
Privacy notice

Protecting your personal data - Our privacy notice

Last update: 7 May 2026



Our commitment

At CAF Bank, we are committed to protecting your personal data. Our privacy notice has been designed to explain how we collect, use, store, transfer and protect your personal data when you engage or interact with us through any means.

We have written this privacy notice with you, the individuals who service your organisation’s accounts, in mind, keeping it simple and informative so that you can understand what we do with your personal data. All individuals who provide personal information to us should read and understand this privacy notice and how we process their personal data.

 

Introduction

CAF Bank Limited (“CAF Bank”) is a data controller, as defined under the UK General Data Protection Regulation (UK GDPR), and registered as such with the Information Commissioner's Office (“ICO”) under registration number Z689392X.

CAF Bank is a wholly owned subsidiary of the “Charities Aid Foundation”. We are a limited company registered in England and Wales with registration number 1837656, authorised by the Prudential Regulation Authority (PRA) and regulated by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority. Within this document “We”, “Us”, or “Our” refers to CAF Bank only.

 

What is personal data?

By “Personal Data”, we mean any data that can be used to identify you directly or indirectly. “Special Category Data” is unique information about you that can include your race, ethnicity, religion, political affiliations and health data. This data is more sensitive and requires additional protection. “Criminal Offence Data” is a separate category but may form part of a larger record which contains special category data. 

In this section, we outline who we collect personal data from as part of our application process and then the types of information we may hold. You are not obliged to provide the data requested. However, by not doing so, you may limit your organisation’s ability to apply for a product with us or use our services.

We require personal data from different individuals when your organisation applies for a product with us, including:

  • Trustees
  • Signatories
  • Account contacts
  • Online banking users
  • Cardholders
  • Directors
  • Ultimate beneficial owners

Information we hold about you might include:

  • Personal details
  • Contact details
  • Nationality
  • Marketing preferences
  • Payment information and details of transactions you carry out on behalf of your organisation
  • Credit-related information
  • Identity information, proof of address or source of funds information
  • Information about criminal convictions and offences
  • Information obtained and learnt about you through communication (including emails and call recordings)
  • IP address, operating systems and browser behaviour
  • Technical information relating to how you use and access our products and services, such as the type of device
  • Technical information and details of your visit to our website or apps associated with our website
  • Details about your health and lifestyle, including support needs
  • Additional information you submit through third party websites, for example, on social media
Purposes for using your personal data

In limited circumstances, we may need to process special category or otherwise sensitive personal data to provide our services or to meet our legal and regulatory obligations. This may include information relating to your nationality and criminal convictions as part of our Know Your Customer (KYC) and fraud prevention checks, as well as health-related information where you voluntarily provide it or where it can be inferred from any support needs you disclose.

We only record the support or adjustments required and do not document the underlying health condition or vulnerability. Similarly, where criminal conviction data is processed, we record only what is necessary for regulatory and fraud prevention purposes. Where we process this type of data, we usually do so on the basis that it is necessary for reasons of substantial public interest.

As a data controller, we are responsible for ensuring that we have a lawful basis for processing your information. The UK GDPR sets out several legal bases for processing personal data. Figure one sets out some of the purposes for which we use your information and the lawful basis for doing so.

Figure one: examples of why CAF Bank collects data. Each entry states why we collect the data, followed by the lawful basis for our processing.

To process an application for a CAF Bank product or service.

This data enables us to:

  • Carry out identity, anti-money laundering and credit checks. This includes ensuring you meet our age requirements to be associated with a CAF Bank product.
  • Assess your application using profiling.
  • Respond to your enquiry regarding products and services.

Lawful basis for our processing:

  • Necessary for the performance of a contract or taking steps prior to entering a contract

To manage and administer your account.

We use this data to deliver our services, including to:

  • Respond to queries raised by email, post or phone.
  • Address enquiries or complaints received.
  • Update your records to ensure we hold accurate data.
  • Send communications to service your account.
  • Answer questions and solve any issues in connection with your account.
  • Record calls for training and quality assurance purposes.
  • Ensure we meet any additional needs you may have to manage the product on behalf of your organisation if you are or become a vulnerable individual.
  • Allow you to deposit and withdraw from the account.
  • Carry out ongoing due diligence.

