Privacy Notice
About this privacy notice
Here at Chorley and District Building Society, we take data privacy seriously in everything we do. We are committed to protecting your privacy and making sure that we keep any personal information you provide secure. This privacy notice sets out how we will collect and use information about you.
Chorley and District Building Society is officially classed as a data controller of your ‘personal information’. This is information about you or information from which we can identify you, such as names, work addresses, phone numbers and email addresses.
We are registered with the UK’s Information Commissioner’s Office (ICO) under registration number Z5708404.
As a data controller, we have to follow rules on the way your personal information is processed, and this privacy notice explains how and why we do so.
When we use terms such as ‘we’, ‘us’ and ‘our’ in this notice, we mean Chorley and District Building Society.
This privacy notice is not limited to our website, it is relevant for any interaction you may have with us. This includes, online, secure messaging and email communications, telephone conversations or in person at one of our branches.
Our site contains links to other websites. This privacy notice only applies to this website and how we collect and use your information. If you follow a link to any other websites, those websites have their own privacy policies and notices and we do not accept any responsibility or liability for those policies and notices. Please check the relevant privacy notice before you provide any personal information to other websites.
Our Data Protection Officer can be contacted if you have any queries about this privacy notice or wish to exercise any of the rights mentioned in it by writing to our registered address: Key House, Foxhole Road, Chorley, Lancashire PR7 1NZ or by email to DPO@chorleybs.co.uk
This privacy notice provides a brief overview of how we collect personal information, why and what we do with it. We then explain in more detail about how we collect and use your information and your rights under data protection law.
We regularly review and, where necessary, update our privacy information contained within this notice. This privacy notice was last updated on the 12 July 2024.
You can download a PDF version of our privacy notice here.
Privacy Notice
This privacy notice is broken down into the following sections:
• How we use your personal information
• Personal information and the type of information we collect from you
• Personal information we collect from others
• Transfer of your personal information outside the United Kingdom
• Profiling
• Monitoring and your personal information
• Retaining your personal information
• Your data subject rights under data protection laws and how to exercise them
• Your marketing preferences and what this means
• Data protection questions and complaints
We are committed to protecting your privacy and making sure that we keep any personal information you provide secure. We provide a brief overview here, but we explain in more detail in the remaining sections.
Overview of Privacy Notice
What information we collect and why
We may collect information about you in a variety of situations, for example as part of a mortgage application, when applying for a savings account or when providing you with a service.
We only collect what is necessary
We will only collect the information that we need to provide you with our services. We will use your information to manage your account, provide a service, keep you updated and monitor communications.
Sharing your personal information
In some circumstances, we will share your information with third parties. We will only do this where necessary and is so we can provide our service to you. For example, when you apply for a mortgage with us, we will share your information with credit reference agencies or with crime prevention agencies.
Retaining your information
We retain your personal information only for as long as is necessary. Typically, this is for as long as you have an account with us and for six years after your account is closed.
Your rights
You have lots of rights under Data Protection Law and we explain all of these in the section – ‘Your data subject rights under data protection laws and how to exercise them’. You also have the right to opt out of marketing at any time and change your preferences any time.
If you are registered with Chorley Online, you can amend your marketing preferences under your personal profile at https://online.chorleybs.co.uk/. If you are not registered with Chorley Online, you can register for Chorley Online using the same link and change your preferences from your personal profile. Alternatively, please advise the branch, in-person, on the telephone or by post that you want to change your marketing preferences, and this will be actioned. You can also write to the Data Protection Officer.
Cookies
Our website uses cookies to distinguish you from other people who use our website. This helps us to provide you with a good experience and helps us to improve our site. For detailed information on the cookies we use and what we use them for, see our cookies policy - Cookie Policy | Chorley Building Society (chorleybs.co.uk)
Data protection laws require us to explain what legal grounds justify our processing of your personal information (this includes sharing it with other organisations). We cannot collect and use your personal information unless we have a lawful reason to do so. This includes sharing it outside Chorley and District Building Society.
For some processing more than one legal ground may be relevant (except where we rely on consent, for example to send you information about products or services that we think may be of interest to you).
Some information we process falls under ‘special category’ data; this means we have to provide an additional legal basis for collecting this data.
We are authorised by the Prudential Regulation Authority (PRA) and regulated by the Financial Conduct Authority (FCA). This means we may also collect personal data in order to meet our regulatory obligations.
