May 2021 update, version 16.
Effective 08 August 2022
Effective 13 May 2022
Charity Bank is registered with the Information Commissioner’s Office (ICO) as a Data Controller. Our registration number is Z6540626 and you can find details of our registration here. We review and update our register entry every year.
If you have any queries relating to Charity Bank’s registration as a data controller and/or its use of your personal data, you should contact our Data Protection Lead at [email protected] or Data Protection, Fosse House, 182 High Street, Tonbridge, Kent, TN9 1BE.
In this privacy notice, we use some new technical terms which are defined in the General Data Protection Regulation (GDPR) and related legislation. To help you to better understand this Privacy Notice, and your rights in relation to how we process your personal information, we have summarised the meanings of these terms and their relevance to you in the sections below:
Criminal Offence Data
Criminal Offence Data is a type of personal data which is subject to additional controls, given that the impact of any unlawful processing of this data on an individual could be particularly significant. Charity Bank will only process Criminal Offence Data in relation to our employees and those individuals otherwise providing services to Charity Bank (such as our Directors) and will only do so if the role they are performing for Charity Bank is regulated or is one which requires Charity Bank to have specific reassurance that the individual is suitable for the role. For this reason, the processing of Criminal Offence data is not covered in this Privacy Notice.
Vital Interests
We are very unlikely in the ordinary course of business to process any data in order to protect your vital interests or the vital interests of another individual. If we found ourselves in the position of having to share personal data about you with the emergency services in order to protect you from an imminent threat to your life, we would do so and you would not have the right to object to us doing so. It is highly unlikely, however, that we will hold personal data which would be of use to the emergency services and which they could not find out from a more appropriate source (such as your doctor/medical professional or next of kin).
Legitimate Interests
We are legally permitted to process your data when we need to do so to promote our “legitimate interests”, provided that there is no overriding duty to protect the rights of the individual. This is the most common “lawful basis for processing” as it ensures that we can continue to process data to the extent we need to do so to run our business effectively, provided that we respect your rights and manage your personal data in a responsible manner. Examples of “legitimate interests” specifically mentioned in the GDPR include: (i) use of customer and employee data, (ii) marketing, (iii) fraud/crime prevention and (iv) IT security. Before we rely upon this lawful basis for processing, we will carry out an impact assessment to ensure that our intended processing is proportionate and that we respect your rights and interests. This will be particularly important where we intend to process the personal data of someone under the age of 18 or someone who is particularly vulnerable or where the personal data is of a sensitive or private nature. If we rely upon “legitimate interests” as our lawful basis for processing your personal data then you can still object to that processing and you can ask us to delete your data. You will not have the legal right, however, to ask us to transfer that data to another provider.
Legal Obligation
We are legally permitted to process your data when we need to do so in order to comply with a legal obligation to which we are subject (this does not include contractual obligations, which are a separate basis for processing). We do not need to have your consent to carry out this processing and you do not have the right to object. You do not have the right to request that we delete the personal data we hold; nor do you have the right to request that we transfer that data to another provider. This is because we do not have a choice as to whether or not we process your data but are required to do so in order to comply with our own legal obligations.
Contractual Performance
We are legally permitted to process your data when we need to do so in order to fulfil our contractual obligations to you or when you have asked us to do something before entering into a contract with us. We do not need to have your consent to carry out this processing and you do not have the right to object. You may request that we delete any personal data which we hold which you think that we don’t need, but please bear in mind that we will be legally entitled to continue to process your personal data to the extent we need to do so in order to fulfil our contractual obligations to you. If you wish us to stop processing that data altogether, you will have to terminate your contract with us in accordance with its terms. You may request that we transfer your personal data to another provider and we will be obliged to do so; but we may need to continue to process your personal data for a period of time to ensure a smooth transition to the new provider. We will retain a record of your personal data beyond the expiry of the contract to ensure that we have an accurate audit trail which meets our legal and regulatory obligations. This Privacy Notice sets out the maximum retention period for different types of personal data collected at different stages of the customer journey.
Consent
We are legally permitted to process your data where you have agreed that we may do so. By law, your agreement must be freely given, specific, informed and unambiguous. We are required to keep a record of how you have communicated your consent to us. Our records may include copy correspondence (including emails), file notes, completed forms or entries within our IT systems. You are free to withdraw your consent at any time and can do so by contacting our Data Protection Lead. You also have the right under the GDPR to request that we erase any personal data which we have been processing with your consent or that we transfer that data to a third party you have nominated. It is important for you to remember that consent is not required for all the processing we carry out.
