This Privacy Notice is to provide you with information regarding the processing of information about you for account related purposes and other general purposes and to provide you with information on further processing that may be necessary where you apply for a loan with us.

 

Contact details

• Address: Ladywood Fire Station, Icknield Port Road, Ladywood, Birmingham, B16 ORA
• Phone: 0121 834 7999
• Email: enquiries@firesave.org
• Data Protection Officer: Stephen Newman
• ICO Registration Number: Z5574311

Firesave Credit Union is committed to protecting the privacy and security of your personal data. This privacy notice describes how we collect and use personal data about you during and after your relationship with us.

 

What personal data do we use?

 We may collect, store, and use the following categories of personal data about you:

• Your name, address, date of birth, email, telephone, financial data, status and history, transaction data; contract data, details of the credit union products you hold with us and have held with us, signatures, identification documents, salary, occupation, accommodation status, source of funds, Politically Exposed Status, mortgage details, previous addresses, spouse, partners, nominations, Tax Identification Numbers (TIN)/National Insurance numbers, passport details, driver licence, interactions with credit union staff and officers on the premises, by phone, or email, current or past complaints, CCTV footage, telephone answer voice recordings.

 

Purposes

The purposes for which we use your personal data: 

The credit union will use your personal data to assist it in carrying out the following:

• To open and maintain an account for you
• To meet our obligations to you under the Credit Union’s Rules
• To contact you in respect of your account and any product or service you avail of
• To comply with our legal obligations for example anti-money laundering, to identify connected borrowers
• Assessing your loan application and determining your creditworthiness for a loan;
• Verifying the information provided by you in the application;
• Conducting credit searches;
• Administering the loan, including where necessary, to take steps to recover the loan or enforce any security taken as part of the loan.
• Meeting legal and compliance obligations and requirements under the rules of the credit union.
• To comply with regulatory requirements to determine whether you are a connected borrower or related party borrower.
• Providing updates on our loan products and services by way of directly marketing to you.

 

We may also collect, store and use the following “special categories” of more sensitive personal data:

• Information about your health, including any medical condition, health and sickness (See Insurance for further details)

We need all the categories of information in the list above to allow us to; identify you, to contact you and in order that we perform our contract with you.

We also need your personal identification data to enable us to comply with legal obligations. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

 

Sensitive personal data

How we use particularly sensitive personal data

” Special categories” of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We may process special categories of personal data in the following circumstances:

• In limited circumstances, with your explicit written consent.
• Where we need to carry out our legal obligations and in line with our data protection policy.
• Where it is needed in the public interest, and in line with our data protection policy.

 

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

Security

How secure is my information with third-party service providers?

All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes unless they are deemed to be controllers in their own right. We only permit them to process your personal data for specified purposes and in accordance with our instructions. Usually, information will be anonymised but this may not always be possible. The recipient of the information will also be bound by confidentiality obligations.

 

If you fail to provide personal data

 If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you or we may be prevented from complying with our legal obligations.

 

Change of purpose

 You can be assured that we will only use your data for the purpose it was provided and in ways compatible with that stated purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

 

Profiling

We sometimes use systems to make decisions based on personal data we have (or are allowed to collect from others) about you. This information is used for anti-money laundering purposes and compliance with our legal duties in that regard.

 

Data Retention Periods

 We will only retain your personal data for as long as necessary to fulfil the purpose(s) for which it was obtained, taking into account any legal/contractual obligation to keep it. Where possible we record how long we will keep your data, where that is not possible, we will explain the criteria for the retention period. This information is documented in our Retention Policy.

 

Once the retention period has expired, the respective data will be permanently deleted. Please see our retention periods below.

• CCTV footage which is used in the normal course of business (i.e. for security purposes for one month). (Unless require for compliance with a legal obligation.)
• Evidence of identity checks to be maintained for six years after an individual ceases to be a member of the credit union;
• Details of member transactions are retained in line with
  regulatory & legal requirements, typically for up to 10 years
• Loan application information is maintained for a period of six years from the discharge, final repayment or transfer of the loan and 12 years where the document is under seal;
• Forms and records will be retained in individual member files for six years after the relationship with the member has ended
• We record answer phone messages left outside of credit union opening hours. We do not retain the message and delete once the message has been dealt with. Therefore all answer phone messages are deleted within 4 days.

 

Third countries 

Planned data transmission to third countries

 There are no plans for a data transmission to third countries. This excludes data we may hold for backup purposes in the Republic of Ireland.