Here are the legal grounds that are relevant to us:
To fulfil a contract we have with you - this applies if you take out a mortgage or savings product with us or indicate that you wish to do so.
When it is our legal duty, or obligation - we are required to meet various legal and regulatory obligations. For example, money laundering, fraud prevention and FCA or PRA regulatory rules.
When it is in our legitimate interest - we sometimes use legitimate interest if we have a reasonable or legitimate purpose that is not mentioned as part of a contract or, when we are legally obligated to do so. This helps to manage our business as a successful building society for the benefit of all of our members and keep it safe. An example of this is sharing details with a credit reference agency.
When you consent to it - we sometimes rely on your consent to process your information. For example, in marketing campaigns.
When it is in the public interest - we rely on this the least, but this is relevant when processing is necessary to perform a task in the public interest.
If you want to find out more about the legal grounds for processing your information, you can visit the ICO website for further information and guidance:https://ico.org.uk/for-the-public/does-an-organisation-need-my-consent/
Personal information is any information that can be used to identify you as a unique individual. We will only collect the information we need to provide you with a savings account, a mortgage, to answer your questions, or with your consent, to send you information we think you will find interesting.
We collect your personal information when you:
• Apply for our products or services in branch, online or by post.
• Update your information online, in branch, over the phone, or by post (such as when you change your address).
• Visit us in branch.
• Speak to us on the phone.
• Visit our website, register with Chorley Online, use our Secure Messaging Service via Chorley Online.
• Send us letters, emails, or other documents.
• Take part in customer surveys.
• Take part in our competitions or promotions.
The types of personal information we collect from you are:
Identity details - full name, title, any previous names (where applicable), date of birth, age, and account number. We may not always need to collect ID. We conduct an Electronic Identity verification check when you apply for a mortgage or savings account with us. We will use the results of the Electronic Identity check to verify your identity where possible.
Contact details - home address, correspondence address if different, address history, email address and phone number.
Financial data - bank account number, credit/debit card number, earnings, income, expenditure, spending habits, transaction history, tax reference number and source of funds.
Family data / personal information about your family - marital status, next of kin, dependents, and emergency contact details. The type of family data we collect may vary depending on whether the savings account or mortgage being opened is a joint or sole account.
Profile data - your sex, occupation, employment status, citizenship status, residential status, property details, occupancy status and insurance information.
Identification data - driving licence, passport, National Insurance number and other national identifiers.
How you interact with us - call recordings, photographs, CCTV images or any other form of communication.
Technical data - internet protocol (IP) address, location data, operating system, time zone etc.
Special Category Data
We may also collect some (but not all) special categories of personal data. For example, as part of an application for a mortgage or savings account. Where the data we collect involves the use of special category data, we have to provide an additional legal basis for collecting this data.
The types of special category data we collect, may include:
Health data - any physical disability, mental disability, or any medical condition.
Criminal data - criminal convictions and offences, pending convictions, court records and pending orders.
Sensitive data - information about your race or ethnic origin, religion or beliefs, sexual orientation, political affiliations.
It is important that the personal information we hold about you is accurate and up to date. Please keep us informed of any changes to your personal information, such as change of contact details etc.
The table below outlines when, what, and why we collect information from you and the legal basis for processing your information.