Lawful Basis for Processing
Under the GDPR, organisations are required to have a legal reason to process the personal data they collect in different situations and to notify individuals of that reason. You should understand the different reasons for the processing of your data in different situations because the lawful basis for the processing affects the legal rights you have (in terms of asking Charity Bank to change the way we process your personal data). This Privacy Notice states the lawful basis for the processing in each of the different situations contained within the document. If you are unclear at any time as to which lawful basis for processing applies to the processing of your data at any particular time, you should contact our Data Protection Lead with a request for clarification.
In summary, we routinely collect the following personal data in relation to our customers and business contacts:
On occasions, we may collect and process additional personal data but this will only be where this is relevant to our relationship with you, and we will explain clearly in our correspondence with you why we are requesting that data, how it will be used and for how long we will keep it.
As you would expect, we collect and process more personal data in relation to our own personnel (including applicants), but this is not within the scope of this Privacy Notice.
Please click on the relevant section below:
Other Business Contact: Supplier contact
Named contact at third-party organisation which supplies goods and/or services to Charity Bank
Type of personal data we would typically hold:
Lawful Basis of Processing:
Your Privacy Rights:
How long we would usually keep your personal data for:
Other Business Contact: Sector contact
Named contact at third-party organisation working in or with the charity and social sectors
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Other Business Contact: Advisor
Named contact at third-party organisation which provides us with advice
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Other Business Contact: Introducer
Named contact at third-party organisation which refers business to us
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Other Business Contact: Investor
Individual loan-note holders and named contacts at organisations which have invested in us through loan-notes or shares
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Borrower: No longer a customer
Named contact at organisation with closed loan account(s)
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Borrower: Active customer
Named contact at organisation with active loan account(s)
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Borrower: Interested in opening an account
Named contact at organisation interested in a loan account
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Data Sharing:
Borrower: Just heard about Charity Bank
Named contact at organisations which we think will be interested in opening a loan account
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Business/Charity Saver: No longer a customer
Named contact at organisation with closed savings account(s)
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Business/Charity Saver: Active customer
Named contact at organisation with active savings account(s)
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Business/Charity Saver: Interested in opening an account
Named contact at organisation interested in a savings account
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Data Sharing:
Business/Charity Saver: Just heard about Charity Bank
Named individual at an organisation which we think will be interested in opening a savings account
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Personal Saver: No longer a customer
Individual with closed personal savings account
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Personal Saver: Active customer
Individual with active savings account(s)
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Personal Saver: Interested in opening an account
Individual interested in personal savings accounts
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Data Sharing:
Personal Saver: Just heard about Charity Bank
Individuals we think will be interested in savings accounts
Type of Personal Data we would typically hold:
Lawful Basis for Processing:
Your Privacy Rights:
How long we would usually keep your Personal Data for:
Data Sharing:
Retention Period
We are required to retain a record of your personal data even after we have stopped processing your data. The period of time for which we retain that record is known as the “Retention Period”. We have given an indication of the standard Retention Period for different situations in this Privacy Notice. If you have a specific query which is not addressed in this Privacy Notice you should contact our Data Protection Lead.
Rights related to automated decision making, including profiling
The GDPR introduces two new concepts. First, “automated decision-making” (making a decision solely by automated means without any human involvement). We do not carry out any automated decision-making. Although we do use a third-party automated service to help us to assess whether or not an individual is eligible to open a savings account with us or for the purposes of verifying the identity of a trustee/director/manager of a potential corporate saver, we will not base our decision solely on the basis of the third-party automated service. Second, “profiling” (automated processing of personal data to evaluate certain things about an individual). Again, we do not carry out any automated profiling. We may, for example, carry out research using information in the public domain to ascertain the likelihood of you being interested in our organisation, products or services, but this process will always involve the exercise of human judgment.
Right to object
If we are processing your data on the grounds of legitimate interests, you have the right to object to our processing of your personal data but only where we cannot demonstrate a genuine business reason for that processing (such as we need to process your data to operate your account or to bring or defend a legal claim). You do have an absolute right to object to receiving information directed specifically to you, as an individual, about our organisation and those of its products and services which you do not already have, as this falls within the definition of “direct marketing”. If you are only receiving information about our organisation, products and services because you are an employee of an organisation which we think will be interested in our products and services then you will not be able to object to our processing your data, as this is not “direct marketing”, but you will be able to opt-out of receiving information about our organisation, products and services by contacting our communications team or by using the “unsubscribe link” at the bottom of our emails.
Right to data portability
If you have provided us with personal data directly and we are processing that on the grounds of “consent” or “contractual performance”, then you have the right to ask us to move, copy or transfer personal data from our IT systems to those of another provider free of charge and in a safe and secure way without prejudicing the usability of the data.