Lawful basis for our processing:

  • Necessary for the performance of a contract or taking steps prior to entering a contract
  • Legal obligation
  • Substantial public interest
  • Legitimate interests: we have a legitimate interest in making sure that our products and services operate efficiently and securely. This includes keeping accurate records, responding to queries, monitoring quality, maintaining service continuity, and supporting day-to-day account management to provide a reliable service and protect customers, employees and systems.

To meet our legal and regulatory obligations.

This data is essential to help us:

  • Send regulatory communications.
  • Share data with law enforcement agencies to investigate or prevent crime.
  • Identify and manage risks to the organisation, including fraud and money laundering.
  • Manage requests from you to exercise your rights under data protection laws.
  • Establish, defend and enforce any legal action.
  • Comply with laws that apply to us, including regulatory reporting requirements.

Lawful basis for our processing:

  • Legal obligation
  • Legitimate interests: we have a legitimate interest in protecting the organisation from financial, operational and regulatory risk. This includes conducting investigations, managing risk, resolving disputes and responding to regulatory enquiries to maintain the integrity of our operations.

To audit and assure our processes and service.

This data informs internal and external audits, alongside other administrative and operational activities, to:

  • Examine and evaluate the effectiveness of internal controls, such as systems tests.

Lawful basis for our processing:

  • Legitimate interests: we have a legitimate interest in reviewing and improving our internal processes, systems and controls. These audits help us keep operations compliant, secure and effective, protect customer information, and support ongoing improvement across the organisation.
  • Legal obligation

To prevent and investigate fraud and financial crime.

We use this data to:

  • Identify, detect, investigate and report suspicious activity, preventing and tackling fraud and financial crime.

Lawful basis for our processing:

  • Legal obligation
  • Legitimate interests: we have a legitimate interest in protecting our business, customers, and the wider financial system from fraud and financial crime. This includes monitoring account activity, detecting suspicious behaviour, and taking action to safeguard the organisation and our customers.

For market research and business analysis.

Our analysts draw on the data to:

  • Create, test or evaluate strategies to help improve services.
  • Develop and improve products and services by assessing usage information.
  • Internally test CAF Bank's products and website.
  • Help diagnose system issues.

Lawful basis for our processing:

  • Legitimate interests: we have a legitimate interest in analysing the use of our products and services to improve, develop and tailor them. This includes identifying trends, service enhancements, system performance issues and user experience improvements, helping to ensure our products and services are effective and relevant.

For marketing purposes.

The data allows us to:

  • Tell you about products, services and content that may be of interest to you.

Lawful basis for our processing:

  • Legitimate interests: we have a legitimate interest in promoting relevant products and services, including sending updates or information about similar offerings. Charitable organisations may also receive useful insights. Individuals can opt out of receiving marketing communications at any time.

How we collect your personal data

We collect personal data from a variety of sources to allow us to provide banking services to your organisation, meet our legal and regulatory obligations, and ensure the security and integrity of our operations. The information we collect will depend on your interactions with us, the products or services your organisation holds, and the role you have in relation to that organisation. This personal data may be collected from the following sources: 

  • You directly
    We collect personal data directly from you when you interact with us. This includes information you provide during an application for a product or service, information supplied when we request additional details, or any data shared when you communicate with us by post, phone, email, online forms or other channels.

  • The organisation you represent
    Your personal data may be provided to us by the organisation you act for as a representative. For example, during an application process your organisation may nominate another individual to complete the form on your behalf, supplying your details as part of the information required for the application.

  • Publicly available sources
    We may collect personal data about you from publicly accessible sources such as media articles, social media accounts, online platforms, forums and official records (including the electoral roll, Companies House and the Charity Commission for England and Wales). We use this information to meet our legal and regulatory obligations to support the prevention and detection of fraud and financial crime, and for marketing purposes where permitted by law.

  • Third parties
    We may receive personal data about you from trusted third party service providers. This may include identity verification providers, security and fraud prevention services, analytics partners, and other organisations that support the security and operation of our website. We may also receive information to meet our regulatory obligations, including those set by the FCA, PRA and ICO.

  • Other entities within CAF
    Where necessary, we may receive personal data across organisations that operate as part of CAF. This will only occur where we have a lawful basis to do so and where it is required for administrative, operational or service-related purposes.

Who we share your personal data with


Credit reference agencies 

We may share your personal information with credit reference agencies (CRAs) to help validate your identity. To carry out these checks, we may provide the information you have given us to CRAs, who will return information about you. This may include information from a range of sources such as Royal Mail, local authorities, the Insolvency Service and fraud prevention databases. These checks will be carried out as soft searches, which do not affect an individual's credit score.