Your Information and why we collect it:
When we collect | What we collect | Why we collect it | Legal basis |
When you:
|
Identity data Contact data Financial data Profile data Family data Identification documents Technical Data |
To process your application, manage your accounts with us, provide an efficient and effective service. |
Necessary for the performance of a contract. |
When you:
|
Identity data Contact data Technical Data |
This is so we can manage and administer your account with us. |
Our legitimate interest |
When you:
|
Identity data Contact data Financial data Profile data Family data Identification documents |
This is so we can manage and administer your account with us. | Necessary for the performance of a contract. |
When you: Ask us to share your account information with other payment services providers or third parties, such as:
|
Identity data Contact data Financial data |
So that we can manage and administer your request, provide an efficient and effective service. | Consent |
When we are required to share your information with:
|
Contact data Financial data Profile data Family data Identification documents |
This is so that we may protect the security or integrity of our business operations and of our Members. | Our legitimate interest |
When we:
|
Identity data Contact data Financial data |
To manage and administer your accounts, provide you with an efficient and effective service. | Our legitimate interest |
When you:
|
Identity data Contact data |
To effectively investigate and deal with your query or complaint. | Our legitimate interest |
When you:
|
Identity data | Capturing CCTV images and recording in our branches and offices for safety and security of our members and staff. | Our legitimate interest |
When you:
|
Identity data Contact data Financial data |
To deal with your enquiry and help you navigate any financial difficulties or concerns. | Our legitimate interest |
When:
|
Identity data Contact data Financial data Profile data |
To make sure the registered POA is entitled to deal with the account or estate and then to follow your instructions. |
Consent Necessary for the performance of a contract |
When we:
|
Identity data Contact data Financial data Profile data |
To maintain effective and efficient services for our members, we occasionally use direct copies of live data in a test environment to test a wide range of aspects of software, including functionality, performance, usability, and security. Any data used in the test environment is safeguarded in the same way as live data and remains within the test environment. | Our legitimate interest |
When we need to:
|
Health Data Additional legal basis for health - Explicit consent We will always ask for your permission to record details of this nature. |
Sometimes our ability to make reliable financial decisions or control your financial affairs effectively may be affected by your health or personal circumstances. E.g., if you suffer a serious illness, mental health problem or bereavement. In these instances, we may ask for sensitive information so that we can provide any extra help you may need. | Our legitimate interest |
When you:
|
Identity data Contact data |
To run the competition, promotion, survey, or event. |
Consent Our legitimate interest |
When we:
|
Identity data Contact data Profiling data* |
To send you information about our products or services that we think will be of interest to you. | Consent |
* Profiling data – further information is provided in section 6 - ‘profiling’ and section 9 - ‘Your data subject rights under data protection laws and how to exercise them’.
To provide our services to you, we may need to share your details with credit reference agencies (CRAs), crime prevention organisations and third parties, but only when this is necessary.
Fraud prevention agencies such as National SIRA
Throughout our relationship with you, we, and these organisations exchange data to help prevent, deter, detect, and investigate fraud and money-laundering.
When we and the fraud prevention agencies process your personal information, we do so on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity in order to protect our business and to comply with the laws that apply to us. Such processing is also a contractual requirement of the mortgage and savings products we provide to you.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse or stop providing products or services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing, or employment to you.
If you have any questions about how we interact with fraud agencies as part of providing a service to you, please contact the Society’s Data Protection Officer. Alternatively, you can contact our chosen fraud prevention agency, National SIRA, Synectics Solutions Ltd of Hamil Road, Burslem, Stoke-on-Trent, ST6 1AJ.
Credit Reference Agencies
CRAs are used to perform credit, identity, and fraud prevention checks against public (electoral register) and shared credit information. In order to process your application, we will perform credit and identity checks on you with one or more CRAs. To do this, we will supply your personal information to CRAs, and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register, Companies House) and shared credit, financial situation and financial history information and fraud prevention information. When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
We will use this information to:
- Assess your creditworthiness and whether you can afford to take the product
- Verify the accuracy of the data you have provided to us
- Prevent criminal activity, fraud and money laundering
- Manage your account(s)
- Trace and recover debts
- Ensure any offers provided to you are appropriate to your circumstances
- We will continue to exchange information about you with CRAs while you have a relationship with us
- We will also inform the CRAs about your settled accounts, If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
You can find out more about the identities of the CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights by visiting our chosen CRA, Equifax Ltd, at Credit Reference Agency Information Notice (CRAIN)| Equifax UK -https://www.equifax.co.uk/privacy-hub/crain
Brokers and other intermediaries
Our products and services are available through our own branches and on our own website as well as through professional and financial advisors and anyone else who acts as a person sitting in between you and us in relation to what we do for you. In this notice we will call these persons “brokers or other intermediaries”.
If you are using brokers or other intermediaries, our privacy notice only applies to the processing of your personal information that they may do on our behalf. You should receive a separate privacy notice from these brokers or other intermediaries where they are acting as a data controller of your personal information.
Employers / Payroll Service Providers
We may contact your employer to get a reference, for example, if you apply for a mortgage or to confirm your salary.
Social networks and other technology providers.
If you click on one of our ads or follow us on social media, we use targeting cookies to identify how effective our advertising is and provide you with information in the future that we believe is relevant to you. If we work with a third-party company, for example to get customer feedback or for social networking, that third-party organisation may set their own cookies which are controlled by them and covered by their own policies. Chorley and District Building Society is not responsible for the content of external websites.