Updates to this notice

We will make changes to this notice from time to time, particularly when we change how we use your information, and change our technology and products. You can always find an up-to-date version of this notice on our website firesave.org or you can ask us for a copy.

 

Our use and sharing of your information

We will collect and use relevant information about you, your transactions, your use of our products and services, and your relationships with us. We will typically collect and use this information for the following purposes:

Fulfilling contract:

This basis is appropriate where the processing is necessary for us to manage your accounts and credit union services to you

Administrative Purposes: 

We will use the information provided by you, either contained in this form or any other form or application, for the purpose of assessing this application, processing applications you make and to maintaining and administer any accounts you have with the credit union.

Third parties

We may appoint external third parties to undertake operational functions on our behalf. We will ensure that any information passed to third parties conducting operational functions on our behalf will do so with respect for the security of your data and will be protected in line with data protection law.

 

Security

In order to secure repayment of the loan, it may be necessary to obtain security such as a charge on your property or other personal assets.

 

Credit Reference Agencies

When you apply for a loan, we share your personal information with credit reference agencies (CRAs) and receive information from them about your financial history. We do this to:

• assess your creditworthiness and product suitability
• verify your identity
• manage your account
• trace and recover debts
• prevent criminal activity and money laundering

We continue to exchange information with CRAs throughout our relationship, including about settled accounts and any debts not fully repaid on time.

What searches are made?

We check our own records, CRA records, and fraud prevention agency records. These searches leave a footprint on your credit file visible to other lenders. CRAs supply us with public information (including the electoral register) and shared credit and fraud prevention data.

Joint applications and financial associations

If you make a joint application or tell us about a spouse or financial associate, your records will be linked. These links remain until you successfully file for disassociation with the CRAs. Please ensure you have agreement from any third party before disclosing their information.

Fraud prevention

If you provide false or inaccurate information and we suspect fraud, we will record this and may share it with fraud prevention agencies and other organisations involved in crime prevention.

CRA privacy notices

The CRAs may retain information for up to six years after any credit agreement ends. Full details of how each CRA uses and shares your information are available in the Credit Reference Agency Information Notice (CRAIN):

• TransUnion: transunion.co.uk/legal/privacy-centre/pc-credit-reference
• Equifax: equifax.co.uk/privacy-hub/crain
• Experian: experian.co.uk/legal/crain

 

Third-party data processing

When we check your account this leaves a footprint on your credit file. Firesave Credit Union uses a company called NestEgg Ltd to process this data on our behalf. NestEgg Ltd provides an automated ‘decision’ to help the Credit Union make it easy for members to apply for loans and savings accounts. NestEgg Ltd is not responsible for making decisions, they do not see your personal information. Their software makes a recommendation to a loans officer.

 

When you apply for a loan and / or savings account up to five searches may appear on your credit file.  For the purposes of credit scoring, this will typically only affect your credit score as if one credit application were made.

 

Each of these five ‘footprints’ relate to the different sources of data being used to assess an application; these include the credit report itself and an affordability check. The Credit Union needs to prove the information belongs to you which is when an ID check is required. In cases where an application is made by a new member; the Credit Union will use an ID check and may also run a report to check ownership of any bank account details you may give us. These checks are required by law to prevent money laundering.

 

Some of these footprints will be in the name of NestEgg Ltd and others in the name of Firesave Credit Union.

 

Guarantors

As part of your loan conditions, we may make the requirement for the appointment of a guarantor a condition of your loan agreement in order that credit union ensures the repayment of your loan. Should your account go into arrears, we may need to call upon the guarantor to repay the debt in which case we will give them details of the outstanding indebtedness. If your circumstances change it may be necessary to contact the guarantor.

 

Electronic Payments

If you use our electronic payment services to transfer money into or out of your credit union account, by way of international transfers, direct debits or benefit payments, we are required to share your personal data with our electronic payment service provider.

 

Member Service

To help us improve our service to you, we may use information about your account to help us improve our services to you.

 

Our legal duty

This basis is appropriate when we are processing personal data to comply with UK or Northern Ireland Law

 

Tax liability

We may share information and documentation with domestic and foreign tax authorities to establish your liability to tax in any jurisdiction. Where a member is tax resident in another jurisdiction the credit union has certain reporting obligations to HM Revenue and Customs (HMRC) under the Common Reporting Standard. HMRC will then exchange this information with the jurisdiction of tax residence of the member. We shall not be responsible to you or any third party for any loss incurred as a result of us taking such actions. The legal basis upon which we do this is compliance with HM Revenue and Custom’s Automatic Exchange of Information standard. We may also share information in respect of dividends and interest payments to members to HMRC where required by law.