Right to restrict processing
Under the GDPR you have the right to restrict the processing of your personal data. This will be of particular relevance to you in a situation where you are content for us to store your data but not to continue to process it. For example, if you have closed your account with us you may not wish us to continue to use your personal data, but you may wish us to keep a record of the dates between which you held a savings account with us (to inform your tax planning and reporting). At times, we will be required to restrict processing on a temporary basis to protect your interests, for example, whilst we are considering a request from you to delete personal data. If a restriction is in place, then we will confirm relevant details of the restriction to any third parties to whom we have disclosed your data. We will also keep you informed, so that you know whenever a restriction is in place or has been lifted.
Right to erasure
This is the formal name for the “right to be forgotten” which you may have read about in the press. This informal name is not quite correct. The GDPR does not provide you with an absolute right to be “forgotten” because there are some overriding reasons which permit organisations to keep personal data (including the making of or defending of legal claims). You do have the right, however, to request that we delete personal data where there is no compelling reason for us to continue to process that data. As a matter of best practice, we routinely review our records and will not keep personal data beyond any stated Retention Period without a valid reason nor will we continue to process your data when you have asked us not to (unless we have to continue to process your data due to a legal obligation we are under or in order to fulfil a contract with you which you have not terminated, in which case we will make you aware that this is so). For this reason, we think that it would be in very exceptional circumstances that you would wish to exercise this right of erasure. If you wish to submit a request for us to delete personal data, then please contact our Data Protection Lead. We will consider your request in light of all relevant information available to us at that time and respond accordingly. If we agree that your data should be deleted, then we will also notify any third parties to whom we have disclosed your data that you have requested the data is to be deleted, so that they can take steps to erase copies or links to that data.
Right to rectification
Under the GDPR you have the right to ask us to correct any personal data we hold, if it is inaccurate or incomplete. For example, you may be moving to a new house and so you know that your contact details will no longer be correct from a certain date. If we receive a request from you to update our records, we will let you know when we have made the changes (usually within one month of the request). We will also let you know the identity of any third parties with whom we routinely share that data, so that you can contact them to ensure their records are up to date as well.
Right of access
In addition to your right to be informed so that you know what data we are processing and why, you have the right to request access to the personal data we hold on our systems, so that you can verify that we are processing your data lawfully. If you make a request, you will need to provide evidence of your identity, so we know that we are releasing the data to the right person. Requests should be submitted to the Data Protection Lead. Once you have submitted your request and provided evidence of your identity we will contact you to confirm that we are processing your request and to explain the next steps. We will usually supply you with the data within one month of the date of your request. If we need more time, we will let you know. Please remember that you are only entitled to request a copy of your personal data from us in order to check that we are processing your data lawfully. If we feel that your request has been made for other reasons, we may be entitled to refuse to supply a copy of the data to you. If we do refuse your request, we will let you know why and we will remind you of your right to complain to the Information Commissioner’s Office (ICO) about our decision.
Right to be informed
Under the GDPR you are entitled to receive certain information about how organisations use your personal data. This Privacy Notice complies with the legal requirements and will be updated from time to time to reflect best practice, as further guidance and case-notes are published.
You can find out more by visiting the ICO’s Guide to the GDPR
Providing us with goods and/or services
From time to time we will contract with third party organisations for the provision of goods and/or services to Charity Bank. In order to manage and monitor that relationship effectively and to meet our contractual obligations we will process the personal data of individuals employed by (or associated with) those organisations. These details are stored within our internal systems. We are currently using an accounting software solution known as Sage 200 to store relevant supplier details, including personal data of individual contacts. We have written to Sage to restrict the processing of personal data which we input into this software solution to ensure that personal data is not being used by Sage for marketing purposes. Sage’s privacy notice can be viewed here: https://www.sage.com/en-gb/legal/privacy-and-cookies/
How we protect your personal data
We take all reasonable steps to protect your personal data through technological means and internal processes. All personal data we receive is stored either electronically or in paper format in our internal systems which are secure and cannot be accessed by external parties without our authorisation. We do not give out personal information on the telephone or by email unless you have requested that we do so and we have verified that it is you making the request. We regularly back-up the data which we hold and ensure that these back-ups are subject to an equivalent level of technological and organisational safeguards as the original data. We regularly test the resilience of our systems and make adjustments as required.
As you would expect, some of our IT suppliers are large international companies, but as they are processing the Personal Data of EU citizens, they are required to adhere to the requirements of the GDPR. You may request further information about our IT systems and approach to information security (including a list of our third-party suppliers) by contacting our DP Lead.
We will only give authorisation to third parties to access our systems where they are providing a service to us under a written contract which includes terms requiring them to protect your data. These services may include: internal/external audit, IT consultancy (software/hardware) or IT advisory services (user support). We ask all our IT suppliers to go through a rigorous procurement exercise to ensure they meet our requirements in terms of protecting your data. As you would expect, our ability to negotiate contractual terms with larger companies may be extremely limited. In this situation we will take all reasonable steps to protect your data.
