On 25 May 2018 the Data Privacy laws will change. Giving you the individual more rights on how your information is collected and processed. Thistle Credit Union is committed to protecting our members’ privacy. The credit union requires any information marked as mandatory for membership to either meet legal obligations or to enable us to perform our contract with you. Where you are not able to provide us with this information, we may not be able to open an account for you. Where we request further information about you not required for these reasons, we will ask you for your consent.

How we use your Personal Information This privacy notice is to let you know how Thistle Credit Union promises to look after your personal information. This includes what you tell us about yourself, what we learn by having you as a customer, and the choices you give us about what marketing you want us to send you. This notice explains how we do this and tells you about your privacy rights and how the law protects you.

• To keep your information safe and private.

• Not to sell your information.

• To give you ways to manage and review your marketing choices at any time.

Protection by Law

Data Protection law says that we are allowed to use personal information only if we have a proper reason to do so. This includes sharing out with the credit union. The Law states that we need one or more reasons to do this.

• confirm your identity

• perform activity for the prevention of financial crime

• carry out internal and external auditing

• record basic information about you on a register of members

• deal with your account(s) or run any other services we provide to you;

• consider any applications made by you;

• carry out credit checks and to obtain and provide credit references

• undertake statistical analysis, to help evaluate the future needs of our members and to help manage our business

• To send you statements, new terms & conditions (including changes to this privacy statement), information about changes to the way your account(s) operate and notification of our annual general meeting.

A legitimate interest is when we have a business reason for using your information, but it must be what is right for you. Examples of legitimate interests could be:

• Keeping our records up to date, working out which of our products and services may interest you and telling you about them.

• Seeking your consent when we need it to contact you.

• Developing and improving how we deal with financial crime, as well as doing our legal duties in this respect.

• Complying with regulations that apply to us.

• Being efficient about how we fulfill our legal and contractual duties.

Thistle Credit Union will collect information about you from a few different sources. In the first instance we would collect information from you when you join as a member. We would also collect information from the services that you use with us and from 3rd parties.

Information you give us:

• When you apply for our products and services

• When you talk to us on the phone or in branch

• When you use our websites or interact with our social media pages

• In emails and letters

• In insurance claims or other documents

• In financial reviews and interviews

• In customer surveys

• If you take part in our competitions or promotions.

• If you nominate a beneficiary on your account you will need to get the consent of the person you are nominating.

• Payment and transaction data

• Prepaid card facilitators

• Credit reference agencies

• Insurers

• Fraud prevention agencies

• Payroll service providers

• Public information sources such as Companies House

• Government and law enforcement agencies

• Debt recovery agencies

Sharing Personal Information

• HM Revenue & Customs, regulators and other authorities

• UK Financial Services Compensation Scheme

• Credit reference agencies

• Fraud prevention agencies

• Insurance agencies

We may also need to share your personal information with other organisations to provide you the optimum benefits with the products and service you use with us:

• If you have a prepaid debit card with us, we will share transaction details with companies which help us to provide this service I.e. engage

• If you use direct debits, we will share your data with the Direct Debit scheme.

• If you apply for insurance through us, we may pass your personal details to the insurer

While countries in the European Economic Area all ensure rigorous data protection laws, there are parts of the world that may not be quite so rigorous and do not provide the same quality of legal protection and rights when it comes to your personal information.

The credit union does not directly send information to any country outside of the European Economic Area, however, any party receiving personal data may also process, transfer and share it for the purposes set out above and in limited circumstances this may involve sending your information to countries where data protection laws do not provide the same level of data protection as the UK .

For example, when complying with international tax regulations we may be required to report personal information to the HM Revenue and Customs which may transfer than information to tax authorities in countries where you or a connected person may be tax resident.

To process any credit applications that you make we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will share your personal information with CRAs and they will give us information about you.

• Name, address and date of birth

• Credit application

• Details of any shared credit

• Financial situation and history

• Public information, from sources such as the electoral register

• Assess whether you are able to make the repayments

• Make sure what you’ve told us is true and correct

• Manage accounts with us

• Trace and recover debts

We will go on sharing your personal information with CRAs for as long as you are a member and borrow with us. This will include details about your settled accounts and any debts not fully repaid on time. If you borrow, it will also include details of your repayments and whether you repay in full and on time. The CRAs may give this information to other organisations that want to check credit status. We will also tell the CRAs when you settle your accounts with us.

When we ask CRAs about you, they will note it on your credit file. This is called a credit search. Other lenders may see this, and we may see credit searches from other lenders.