 

Regulatory and statutory requirements 

To meet our duties to regulators (the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), we may allow authorised people to see our records (which may include information about you) for reporting, compliance and auditing purposes. For the same reason, we will also hold the information about you when you are no longer a member. We may also share information with certain statutory bodies, the Financial Services Compensation Scheme (FSCS) and Financial Ombudsman Service (FOS) if required by law.

 

Anti-money laundering

Compliance with our anti-money laundering and combating terrorist financing obligations: 

The information provided by you will be used for compliance with our customer due diligence and screening obligations under anti-money laundering and combating terrorist financing obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and associated legislation.

 

Audit

To meet our legislative and regulatory duties to maintain audited financial accounts, we appoint an external auditor. We will allow the external auditor to see our records (which may include information about you) for these purposes.

 

Connected Party Borrowers

We are obliged further to regulatory obligations to identify where borrowers are connected in order to establish whether borrowers are acting to together to achieve an aggregate loan that exceeds the limits set out in our lending policy.

 

Legitimate interests

 A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. If we rely on our legitimate interest, we will tell you what that is.

  

Debt Collection

 Where you breach the loan agreement we may use the service of a debt collection agency, solicitors or other third parties to recover the debt. We will pass them details of the loan application in order that they make contact with you and details of the indebtedness in order that they recover the outstanding sums

CCTV

 We have CCTV footage installed on the premises with clearly marked signage. The purpose of this is for security.

 

Voice Recording

 We have messaging services which allow you to leave a message on answering machines in order for the correct person to get back to you. The purpose of this is for accuracy and quality in service.

 

Our legitimate interest

 The credit union, where appropriate will necessary take steps to recover a debt to protect the assets and equity of the credit union

 

Our legitimate interest

 With regard to the nature of our business, it is necessary to secure the premises, property herein and any staff/volunteers/members or visitors to the credit union.

 

Your Rights

Under the Data Protection Act 2018 and the UK Data Protection Regulations, you have certain rights regarding your data. These are:

• Right to be informed – This policy is one of ways in which the Firesave Credit Union informs you how and why we process your data
• Right of access – All Data Subjects have the right to quest access to all of the data we hold on them. Any Data Subject requests received will be reviewed and responded to within one calendar month of receipt of the request. Most requests will be fulfilled free of charge, however, the Firesave Credit Union reserve the right to charge a reasonable administration fee for any requests deemed to be excessive, unfounded or repetitive.
• Right of rectification – Should you find that any data we hold about you is incorrect, you can ask us to correct it and we will investigate and respond within one calendar month of receipt of the request.
• Right of erasure (also known as the ‘right to be forgotten’) – You can ask for your Personal Data to be erased permanently. All such requests will be responded to within one calendar month of the receipt of a request. Please note that, whilst we will always endeavour to fulfil requests, there may be some instances where this is not possible due to legal or regulatory reasons. We will always provide a full explanation in any such instances.
• Right to restrict processing – If you do not wish for your data to be erased, you may ask for it to be restricted so that we continue to hold it but not process it or use it in any way – we would essentially ‘archive’ your data. This is only applicable in certain circumstances, however we will look at all requests and respond within one calendar month of the receipt of a request.
• Right to data portability – All electronically held data can be transferred to another company in a structured, commonly used and machine readable format on request. Please note that this will only include the data you have provided to us and not any ancillary data produced as a result of the services we have created during the provision of our services or where that data includes information regarding a third party. All requests for moving data will be responded to within one calendar month of a request being received.
• Right to object – You can object to our processing data for the purposes of marketing, scientific/ historical research and statistics, or legitimate interests or in the performing of a task in the public interest /exercise of official authority (including profiling). All such requests shall be responded to within one calendar month
• Rights related to automated decision making, including profiling – The UK GDPR sets out specific rights in relation to automated decision making.
• Right to complain – You have the right to raise a complaint regarding the processing of your data or our response to a request under the above rights. As part of this, you also have the right to escalate your complaint to a supervisory authority. In respect of data handling, you have the right to escalate your complaint to the Information Commissioners Office (ICO). Please go to:
  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5

Version 1: January 2026