How we collect, share, and use your personal information.
Chorley Building Society is officially classed as a data controller of your ‘personal information’. This is information about you or from which we can identify you, such as names, work addresses, phone numbers and email addresses.
We are registered with the UK’s Information Commissioner’s Office (ICO) under registration number Z5708404.
As a data controller, we have to follow rules on the way your personal information is processed, and this privacy notice explains how and why we do so.
When we use terms such as ‘we’, ‘us’ and ‘our’ in this notice, we mean Chorley and District Building Society.
Our Data Protection Officer can be contacted if you have any queries about this privacy notice or wish to exercise any of the rights mentioned in it by writing to our registered address: Key House, Foxhole Road, Chorley, Lancashire PR7 1NZ or by email to DPO@chorleybs.co.uk
This privacy notice may be updated from time to time. You should check this page regularly so that you can read the up-to-date version.
Personal information is any information that can be used to identify you as a unique individual. Further information about how we use your data can be found in this privacy notice.
We collect your personal information when you:
The types of personal information we collect from you include:
It is important that the personal information we hold about you is accurate and up to date.
Please keep us informed of any changes to your personal information during your relationship with us, such as change of contact details etc.
|Purpose / Activity
|Types of Personal Information
|Registering as a Broker with Chorley including through the Broker Online system
|Necessary for the performance of a contract
|Processing an application for a product or service with Chorley
|Necessary for the performance of a contract
|Managing and administering your Broker Online account
|Necessary for the performance of a contract
|Preventing and investigating fraud
|Our legitimate interest / Legal obligation
|Collecting IP address when using our web site to detect suspicious activities
|Our legitimate interest
|Sharing relevant marketing about products and services
|Consent / Legitimate Interest
Unless required to do so by law, or for other similar reasons, other than those outlined we will never otherwise share personal information without legal basis or without ensuring the appropriate care and necessary safeguards are in place; we will in any other event ask for your consent to share that information and explain the reasons.
Where necessary, we share your personal information with:
We are based in the UK but sometimes your personal information may be transferred outside the UK or the European Economic Area (EEA) for limited purposes. We will only send your data outside of the EEA to:
When we do transfer your data outside of the EEA, there will be protective measures in place to ensure that your personal information is treated by those third parties in a way that is consistent with, and which respects, the UK and EU laws on data protection. Appropriate protective measures include, for example, model clauses in data sharing contracts and ongoing security assessments.
In this section monitoring means any listening to, recording of, viewing of, intercepting of, or taking and keeping records (as the case may be) of calls, post, emails, social media messages, in person meetings such as industry events or relationship management meetings and other communications. We may monitor where permitted by law and we will do this where the law requires it. In particular, where we are required by the Financial Conduct Authority’s regulatory regime to record certain telephone lines or in person meetings (as relevant) we will do so.
Some of our monitoring may be to comply with regulatory rules, self-regulatory practices or procedures relevant to our business, to prevent or detect crime, be in the interests of protecting the security of our communications systems and procedures, to have a record of what we have discussed with you and actions agreed with you, to protect you and to provide security for your Broker Online account and for quality control and staff training purposes.
Some of our monitoring may check for obscene or profane content in communications.
We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). In the absence of specific legal, regulatory, or contractual requirements, our standard retention period for records and other documentary evidence created in the provision of services is 6 years from the date that our contractual relationship ends.
Under data protection laws you have the following rights. They do not apply in all circumstances and if you wish to exercise any of them, we will explain at that time if they apply or not.
The right to be informed about the processing of your personal information. This privacy notice includes all of the information we are required to provide you under this right.
The right to request access to your personal information and obtain information on how we process it. Upon request, we will provide a copy of the personal information we hold on you. To action this right, you may wish to complete the Society’s Data Subject Access Request form which is available electronically here.
The right to have your personal information rectified or corrected if it is incomplete or inaccurate. If we have disclosed your personal information to others, then where necessary we will also notify them of the change to your information.
The right to have your personal information erased. This right only applies where our processing of your information was unlawful, our processing is no longer necessary, we no longer have a legitimate interest to process your information, or where our processing is based on consent, and you wish to withdraw that consent. The right to erasure does not apply if we are required to retain your information to comply with a legal obligation or for the establishment, exercise, or defence of legal claims.
The right to restrict the processing of your personal information. This means that we will continue to store your personal information but will not use it if; you believe that the information we hold relating to you is inaccurate and we are verifying the accuracy of it; we have processed your information unlawfully; we no longer need your personal information but you require us to keep it in order for you to establish, exercise or defend a legal claim; or you have objected to the processing of your personal information and we are assessing whether our legitimate grounds for processing override your rights.
The right to data portability. This means that you have the right to move, copy, or transfer your personal information from our IT environment to another in a safe and secure way, so that it can be reused for your own purposes across different services. This right is different to the right of access (see above), and you will not be able to obtain a copy of all of your personal information by exercising your right to portability. The right to portability applies to personal information that you have provided directly to us, where we process it based on your consent or for the performance of a contract, and where it is carried out by automated means (thereby excluding paper records).
The right to object to the processing of your personal information. You have the right to object to us processing your information on the basis of legitimate interests or for the purposes of direct marketing. We will stop processing your personal information unless we are able to demonstrate that we have compelling legitimate grounds for processing which override your rights, interests or freedoms or if processing is needed for the establishment, exercise or defence of legal claims.
The rights relating to automated decision making and profiling. Automated decision making is when a computer-based decision is made about you without a person being involved. We do not undertake any automated decision making with your personal information.
You also have the right to complain to the Information Commissioner’s Office which enforces data protection laws: https://ico.org.uk. For more details on all of the above rights, you can contact our Data Protection Officer.
Your personal information may be converted into statistical or aggregated data which cannot be used to re-identify you. It may then be used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described in this privacy notice.
Occasionally, we may provide you with information about other products and services offered by the Society. We do this only if we have a legal ground which allows it under data protection laws. The Society does not share your data with any other organisation for marketing or promotional purposes.
When marketing to you as an individual (including individual sole traders and partnerships), we will rely on the lawful basis of either your prior consent or legitimate interest to contact you, such as by phone, email, push notifications, SMS text, or post, to tell you about new products or services we have or are developing which we think may be of interest to you.
You have the right at any time to stop us from contacting you for marketing purposes and may opt out at any time by contacting the DPO.
Updating this notice
We regularly review and, where necessary, update our privacy information contained within this notice. This was last updated on 19 October 2023.