We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. This may affect your ability to get credit.

The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail on:

• Who they are

• Their role as fraud prevention agencies

• The data they hold and how they use it

• How they share personal information

• How long they can keep data

• Your data protection rights.

Here are links to the information notice for each of the three main Credit Reference Agencies:

• CallCredit at www.callcredit.co.uk/crain

• Equifax at www.equifax.co.uk/crain

• Experian at www.experian.co.uk/crain

We will also exchange information about you for processing payment to your bank account when you require telephone or online withdrawals.

We will exchange information about you with our external auditors who will provide oversight that we are managing your account correctly.

We may use your personal information to tell you about products that are relevant to you. This is what we mean when we talk about ‘marketing’. The personal information we have for you is made up of what you tell us, and the information we collect when you use our services, or from third parties we work with.

We can only use your personal information to send you marketing messages if we have either your consent or a ‘legitimate interest’. That is when we have a business reason to use your information. It must not unfairly go against what is right and best for you. You can ask us to stop sending you marketing messages by contacting us at any time. Whatever you choose, you'll still receive statements, and other important information such as changes to your existing products and services. We may ask you to confirm or update your choices, if you take out any new products or services with us in future. We will also ask you to do this if there are changes in the law, regulation, or the structure of our business.

The credit union will need to hold your information. In many cases we will hold this information for a period of time after you have left the credit union in order to comply with operational and legal requirements, including General Data Protection Regulation legislation. If you require further information regarding our retention of your information, please ask at one of our offices.

Your rights under data protection regulations are:

(a) The right to access

(b) The right of rectification

(c) The right to erasure

(d) The right to restrict processing

(e) The right to data portability

(f) The right to object to data processing

(g) Rights related to automating decision-making and profiling

(h) Right to withdraw consent

(i) The right to complain to the Information Commissioner’s Office

Right to Access You have the right to access your personal information and details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal information. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. You can access your personal information by writing to Thistle Credit Union with a request or by using the request form on our website www.thistlecu.co.uk

You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal information about you completed.

In some circumstances you have the right to the erasure of your personal information without undue delay.

Those circumstances include:

• the personal information is no longer needed for the purpose it was originally processed

• you withdraw consent you previously provided to process the information

• you object to the processing under certain rules of data protection law

• the processing is for marketing purposes

• the personal information was unlawfully processed

However, you may not erase this data where we need it to meet a legal obligation or where it necessary for the establishment, exercise or defence of legal claims.

The Right to Restrict Processing In some circumstances you have the right to restrict the processing of your personal information.

Those circumstances are:

• You contest the accuracy of the personal information;

• processing is unlawful, but you oppose erasure;

• we no longer need the personal information for the purposes of our processing, but you require personal information for the establishment, exercise or defence of legal claims; and

• you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal Information.

We will only otherwise process it:

• with your consent

• for the establishment, exercise or defence of legal claims or

• for the protection of the rights of another natural or legal person;

You have the right to object to our processing of your personal information on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the information is necessary for the purposes of the legitimate interests pursued by us or by a third party.

If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal information for this purpose.

To the extent that the legal basis for our processing of your personal data is:

(a) consent; or

(b) that the processing is necessary for the performance of our contract with you

You have the right to receive your personal information from us in a commonly used and machinereadable format or instruct us to send this data to another organisation. This right does not apply where it would adversely affect the rights and freedoms of others.

Thistle Credit Union do not make automated processing for lending decisions every loan application made by you is looked at by our loan officers considering all the information that you have given us before an informed loan decision is made.

If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.

You have the right to lodge a complaint to the Information Commissioners’ Office if you believe that we have not complied with the requirements of the GDPR or DPA 18 with regard to your personal data. You can contact them by:

1. Going to their website at: https://ico.org.uk

2. Phone on 0303 123 1113 3. Post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

For more information about how your rights apply to your membership of the credit union or to make a request under your rights you can contact us at the details below. We will aim to respond to your request or query within one month or provide an explanation of the reason for our delay.

Name: Thistle Credit Union Address: 252 Glasgow Road, Blantyre, Glasgow, South Lanarkshire, G72 0YH

Phone: 01698 711112

Email: staff@thistlecu.co.uk

We can update this Privacy Policy at any time and ideally you should check it regularly here www.thistlecu.co.uk for updates. We won’t alert you for every small change, but if there are any important changes to the Policy or how we use your information we will let you know and where appropriate ask for your consent.