We limit the processing of data outside the European Economic Area (EEA). For a current list of countries in the EEA, please see the list here. All our own IT systems and back-up systems rely on data-centres located within the European Union (EU) (a smaller set of countries than the EEA). Where we use the services of a third party which requires the transmission or handling of personal data outside the EU we will notify you, by including the relevant details within this Privacy Notice. Whilst the GDPR has effect on all organisations (wherever they are located) which process the personal data of EU citizens, we do take steps to ensure, through due diligence and contractual terms, that the third-party supplier is committed to a high standard of data protection compliance.
Involving third parties in the collection or processing of personal data
From time to time we may involve a third party in the collection or processing of personal data. Where we regularly involve a third party in the processing of personal data, full details are set out in this Privacy Notice.
We only work with third parties which meet our stringent procurement criteria. Under these criteria we review not only their ability to provide the goods or services we require but also their general ethos (commitment to the charity/social sector) and working practices.
Before we work with a third party on a new project involving the processing of personal data, we will carry out a Data Protection Impact Assessment.
We will also ensure that the terms of the contract with any third-party data processor meet the legal requirements imposed by the GDPR (by specifying the processing which will take place and setting out the standards which the processor must meet when processing personal data on our behalf and the permissions it needs from us in relation to the processing), that the third party only processes data in accordance with our written instructions, that the third party is aware of and will comply with its duties and obligations under current data protection legislation and that we have the right to audit their processes and records.
On occasion, we will be required to verify the validity of your email address with third parties for technical deliverability. We will only share the minimum amount of data required to facilitate this process and Data8, acting as a Data Processor, will only process data based on Charity Bank’s specific instructions. You can view Data8’s privacy notice here.
On occasion, we will be required to share your personal data with third parties for regulatory and audit purposes. We will only share the minimum amount of detail required for the purpose and will anonymise records where we can. These third parties are subject to duties of confidentiality and they will not be permitted to share your data outside their own organisation other than in exceptional circumstances, such as where there is an overriding public interest, including the prevention or detection of crime. Details of our current auditors are listed in our Annual Accounts – currently PWC and KPMG – and our regulators are the Prudential Regulation Authority, the Financial Conduct Authority and the Information Commissioner’s Office. We also send information to the Department for Business, Energy & Industrial Strategy, to enable us to maintain our licence to offer Community Investment Tax Relief to eligible depositors/investors. You may click on the hyperlinks given in this paragraph to be directed straight to their privacy notices.
How we collect information about individuals
We collect personal data through a variety of methods, including through our website, application forms, postal or email communications, during meetings, at events, over the telephone, from publicly available sources and from selected third parties.
Whenever we collect information about you, we will tell you how your information will be used. This may be in the application form itself or as part of our conversation with you. If you would like to send information to us by email, please remember that email is not absolutely secure so we advise you to keep personal information to a minimum to reduce the risk of fraud.
Whenever we collect personal data from publicly available sources in order to find your contact details, we will confirm to you the source of that data in our initial communication with you. The sources of information we typically use are: the Companies House website, the Charity Commission website, an organisation’s own website and, where relevant, an individual’s “public” profile on LinkedIn (i.e., information which is available to view without being one of your “connections”).
Use of cookies by Charity Bank
At Charity Bank, we use cookies on our website as follows:
For more information about how we use cookies, please see our cookie policy.
Security and performance
Charity Bank uses a third-party service provider to help maintain the security and performance of our website. To deliver this service the provider processes the IP addresses of visitors to the website. This company is a “data processor” for Charity Bank and only processes personal information in line with our instructions.
Search engine
Our search facility on the Blog section of our website enables us to review search queries and results. These are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either Charity Bank or any third party.
Browsing our website
Charity Bank uses Salesforce Pardot to collect enquiries through website contact forms and to provide users with relevant content based on the interactions made on the website. Our CRM system provided by Salesforce stores your data securely. For more details, see Salesforce’s privacy notice.
This information is used to maintain an accurate record of your details including contact preferences and the services (if any) you engage Charity Bank with.
We use a third-party provider’s service, Google Optimize, a company based in the US, to test various versions of our website to identify which performs best for our users. Google shares insights from Google Optimize with other Google products including Google Analytics and Google Tag Manager.
To opt out of Google Optimize, please visit our cookie policy for further details.
For more information, please see Google privacy policy. Google is registered with the EU-US Privacy Shield Framework, which means that it has committed to manage personal data to an equivalent standard to that which is required of companies based in the EU. You can find out more about the framework and how it protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States here.