Where an individual is acting on behalf of the organisation in connection with a loan or other credit facility, we may also carry out checks with CRAs to help assess suitability. This includes whether the individual is appropriate to enter into or sign such agreements on behalf of the organisation. This may include credit-related information such as credit commitments, repayment history and information about individuals with whom you are financially associated (for example, a person with whom you have a joint financial agreement or shared financial responsibility).

The type and level of information returned may vary depending on the nature of the check carried out.
For more information on CRAs, including their relationship with fraud prevention agencies, please refer to Equifax: https://www.equifax.co.uk/privacy-hub/crain


Fraud prevention agencies

We may share personal information with fraud prevention agencies (FPAs) and other organisations involved in the prevention and detection of fraud, financial crime and other unlawful activities. These organisations may process personal information to carry out checks, validate identities, and help detect or prevent fraud, money laundering and other criminal activity.

If fraud or criminal activity is suspected or identified, personal information may be shared with and recorded by these organisations. The information may also be used by them, and by other organisations, to help prevent fraud and financial crime and to make decisions about services, including those relating to employment, credit or insurance. As a result, we or other organisations may refuse to provide a service or cease to deliver existing services if fraud or criminal activity is detected.

For more information on FPAs, please refer to Cifas: https://www.cifas.org.uk/fpn


Service providers

We may share personal information with trusted third party service providers who support us in delivering our services and operating our business. These include:

  • Providers of IT systems and infrastructure (such as cloud hosting, backup and server providers)
  • Outsourced service providers
  • Other professional, technical or administrative providers that assist us with functions such as communications, data storage, system maintenance, compliance and risk management and business operations.

These providers are contractually bound to provide an adequate level of protection to your personal data, in accordance with data protection laws. 


CAF

Where necessary, we may share personal information with the other organisations within CAF. This may be for internal administrative purposes, to support business development activities, and to enable the provision of shared services and centralised business functions. These may include technology and infrastructure services, operational and administrative support, marketing and communications, and other support functions. Any personal data sharing within CAF will be limited to what is necessary and carried out in accordance with applicable data protection laws and appropriate security and confidentiality safeguards.


Regulators, government authorities and law enforcement agencies

We may disclose personal information to regulators, government authorities, law enforcement agencies, courts and other public and statutory bodies. This is where it is necessary to comply with legal or regulatory obligations, respond to lawful requests or to establish, exercise or defend legal claims. These may include organisations such as the FCA, PRA and ICO, police or any other legal, governmental or regulatory body, including statutory dispute resolution or compensation bodies such as the Financial Ombudsman Service and the Financial Services Compensation Scheme.

This list is not exhaustive. For more information, please contact us.


Restructure, sale or acquisition

We may share or transfer personal data if we sell, transfer or reorganise part or all of our business, or if we merge with or are acquired by another organisation. Where this happens, personal data may be shared with relevant third parties and transferred to the new owner of the business, subject to appropriate safeguards. Any personal data transferred will continue to be used in accordance with this privacy notice and applicable data protection laws. 


Links to third party websites

Our website may include links to third party websites or platforms, such as social media. These sites operate independently from us and have their own privacy notices. We recommend reviewing those notices before providing any personal information, as we are not responsible for how those organisations handle your data.

Sharing your data outside of the UK

We may transfer personal data out of the UK either directly or through our use of certain data processors. Whenever we arrange for restricted international transfers of personal data outside of the UK, we will ensure that arrangements are in place to provide suitable safeguards for the people whose information we transfer. We do this by ensuring that:

  • Your personal data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation), or
  • We enter into an International Data Transfer Agreement (“IDTA”) with the receiving organisation and adopt supplementary measures, where necessary. Further details can be found here.
  • If transferring your personal data to the US, we may rely on the UK-US Data Bridge, where appropriate.

Further information about the safeguards related to the restricted transfers we make can be provided on request, by contacting us.

 

How we keep your personal data safe

We take the security of your information extremely seriously.

We use appropriate security controls to prevent the personal data that we hold from being accidentally or deliberately compromised. The controls cover our IT networks and information systems (cybersecurity), as well as our physical and organisational security.

We align our processes to comply with industry security standards, such as ISO 27001, and are compliant with the PCI Data Security Standard (PCI DSS).

CAF Bank has procedures in place to deal with any suspected personal data incidents. If a breach occurs, we will notify you and any applicable regulator where we are required to do so.

