Privacy policy
Overview
At Zempler Bank, your privacy and the security of your personal information are of great importance to us. As the data controller, we are committed to transparency and protection of your privacy rights. This notice outlines how we collect, process, and safeguard your personal data when you use or apply for any of our products and services.
1. Your personal data
1.1 General
(i) Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.
(ii) The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
(iii) Details of the personal information that will be processed are explained below and include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including Internet Protocol (IP) address and vehicle details.
(iv) We, along with fraud prevention agencies, may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
(v) We process your personal data on the basis that either it is required for the performance of our contract with you, or we have a legitimate interest in processing the data. An example would be verifying your identity to prevent fraud and money laundering, to protect our business and comply with laws that apply to us. More details on the legal bases used for processing can be found below.
(vi) Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
(vii) As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with known fraudulent conduct or money laundering, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making; if you want to know more, please contact us using the details below.
1.2 Source of data
We generally collect personal data from the following sources:
(i) Information that you provide to us or as set out below:
a) When you apply for our products and services
b) When you talk to us on the phone (including recorded calls), web chat, social media or other communication channel
c) In emails and letters
d) When you use our websites or the Zempler Bank app
e) When you take part in customer surveys, focus groups or feedback sessions
f) When you take part in prize draws or other special promotions
(ii) Third parties and external organisations:
a) Companies that introduce you to us
b) Card schemes or associations
c) Credit reference agencies
d) Comparison websites
e) Social networks
f) Fraud prevention agencies
g) Public information sources such as Companies House
h) Agents working on our behalf
i) Market researchers
j) Government and law enforcement agencies
k) Media outlets
l) Agents working on your behalf (e.g. a business account applicant providing personal data of other directors, Persons of Significant Control or Beneficial Owners when applying)
1.3 The data that we may process
(i) The data that we may process includes the following:
a) Your Internet Protocol (IP) address, geographical location, login and browser details, operating system, information accessed and loaded, time spent and pages visited, and technical information about your computer or mobile device.
b) Data in respect of the use and operation of your account. This data may include your account name, your name, email address and account number, profile pictures, gender, date of birth, relationship status, financial history, education details and employment details.
c) Your contact details, your card details and the transaction details.
d) Imagery, such as photo identification or photographs that you have provided to us.
e) Any documents sent to you by us, such as Proof of Address documents.
1.4 The purposes for which we may process your personal data:
(i) We may process your personal data for the following purposes, to enable us to:
a) determine how you use the Zempler Bank app, Online Banking, our website and social media pages, and how you use our products and services. The legal basis for this processing is our legitimate business interests, namely so we can monitor the use and effectiveness of our products, services, the Zempler Bank app and Online Banking, along with our website, social media pages and communications.
b) provide products and services and manage the operation of your account. The legal basis for this processing is the performance of a contract between you and us and/or taking steps to enable us at your request, to enter into such a contract.
c) make enquiries and conduct investigations about the supply of purchased goods and services and keep records of these transactions. The legal basis for this processing is our legal obligation as well as our legitimate business interests, namely to help us detect fraud and crimes generally, to enable us to comply with general regulatory requirements and to resolve any issues and queries that may arise.
d) perform the requirements that may arise with respect to credit agencies, fraud prevention agencies and for crime prevention generally. Zempler Bank may take decisions about your application and your account on the basis of automated checks via a credit scoring system which we will undertake from the credit agencies, fraud prevention agencies and internal Zempler Bank records. Where we use automated decision making, you have a right to appeal if your application is refused. You should also be aware that where we make these checks, credit and fraud prevention agencies may keep a record of them. The legal basis for this processing is our legal obligation to undertake reasonable steps to act prudently, prevent financial crime and fraud.
e) measure the effectiveness of our service and conduct customer surveys to enable us to improve our services, the effectiveness of the Zempler Bank app and the website. The legal basis for this processing is our legitimate business interests, namely to enable us to provide you with services and improve the quality of the services generally.
f) where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure, as well as where we have a legal requirement to process such data. The legal basis for this processing is that we have a legal obligation, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
g) if you consent to receiving marketing information (for example, during the application process), we may process your personal data to contact you with details of products and services we think may be of interest to you. If you do not want us to share personal data or to receive such communications, you can update your marketing preferences through our Online Banking portal or through Customer Services.
h) if you consent to using our eligibility checking services, we will use the information you provide, along with information provided by third parties, to check the likelihood of you being accepted for a product with us and give you an indication of this. The check will not affect your credit score. The legal basis for this processing will be consent.