Search engine advertising
Please note that Charity Bank advertises via search engines including Google and Bing that may lead you to our website. When you visit us from these adverts, search engines collect limited data to provide you with further internet-based advertisements related to your search interest.
To adjust your ad settings with the search engines we use, visit Bing privacy dashboard and Google help pages.
We also use Bing Universal Event Tracking, a company based in the United States, to detail your engagement with our search engine advertisements and experience with our website.
To adjust Bing’s cookie access please visit our cookie policy for further details.
For more information, please see Bing’s privacy policy.
Website Publication
We use a third-party service, Enovate Design Ltd, to publish our website. The website is hosted by Enovate Design Ltd through Amazon Web Services at www.charitybank.org and supported by Amazon Relational Database Service (RDS), Amazon’s Simple Email Service (SES), GitHub & GitLab. GitHub is registered with the EU-US Privacy Shield Framework, which means that it has committed to manage personal data to an equivalent standard to that which is required of companies based in the EU. You can find out more about the framework and how it protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States here.
We use a standard Google Analytics & Google Tag Manager service to collect anonymous information about users’ activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it.
We use a third-party provider, Amazon Web Services (AWS) CloudFront CDN and Amazon S3 (Simple Storage Service), a company with servers based in the UK and Dublin, to provide you with the highest quality images for the device that you access our website on. Images of users who have provided us with consent to use them are uploaded for hosting and processing by the Content Delivery Network (CDN).
For more information, please see Amazon Web Services privacy policy. AWS is registered with the EU-US Privacy Shield Framework, and is committed to manage personal data to an equivalent standard to that which is required of companies based in the EU. You can find out more about the framework and how it protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States here.
For more information about how these third parties process data, please see their privacy notices as follows:
Enovate Design Ltd https://www.enovate.co.uk/privacy
Amazon Web Services https://aws.amazon.com/privacy/
GitHub https://help.github.com/articles/github-privacy-statement/
Analysis
When someone visits www.charitybank.org, or uses our online savings application process, we use a third-party service, Google Analytics & Google Tag Manager, to collect standard internet log information and details of visitor-behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information (other than through your IP address which we cannot link to you individually) through our website, we will tell you this. We will make it clear when we collect personal information and will explain what we intend to do with it. In this case, the lawful basis for processing of this information is “legitimate interests”.
We use a third-party provider, Full Story, a company based in the US, to provide us with details on your experience using the website. We gather anonymous session videos to improve our website and fix any issues that are encountered.
To adjust Full Story’s cookie access please visit our cookie policy for further details.
To request deletion please email [email protected]
For more information, please see Full Story’s privacy policy. Full Story is registered with the EU-US Privacy Shield Framework, which means that it has committed to manage personal data to an equivalent standard to that which is required of companies based in the EU. You can find out more about the framework and how it protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States here.
We use a third-party provider, LinkedIn, a company based in the US, to provide us with details on your engagement with our targeted marketing activity and experience with the website.
To adjust LinkedIn’s cookie access please visit our cookie policy for further details.
For more information, please see LinkedIn’s privacy policy. LinkedIn is registered with the EU-US Privacy Shield Framework, which means that it has committed to manage personal data to an equivalent standard to that which is required of companies based in the EU. You can find out more about the framework and how it protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States here.
Links to other websites
Please note that certain hypertext links in this website may lead you to websites which are not under the control of Charity Bank. When you activate these, you may leave the Charity Bank website. These links are provided solely for your convenience and do not represent any endorsement or recommendation by Charity Bank.
Charity Bank accepts no responsibility or liability for the contents of any website to which a hypertext link exists and gives no representation or warranty as to the information on such websites. Charity Bank accepts no responsibility or liability for any loss arising from any contract entered into with any website to which a hypertext link exists.
We are currently using two third-party providers to deliver our monthly e-newsletters. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.
The first system, Pardot, can only be used for permission-based marketing and integrates with our CRM system provided by Salesforce. You can find out more about Salesforce and Pardot by visiting their privacy statements at: https://www.salesforce.com/uk/company/privacy/ and https://www.pardot.com/legal/
The second system, Moosend, is used to send out information by email on the basis of legitimate interests and soft opt-in. The platform is EU-based. You can view the privacy policy here: https://moosend.com/trust/privacy-policy/.
We collect information volunteered by our customers using an online survey tool hosted by Survey Monkey. This company is a data processor for Charity Bank and only processes personal information in line with our instructions. We will only use the information provided for the purposes specified in the survey, usually to help us to monitor, review, report on and improve our customer service. Whenever we share the results of the survey with our investors or members of the public, we will use the information only in ways that will not identify any individual.