Retention of your personal data

We will only keep your personal data for as long as is required to meet the purposes the data was collected for, as explained within our privacy notice. We may retain your personal data for longer if there is a complaint or if we reasonably believe there is a prospect of litigation relating to our relationship with you. To determine the appropriate retention period for personal data, we consider your rights and freedoms and what the law requires us to do. This is generally seven years from the end date of your relationship with us.

Once your personal data is no longer required, it will be deleted or anonymised. This is in line with our policies and processes, which consider the legal obligations placed upon us.

Details of retention periods for different aspects of your personal information are set out in our retention policy. You can request a copy of this by contacting us.

Marketing communications

From time to time, we may use your information to keep you informed about products, services and content that we feel may be of interest to you. This includes third party marketing (for example, from other organisations within CAF). You have the right at any time to stop us from contacting you for marketing purposes. If you wish to exercise this right, you can do so via the ‘unsubscribe’ link on any emails received or by contacting us.

Automated decision making

We do not make decisions that significantly affect individuals based solely on automated processing. 

As part of our fraud prevention and financial crime controls, we use automated systems to monitor accounts and transactions. These systems apply predefined rules and thresholds to help identify activity that may be unusual or potentially suspicious. System-generated alerts flag any such activity for further review.

Where alerts are generated, they are assessed by appropriately trained employees who determine whether any action is required. Decisions affecting customers are therefore not made solely by automated means and involve human review and intervention.

Your data subject rights

Your personal data belongs to you, and current data protection law gives you rights in relation to this data. These rights can be exercised at any time and free of charge. You have the right to:

  • Be informed
    We need to let you know what we do with your personal data, in this privacy notice or when you ask us.

  • Access
    You have the right to request a copy of the personal data we hold about you. The information you receive as part of this process will only relate to you as a data subject. We will not provide any information relating to the organisation with which you are associated, or other individuals related to that organisation.

  • Rectification
    You have the right to amend information you think is inaccurate and to ask us to complete information that you think is incomplete. However, we may need to verify the accuracy of the new data you provide to us.

  • Erasure
    You have the right to request ‘to be forgotten’ and for your personal data to be removed or deleted. This is not an absolute right and there may be times where we must retain your data for legal reasons, even after you have enacted your rights.

  • Restrict processing
    In certain circumstances, you can tell us that you do not want your data used for a particular purpose. We may demonstrate that we have compelling legitimate reasons to process your information that override your right to object.

  • Data portability
    You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. This only applies to automated information that you initially provided consent for us to use or where we used the information to perform a contract with us.

  • Object to processing
    You can object to us processing your personal data at any time for marketing purposes (including carrying out profiling). In some cases, you can object to other uses of your data where the processing relies on our legitimate interests.

  • Request a review of automated decision-making including profiling
    This means you have the right not to be “subject to a decision which is based solely on automated processing (without human involvement)”, where that decision “produces a legal effect” or “may significantly affect you”. You can request that our team reviews any such decisions made.

  • Withdraw consent
    If we use your personal data based on your consent, you can withdraw that consent at any time.

How to exercise your rights

You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. 

Should you wish to exercise your data subject rights, please contact us.

Complaints

If you are unhappy with how we handle your personal data, you have the right to complain. We will acknowledge receipt of your complaint within 30 days, investigate the matter without undue delay, and keep you informed of the progress and outcome. If you wish to complain, please contact us.

We will do our best to resolve the matter to your satisfaction. If you are not satisfied with the outcome of your complaint, you have the right to complain to the relevant supervisory authority. The supervisory authority in the UK is the Information Commissioner's Office, which can be contacted using the following details:

Telephone: 0303 123 1113

Web: https://ico.org.uk/make-a-complaint

How to contact us

If you have any questions about this privacy notice, or how we use your personal data, please email us at cafbankprivacy@cafonline.org

If you are an EU citizen, you can contact Castlebridge NomRep Services Ltd, our appointed representative at caf@gdprnomrep.eu


Changes to this notice

We reserve the right to amend this privacy notice at any time. We will notify you of any substantial changes by email. Unless otherwise specified, all other changes to this privacy notice will take effect immediately as of the stated “last updated” date. We recommend that you check this page regularly to stay up to date.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

CAF Bank Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register number: 204451).

CAF Bank Limited's registered office is 25 Kings Hill Avenue, Kings Hill, West Malling, Kent ME19 4JQ. Registered in England and Wales under number 1837656.