More information about cookies and how we use them can be found in our Cookie Policy - Cookie Policy | Chorley Building Society (chorleybs.co.uk)
Personal information obtained as part of the application process:
We may obtain personal information relating to you from other individuals as part of the application process for one of our products or services.
This can include individuals who are:
- A joint applicant on an account you hold or are applying for
- A trustee on an account
- A parent
- A guardian
- A nominated representative
- Acting under a Power of Attorney or similar authority
- A mortgage broker or mortgage intermediary who is acting on your behalf
- If someone acting on your behalf provides this information, we will record what’s been provided and who gave it to us.
When you provide personal information about another individual, we will assume that you have told them that you are sharing their details and where they can find more information on how we process their personal information.
Information we collect from others:
As stated above we collect information from others in order to process your application, manage your accounts and provide a service to you. Where this involves the use of special category data (please see section ‘Personal Information and the type of information we collect from you’, for an explanation of special category data), we have to provide an additional legal basis for collecting this data.
The table below outlines when, what, and why we collect information from others and the legal basis for processing your information.
Information we collect from others and why we collect it:
When we collect it from | What we collect | Why we collect it | Legal basis |
Fraud-prevention agencies - When we are:
|
Identity data *Additional legal basis for criminal data - public interest |
This is to help us satisfy our legal obligations and decide whether or not to accept your application, and to manage your accounts with us and protect our members. |
Legal obligation
|
Credit-reference agencies - When we are:
|
Identity data *Additional legal basis for criminal data - public interest |
This is to help us satisfy our legal obligations and decide whether or not to accept your application, and to manage your accounts with us. |
Legal obligation |
When we need to involve third parties such as:
|
Identity data Contact data Financial data Profile data Family data Identification documents |
This is to help us process your payment request or application and provide an effective and efficient service. Any information collected by the third party is not covered by this privacy notice. |
Our legitimate interest |
When we need to:
|
Identity data Contact data Financial data Profile data Family data |
This helps us to assess your mortgage application and verify the information you have given to us. | Necessary for the performance of a contract |
We are based in the UK but sometimes your personal information may be transferred outside the UK or the European Economic Area (EEA) for limited purposes. We will only send your data outside of the EEA to:
- Follow your instructions
- Comply with a legal duty; or
- Work with other organisations for the purpose of providing a service on our behalf in connection with the operation of your account or membership.
When we do transfer your data outside of the EEA, there will be protective measures in place to ensure that your personal information is treated by those third parties in a way that is consistent with, and which respects, the UK or EU laws on data protection. Appropriate protective measures include, for example, model clauses in data sharing contracts and ongoing security assessments.
Profiling is an automated form of processing carried out on personal data. The purpose of it is to evaluate certain things about an individual and to predict behaviour and take decisions regarding it. For example, it can be used to determine whether a particular product or service might be of interest to you and therefore help with the decision of which email campaign to send. It can also help to ensure that we are providing a consistent service and giving people the best products and advice at the right times.
There may be some circumstances where we use your personal information for profiling. Where possible, we’ll keep your details anonymous and use your information only to produce statistical reports. This way, you will not be identifiable from the data.
You have the right to object to us using your personal information for profiling activities. Please refer to the ‘Your data subject rights under data protection laws and how to exercise them’ section for more information.
Monitoring means any listening to, recording of, viewing of, intercepting of, or taking and keeping records of calls, post, emails, social media messages, visits to our branches including the use of CCTV, in person face to face meetings and other communications. We may monitor where permitted by law and we will do this where the law requires it.
We may conduct monitoring:
- To comply with regulatory rules.
- As self-regulatory practices or procedures relevant to our business.
- To prevent or detect crime.
- In the interests of protecting the security of our communications systems and procedures.
- To have a record of what we have discussed with you and actions agreed with you.
- To protect you and to provide security for you (such as in relation to fraud risks on your account).
- For quality control and staff training purposes.
Some of our monitoring may check for obscene or profane content in communications.
We may conduct short term carefully controlled monitoring of your activities on your account where this is necessary for our legitimate interests or to comply with our legal obligations, for instance, where we suspect fraud, money laundering or other crimes.
We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). In the absence of specific legal, regulatory, or contractual requirements, our standard retention period for records and other documentary evidence created in the provision of services is six years from the date that our contractual relationship ends.