For more information, please see Survey Monkey’s privacy policy. Whilst the services are provided to Charity Bank by Survey Monkey Europe, the parent company is based in the US. This parent company is registered with the EU-US Privacy Shield Framework, which means that it has committed to manage personal data to an equivalent standard as is required of companies based in the EU. You can find out more about the framework and how it protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States here.
From time to time we will engage freelance writers to produce content for our website, particularly within the News section. These individuals may carry out face-to-face or telephone interviews with specific Charity Bank contacts (including customers, employees and individuals employed by businesses working with Charity Bank) for the purposes of creating content for the website. We will always seek your consent before we arrange for an interview to take place and there is no obligation to accept our invitation. Once you have agreed to take part in an interview, we may share your contact details with the relevant freelance writer for the sole purpose of contacting you to arrange and carry out the interview.
From time to time, Charity Bank (‘we’, ‘our’) will host networking or learning and development events for our customers, contacts and staff members. Sometimes these take the form of webinars and sometimes we host live (or ‘face-to-face’) events, where Bank staff and/or customers and/or other stakeholders can meet and celebrate achievements, share experiences or just catch up with old friends!
What personal information does Charity Bank collect and process when you attend an Event?
There are three separate aspects to this – preparation for the event, attendance at the event, and any associated post-event tasks:
a. Preparing for the Event:
If you register (or are invited) to attend one of our events, we will share relevant information about you with our business partners to help ensure that the event runs smoothly. The information shared will usually be limited to your name, job title and your organisation’s name (where relevant), together with any specific information you have provided to us in relation to your attendance at the event (such as access or dietary requirements) and will be provided for the sole purpose of facilitating the event (unless you choose to opt-in to receiving future marketing from Charity Bank where appropriate information (name, e-mail, organisation/job title (if relevant)) for this purpose will be maintained). However, we will let you know beforehand if the information that we need is different to – or more than – this.
b. Attending the Event and any post-Event tasks
We may seek to gather, process and store data in the form of photographic images, video footage, audio recordings and perhaps verbal quotes – and we will refer to this, going forward, as ‘event content’ – as well as the categories of data, as above.
What lawful basis (or bases) would apply to this processing?
Data protection legislation allows six lawful bases for data processing – and the information gathered above will usually be shared on the grounds of legitimate interests. However, where we think that any information collected may contain sensitive data (such as access or dietary requirements) then we will consider that your consent has been provided, for the specific event only, to gather and share that information with appropriate entities (such as the venue/catering suppliers etc) by the nature of supplying us with this data.
We will also seek consent, in advance of an event, if we share your contact details with any of our business partners, or if we collate or use any ‘event content’ taken in our promotional materials (see below).
We do not sell or share your information with any other third parties.
What happens at an Event?
We may engage an appropriate professional to take ‘event content’ at an event, or this may be undertaken by a designated Charity Bank staff member (usually a member of the Marketing team), for us to use in subsequent promotional material. If we are going to do this, we will let you know within our invitation and/or as part of the event sign up process how you can opt out of event content either in advance or by speaking to one of the Charity Bank team when arriving at the event.
We will keep a note of your decision for our own records and will then proceed as follows:
If feasible and appropriate, delegates who do not wish to be captured in event content will be given a sticker and shown to an area of the venue which we have marked out as a non-filming zone.
If you decide that you are content to participate/be included (in ‘event content’), you agree that we may use your image, any associated audio recordings and any verbal quotes/comments in our promotional material (including within direct marketing campaigns, on our website, in promotional literature and on our social media channels) for a period of up to five years from the date of the event and that we may store and use ‘event content’ in line with data protection legislative requirements (applying as at the date of the event). We may also share event materials with appropriate media outlets/select third parties.
Deleting data that we have collated, processed and/or stored
It is important for you to know that we cannot – nor want to – keep personal data for any longer than is required. So, we have a ‘Data Retention Policy’, to which we adhere – though we should point out that the right of erasure is not absolute, but we will try to accommodate as much as we can (subject to, for example, regulatory, legal or contractual obligations).
For any data that is not used post-event (such as that relating to ‘Preparing for the Event’), we will delete any such data within 90 days of the event.
Where consent is – or is not – involved:
Does Charity Bank engage any third-parties to process data?
To help facilitate events, we would usually use third-party service providers such as Eventbrite and SurveyMonkey and other Professional Services – appropriate due diligence and risk assessments will be undertaken on any such entities.
1. Eventbrite
2. SurveyMonkey
3. Any Other Professional Services
If you send us a private or direct message via social media, this will remain on the relevant platform in accordance with the terms and conditions of that platform.