i) we may process any recordings of calls made to us through speech-to-text conversion systems. This is done to allow processing of call transcripts to better prevent fraud and improve analysis in order to identify potentially vulnerable customers. The legal basis of this processing will be legal obligation. As this process could include any call it is possible that sensitive data may be included in this process. We have taken steps to adequately protect this data throughout the process. Our legal basis for processing of sensitive data under GDPR Art. 9 is reasons of substantial public interest, including preventing or detecting unlawful acts, regulatory requirements, preventing fraud and safeguarding of economic well-being of certain individuals.
j) we may process your data for the purpose of testing new products and services, both internally and with third-party suppliers. Where we do this, we will take steps to ensure that your data is sufficiently protected and all legal requirements for any data transfers are complied with. Your data will only be used for testing purposes for the minimum amount of time required to complete those purposes.
1.5 Consequences of processing
(i) If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.
(ii) A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details below.
1.6 Personal data shared with others
(i) We may disclose your personal data where you have given your consent.
(ii) We may disclose your personal data to our insurers, product analysis companies and/or professional advisers for insurance purposes, to enable us to manage claims and for any business transactions and enquiries that relate to the analysis of our products and your business generally.
(iii) We may also share your personal data with processors, agents and advisers who we use to help us run your accounts and services, prevent fraud and collect overdue payments or otherwise recover debt.
(iv) As indicated above it may be necessary to disclose your personal data to credit reference agencies ("CRAs"), fraud prevention agencies and companies providing fraud management services. The CRAs we use are:
- TransUnion (formerly Callcredit Information Group)
- Equifax Limited
- Experian Limited
We will also add to your records at the CRA details of:
- any agreement entered into with us
- the payments that you make under such agreements
- any default or failure by you to keep the terms of such agreements. CRAs will record the outstanding debt
- any failure by you to tell us about a change of address where a payment is overdue.
CRAs may supply this information to other organisations.
(iv) Financial transactions relating to your account may be disclosed to our payment services providers. We’ll share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds.
(v) In addition to the specific disclosures of personal data set out in this Section 5, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we’re subject, to protect your vital interests or the vital interests of another natural person or to HM Revenue & Customs, regulators and other authorities.
(vi) Any information you provide in relation to the Zempler Bank app is disclosed to our third-party agents who act on our behalf. This is for operational reasons; to provide the Zempler Bank app to you.
(vii) We may disclose your personal data to organisations that introduce you to us, to any organisations that you ask us to share your personal data with, and to market researchers.
(viii) We may disclose your personal data to our creditors (in the case of insolvency) or potential transferees of our rights and obligations under any agreements you have entered into with us.
(ix) We may share data about your account including account number, expiration date and account status with other organisations using the Mastercard Automatic Biller Updater service.
1.7 International transfers of your personal data
(i) We’ll only send your data outside of the European Economic Area (“EEA”) to:
a) Follow your instructions
b) Comply with a legal duty
c) Work with our processors, agents and advisers who we use to help run your accounts and services
(ii) If we do transfer information to our agents or advisers outside of the EEA, we’ll make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of these safeguards:
a) Transfer it to a non-EEA country that has received an Adequacy Decision by the EU, evidencing that their privacy laws give the same protection as the EEA.
b) Put in place a contract utilising the Standard Contractual Clauses (as created by the EU) with the recipient that means they must protect it to the same standards as the EEA; we will complete a due diligence process to ensure the Standard Contractual Clauses can be utilised effectively in the destination country, and if not will either add to them to mitigate the risk or use another method.
(iii) Fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your data continues to be protected by ensuring appropriate safeguards are in place.
1.8 Retaining and deleting personal data
(i) This section sets out our data retention policies and procedures, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
(ii) Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
(iii) It’s our policy generally to retain your personal data for at least 5 years after our relationship with you ends, although this may be extended where there are specific regulatory requirements to do so.
(iv) We maintain a Data Retention Policy which outlines the maximum retention period for all types of personal data within the business.
2. Amendments
2.1 We may update this policy from time to time by publishing a new version on our website.
2.2 We may notify you of changes to this policy through the Online Banking site on our website.
3. Your rights
3.1 Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data; request that your personal data is erased or corrected; request access to your personal data.
3.2 For more information or to exercise your data protection rights, please contact us using the contact details below.
3.3 You also have a right to complain to the Information Commissioner’s Office which regulates the processing of personal data.
Our data protection officer's contact details are: [email protected]. You can contact us to exercise any of your rights in relation to the processing of your data and on any matters that are covered by this policy generally.