Full Privacy Statement
WHO WE COLLECT DATA FROM
We collect data from anyone who enquires and/or makes an application for investment from Co-operative and Community Finance.
HOW WE COLLECT YOUR DATA
Most of the information we hold about you has been provided directly to us by you. We also collect data from your use of our website. Please see our Cookies Policy for details.
We also collect data from publicly available resources. For example, Companies House and the Financial Conduct Authority.
WHAT WE COLLECT
Co-operative and Community Finance is the ‘controller’ of the personal data you (the ‘data subject’) provide to us. We will usually collect basic personal data about you like your name, postal address, telephone number, email address from you as part of the loan application process, membership and investment applications and requests to me included on our mailing list.
WHERE DOES THAT INFORMATION GO
We will process your personal information for our legitimate business interests, which include some or all of the following:
• Internal records
• processing of applications
• To undertake statistical analysis (sensitive data will be anonymised)
• To improve our communication and services
• To assess your eligibility
• To comply with money laundering regulations
WHERE ELSE DOES YOUR DATA GO
We do not share your data with anyone else or any other organisation unless it is necessary for the purpose for which you give us the data. Examples include:
• Providing application information to investment panel members
• Sharing data on recipients of investment with funders
• Providing data to third parties that provide specific services to us. A contract is in place with third party data processors and they are not permitted to use your data beyond the specific reason we have requested
Some of our suppliers (Data Processors) run their operations outside the European Economic Area (EEA). Although they may not be subject to same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.
In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.
KEEPING DATA SAFE
We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to, or use or disclosure of, your personal information.
Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Our staff receives data protection training and we have a set of detailed data protection procedures which personnel are required to follow when handling personal data.
Our electronic data is stored within secure servers. Paper copies of any personal data are stored in secure locked cabinets.
HOW LONG WILL WE HOLD YOUR DATA FOR
We will not retain your information for longer than is contractually required.
TAKING CONTROL YOUR PERSONAL INFORMATION
We want to ensure you remain in control of your personal data. The new General Data Protection Regulations (GDPR), which are being brought in on 25 May 2018, give everyone a number of very important rights. These include:
• the right to ask us to remove your personal data from our records (though this will not apply where it is necessary for us to continue to use the data for a lawful reason)
• the right to have inaccurate data rectified
• the right to request a copy of the information we hold about you
You can ask to be removed from our database at any time by contacting Alain Demontoux, at firstname.lastname@example.org.
We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so.
If you believe that any information we are holding on you is incorrect or incomplete, please contact Alain Demontoux, at email@example.com as soon as possible. We will promptly correct any information found to be incorrect.
You can make a subject access request, this should be made in writing to Alain Demontoux, Brunswick Court, Brunswick Square, Bristol BS2 8PE.
Under the new GDPR, we have a number of lawful reasons that we can use (or ‘process’) your personal information. One of these lawful reasons is called ‘legitimate interests’.
Broadly speaking, ‘legitimate interests’ means that we can process your personal information if we have a genuine and legitimate reason and we are not harming any of your rights and interests.
If you have any questions about this privacy statement, please contact Alain Demontoux, at firstname.lastname@example.org or call 0117 9166750.