You are now able to apply for certain personal and business savings accounts through our online platform. This is provided under licence from Sandstone Technology (Europe) Limited (a company incorporated in England & Wales which is a wholly owned subsidiary of Sandstone Technology Pty Ltd, an Australian company). Even though the parent company is based in Australia, as it may be involved in the processing of data of our customers who are EU citizens, it is legally obliged to comply with the requirements of the GDPR. You can view the parent company’s privacy policy here: Privacy Policy of Sandstone Technology Pty Ltd. Our contract is with Sandstone Technology (Europe) Limited and we would not expect this company to routinely access your personal data. We have ensured, through our contractual terms with Sandstone Technology (Europe) Limited that on the rare occasion where we are required to share personal data in order for the company to provide us with effective support services, the processing is only carried out in the UK on Charity Bank premises using Charity Bank systems under the supervision of Charity Bank staff.
If you use our online savings application process, you should be aware that we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor-behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information (other than through your IP address which we cannot link to you individually) through our website, we will tell you this. We will make it clear when we collect personal information and will explain what we intend to do with it. In this case, the lawful basis for processing of this information is “legitimate interests”.
Other applications can be made by completing a paper form and posting it to us. We process the data received from the online platform and from the paper applications in the same way.
We have contracted with Flagstone Investment Management Limited (Flagstone) for the purposes of raising new deposits. If you opened a Charity Bank account through the Flagstone platform then your personal data will be processed by Flagstone for the purposes of “know your customer” requirements. We will open a savings account in the name of Flagstone and will take instructions from Flagstone in relation to your account. We will have access to the information Flagstone holds, including your personal data, for audit and compliance purposes only. We will process only the minimum amount of your personal data required to operate the account and meet regulatory requirements. Please contact Flagstone directly if you have any privacy concerns or queries about how your personal data is handled by them. The privacy policy is available here.
Initial credit checks for all new personal savers and for trustees/directors/senior managers at new business savers, are undertaken by TransUnion (the trading name of CallCredit) (a company incorporated in England & Wales which is a wholly owned subsidiary of the company CallCredit Information Group Ltd, also incorporated in England & Wales). The purpose of the contract with TransUnion is to help Charity Bank to identify and prevent the risk of fraud by (i) verifying an individual’s identity and (ii) checking the validity of sort-codes, account numbers and credit/debit card numbers. The contract requires both parties to adhere to the requirements of the DPA and has recently been amended to incorporate all the relevant GDPR requirements. The service to which we subscribe is described more fully in this web-page: TransUnion. The Privacy Policy published by the parent company, CallCredit Information Group Limited, can be found here: TransUnion General Privacy Notice. Whilst these initial checks are, for the most part, automated, we will never make a credit decision based solely on information provided by an automated service. We supplement these initial credit checks with further manual processes.
As with many banks, we offer a savings account for those under the age of 16. We are not accepting new applications for this account.
Our contractual relationship is with the adult who opens and runs this account on behalf of the child. The account is in the name of the child and the money in the account belongs to the child. The adult will open, run and close the account on the child’s behalf and must manage the account in the child’s best interests. The adult must be aged 18 or over and otherwise meet our requirements for opening this type of account. A child may only have one account with Charity Bank. Once the child reaches the age of 16, in the absence of alternative instructions from the adult managing the account, we will transfer the balance on the account to a standard 33-day notice savings account.
We will only process the personal data of a child to the extent that it is strictly necessary for us to run their account. This will typically be limited to the child’s name and date of birth since all correspondence will be sent to the adult’s address.
As a matter of policy, we do not send direct marketing material to those under the age of 18.
We provide loans to charities, charitable organisations, social enterprises and private companies limited by shares with worthwhile social impacts. We will process the personal data of trustees/directors/senior managers only to the extent necessary to make a decision on whether or not to lend to the organisation, to monitor its continuing credit quality or to decide on our actions if the borrower suffers financial stress, and to provide the primary contact with our e-newsletter.
We may, with the prior permission of the relevant individual within a borrower or potential borrower’s organisation, share that individual’s contact details and job titles with third parties such as solicitors, valuers and surveyors, but this will be for the sole purpose of contacting that individual so that they can provide services to the organisation directly. Once initial contact has been made with the relevant individual, those service providers will become responsible for their own processing of the personal data of those nominated contacts.
Any information which we send to an individual by email or post or which we provide to them over the telephone, which promotes our organisation or its products and/or services to that individual with the specific intention of securing (further) business from them, falls within the definition of “direct marketing” as set by the ICO. We never make automated calls or send “direct marketing” material by fax.
We may send Direct Marketing material to an individual without them requesting this (unsolicited) or we may send “direct marketing” material to an individual in response to a request (solicited) or because it relates to a product or service which is similar to one which the individual already has (related). The rules for these three types of marketing are different.
