requesting this (unsolicited) or we may send “direct marketing” material to an individual in response to a request (solicited) or because it relates to a product or service which is similar to one which the individual already has (related). The rules for these three types of marketing are different.

Before we send out unsolicited “direct marketing” by post, we will check that you have not registered with a preference service or previously asked us not to send you this type of information by post. If we do send you unsolicited “direct marketing” by post, we will let you know how we obtained your contact details and we will let you know how to stop receiving similar information from us in the future.

We will never send unsolicited “direct marketing” material by email unless you have told us in advance that you are content for us to do so. If that is the case, we will keep and maintain a record of any consent you have given and what it covers. We will also include an “unsubscribe” link in every email communication we send to you which does not directly relate to your account or business relationship with us.

If you have asked us to send you more information about our organisation, products and services we will do so and may send this to you by email, post or by telephone, whichever we deem to be the most appropriate method (unless you have clearly stated that you do not wish to be contacted in a particular way).

On occasions, we may write to you (by post or email) or phone you about a product or service which we think may be of interest to you and which is similar to one you currently have or have had in the past. For example, if you have a 1-year savings account with us which is due to reach maturity, we will contact you to find out what you would like to do and this may include providing you with information about another savings account into which you may wish to transfer your funds upon maturity. We do not need your specific consent to send you that information, as it is not unreasonable for us to expect that you would want to receive that information at that point in time and we already have your contact details.

At times, we will follow-up postal marketing campaigns with a phone-call. Again, we will have carried out checks to ensure that you have not registered with a preference service or requested that we do not contact you in this way for marketing purposes. We will also check whether or not you are content to receive similar calls in the future. We will monitor the number of calls we make to ensure that we do not contact you too frequently.

Where we send information to an individual in their capacity as an employee in a particular role at a particular organisation, we are sending that information to the organisation, not the individual. We know that in charities and social enterprises (as opposed to sole traders), decisions are not usually made by one person. For this reason, the rules relating to “business to business direct marketing” are slightly different. If we think that your employing organisation may be interested in receiving information about our organisation and its products and services, we will write to you with relevant details, but we will let you know how we found your contact details and we will give you the opportunity to decline to receive information about us in the future. We will not, however, contact you with direct marketing about our personal savings accounts, as that would be marketing to you outside your role as a contact for your organisation.

We do not classify invitations to our Annual Impact Awards as “direct marketing” as this event is primarily an opportunity for company personnel, savers, borrowers and other business contacts to meet together to celebrate the way in which Charity Bank uses savers’ money to support charities and social enterprises and to acknowledge the great work that some of our borrowers are achieving. For this reason, we will send invitations to our personnel, current and past customers and current business contacts as a matter of course. We may send invitations by email or by post, as we deem most appropriate, although we will take into account any clearly stated preferences and will usually send invitations by post to individuals who have unsubscribed from our e-newsletter.

Invitations to other events may, on occasions, be considered direct marketing but, again, only if there is a clear intention to secure (further) business from a named individual. We will usually promote these via our website or social media, rather than inviting an individual specifically. If you do receive an invitation from us, this will usually be in response to a request from you for more information about our organisation, products or services, although we may have identified you from our own research as someone who would be interested in receiving an invitation.

Submitting a Data Protection query

To make a request to Charity Bank for any personal information we may hold, you need to put the request in writing addressing it to our Data Protection Lead at Fosse House, 182 High Street, Tonbridge, Kent, TN9 1BE. Other queries can be sent by email to GDPR@charitybank.org.

When you submit a data protection query we will deal with this as quickly as we can and, where applicable, within any relevant statutory timeframes. Please provide as much detail in your request as possible. Please also read this Privacy Notice in full before submitting your query as you may find that the response you are seeking is contained in this document.

Charity Bank tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making an “access request”. Please provide evidence of your identity with your request, so that we can make sure that we are responding to the individual about whom the personal data relates.

If we do hold information about you, and we are able to verify your identity, we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible form.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can also ask us to correct any mistakes by contacting our Data Protection Lead.

Making a complaint

Charity Bank tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

If you want to make a complaint about the way we have processed your personal information, you can contact the Data Protection Lead at the address given above. Please provide as much detail as possible to help us to review your concerns.

When you submit a data protection complaint we will deal with this as quickly as we can and, in any event, within relevant statutory timeframes. Please remember that we will be able to respond more quickly if you provide evidence of identity with your query as we cannot provide our response until we are sure we are releasing it to the right person.

When we receive a complaint from a person, we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile statistics, such as the number of complaints we receive, and share them with our regulators, but not in a form which identifies anyone.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. But it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for a maximum of six years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Similarly, where enquiries are submitted to us, we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

Right to complain to the Information Commissioner’s Office

If you have a concern about the way in which we are Processing your Personal Data and we have not been able to resolve that concern directly with you, you may complain to the Information Commissioner’s Office (ICO). You may call the helpline on 0303 123 1113. Further details about how to submit a report to the ICO can be found here.

Formats

If you would like to receive a copy of this Privacy Notice in a more accessible format, for example, in Braille or large-print or audio format, please contact GDPR@charitybank.org.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 4th September 2018.