We use CCTV in our branches for the safety and security of our members and staff and in deterring criminal activity. We will generally keep CCTV images for two months after the image is captured. If the images are needed to detect a crime, or for the purposes of criminal proceedings, we may keep them for longer.
When we refer to ‘data subject’, we mean the person that can be identified or is identifiable from the personal data. The data could be your name, address, telephone number or something else. In this context, ‘data subjects’, will usually be our customers. Anyone else whose personal data we use will be a data subject too.
Under data protection laws you have the following rights. They do not apply in all circumstances and if you wish to exercise any of them, we will explain at that time if they apply or not.
The right to be informed about the processing of your personal information. This privacy notice includes all of the information we are required to provide you under this right.
The right to request access to your personal information and obtain information on how we process it. Upon request, we will provide a copy of the personal information we hold on you. You can make a request to access the information we hold about you by writing to our Data Protection Officer, email or verbally at the contact details contained within this privacy notice.
We will respond within one calendar month, starting from the day we receive your request. If we need something from you to be able to deal with your request (e.g., identification documents), the time limit will begin once we have received this.
If your request is complex or you make more than one, the response time may be a maximum of three calendar months, starting from the day of receipt.
The right to have your personal information rectified or corrected if it is incomplete or inaccurate. If we have disclosed your personal information to others, then where necessary we will also notify them of the change to your information.
The right to have your personal information erased. This right only applies where our processing of your information was unlawful, our processing is no longer necessary, we no longer have a legitimate interest to process your information, or where our processing is based on consent, and you wish to withdraw that consent. The right to erasure does not apply if we are required to retain your information to comply with a legal obligation or for the establishment, exercise, or defence of legal claims.
The right to restrict the processing of your personal information. This means that we will continue to store your personal information but will not use it if; you believe that the information we hold relating to you is inaccurate and we are verifying the accuracy of it; we have processed your information unlawfully; we no longer need your personal information but you require us to keep it in order for you to establish, exercise or defend a legal claim; or you have objected to the processing of your personal information and we are assessing whether our legitimate grounds for processing override your rights.
The right to data portability. This means that you have the right to move, copy, or transfer your personal information from our IT environment to another in a safe and secure way, so that it can be reused for your own purposes across different services. This right is different to the right to request access (see above), and you will not be able to obtain a copy of all of your personal information by exercising your right to portability. The right to portability applies to personal information that you have provided directly to us, where we process it based on your consent or for the performance of a contract, and where it is carried out by automated means (thereby excluding paper records).
The right to object to the processing of your personal information. You have the right to object to us processing your information on the basis of legitimate interests or for the purposes of direct marketing. We will stop processing your personal information unless we are able to demonstrate that we have compelling legitimate grounds for processing which override your rights, interests, or freedoms or if processing is needed for the establishment, exercise, or defence of legal claims.
The rights relating to automated decision making and profiling. Automated decision making is when a computer-based decision is made about you without a person being involved. We do not undertake any automated decision making with your personal information.
You also have the right to complain to the ICO which enforces data protection laws: https://ico.org.uk/
For more details on all of the above rights, you can contact our Data Protection Officer.
Occasionally, we may provide you with information about other products and services offered by the Society. We do this only if we have a legal ground which allows it under data protection laws. The Society does not share your data with any other organisation for marketing or promotional purposes.
When marketing to you as an individual, we will rely on the lawful basis of either your prior consent or legitimate interest to contact you, such as by phone, email, secure messaging, SMS text, or post, to tell you about new products or services we have, are developing or which we think may be of interest to you.
You have the right at any time to stop us from contacting you for marketing purposes and may opt out at any time. If you are registered with Chorley Online, you can amend your marketing preferences under your personal profile at https://online.chorleybs.co.uk/. If you are not registered with Chorley Online, you can register for Chorley Online using the same link and change your preferences from your personal profile. Alternatively, please advise the branch, in-person, on the telephone or by post that you want to change your marketing preferences, and this will be actioned. You can also write to the Data Protection Officer.
If you have any concerns about how we use your personal information, your data rights, or if you wish to raise a complaint, you can contact us directly, using the contact details provided in this notice.
If you are not satisfied with the way we handle your complaint, you can raise a complaint directly with the UK Information Commissioner’s Office via the details available on their website: https://ico.org.uk/make-a-complaint/