Before we send out unsolicited “direct marketing” by post, we will check that you have not registered with a preference service or previously asked us not to send you this type of information by post. If we do send you unsolicited “direct marketing” by post, we will let you know how we obtained your contact details and we will let you know how to stop receiving similar information from us in the future.
In keeping with data protection laws and legitimate interest communications, we include an “unsubscribe” option in every email communication we send to you which does not directly relate to your account or business relationship with us.
If you have asked us to send you more information about our organisation, products and services we will do so and may send this to you by email, post or by telephone, whichever we deem to be the most appropriate method (unless you have clearly stated that you do not wish to be contacted in a particular way).
On occasions, we may write to you (by post or email) or phone you about a product or service which we think may be of interest to you and which is similar to one you currently have or have had in the past. For example, if you have a 1-year savings account with us which is due to reach maturity, we will contact you to find out what you would like to do and this may include providing you with information about another savings account into which you may wish to transfer your funds upon maturity. We do not need your specific consent to send you that information, as it is not unreasonable for us to expect that you would want to receive that information at that point in time and we already have your contact details.
At times, we will follow-up postal marketing campaigns with a phone-call. Again, we will have carried out checks to ensure that you have not registered with a preference service or requested that we do not contact you in this way for marketing purposes. We will also check whether or not you are content to receive similar calls in the future. We will monitor the number of calls we make to ensure that we do not contact you too frequently.
Where we send information to an individual in their capacity as an employee in a particular role at a particular organisation, we are sending that information to the organisation, not the individual. We know that in charities and social enterprises (as opposed to sole traders), decisions are not usually made by one person. For this reason, the rules relating to “business to business direct marketing” are slightly different. If we think that your employing organisation may be interested in receiving information about our organisation and its products and services, we will write to you with relevant details, but we will let you know how we found your contact details and we will give you the opportunity to decline to receive information about us in the future. We will not, however, contact you with direct marketing about our personal savings accounts, as that would be marketing to you outside your role as a contact for your organisation.
We do not classify invitations to our Annual Impact Awards as “direct marketing” as this event is primarily an opportunity for company personnel, savers, borrowers and other business contacts to meet together to celebrate the way in which Charity Bank uses savers’ money to support charities and social enterprises and to acknowledge the great work that some of our borrowers are achieving. For this reason, we will send invitations to our personnel, current and past customers and current business contacts as a matter of course. We may send invitations by email or by post, as we deem most appropriate, although we will take into account any clearly stated preferences and will usually send invitations by post to individuals who have unsubscribed from our e-newsletter.
Invitations to other events may, on occasions, be considered direct marketing but, again, only if there is a clear intention to secure (further) business from a named individual. We will usually promote these via our website or social media, rather than inviting an individual specifically. If you do receive an invitation from us, this will usually be in response to a request from you for more information about our organisation, products or services, although we may have identified you from our own research as someone who would be interested in receiving an invitation.
To make a request to Charity Bank for any personal information we may hold, you need to put the request in writing addressing it to our Data Protection Lead at Fosse House, 182 High Street, Tonbridge, Kent, TN9 1BE. Other queries can be sent by email to [email protected].
When you submit a data protection query we will deal with this as quickly as we can and, where applicable, within any relevant statutory timeframes. Please provide as much detail in your request as possible. Please also read this Privacy Notice in full before submitting your query as you may find that the response you are seeking is contained in this document.
Charity Bank tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making an “access request”. Please provide evidence of your identity with your request, so that we can make sure that we are responding to the individual about whom the personal data relates.
If we do hold information about you, and we are able to verify your identity, we will:
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can also ask us to correct any mistakes by contacting our Data Protection Lead.
Charity Bank tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
If you want to make a complaint about the way we have processed your personal information, you can contact the Data Protection Lead at the address given above. Please provide as much detail as possible to help us to review your concerns.
When you submit a data protection complaint we will deal with this as quickly as we can and, in any event, within relevant statutory timeframes. Please remember that we will be able to respond more quickly if you provide evidence of identity with your query as we cannot provide our response until we are sure we are releasing it to the right person.
When we receive a complaint from a person, we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and share statistics showing information like the number of complaints we receive with our regulators, but not in a form which identifies anyone.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. But it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for a maximum of six years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Similarly, where enquiries are submitted to us, we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
If you have a concern about the way in which we are Processing your Personal Data and we have not been able to resolve that concern directly with you, you may complain to the Information Commissioner’s Office (ICO). You may call the helpline on 0303 123 1113. Further details about how to submit a report to the ICO can be found here.
If you would like to receive a copy of this Privacy Notice in a more accessible format, for example, in Braille or large-print or audio format, please contact [email protected].
We keep our privacy notice under regular review. This privacy notice was last updated on 08 August 2022.