CIFAS - Credit Industry Fraud Avoidance System
A UK, not-for-profit fraud prevention service run on a membership association basis. CIFAS hold and exchange information both on known criminals, as well as innocent victims of fraud to help prevent further fraudulent activity.
A message given to an Internet Browser by a Server, which is stored in a text file; the message is then sent back to the Server each time the Browser requests a webpage to be opened.
Cookies are used to identify users of webpages and to customise content where applicable.
Customer segmentation is the process of dividing customers into groups based on common characteristics, so organisations can market to each group effectively and appropriately.
An individual or organisation which determines why personal data needs to be processed, and the manner it is processed in.
Data Privacy Officer
A position within an organisation responsible for ensuring that personal data is processed in accordance with UK data privacy requirements.
An individual or organisation which processes personal data on behalf of a data controller, in accordance with instructions from the data controller.
An individual who can be identified from the personal data i.e. the person the data is about.
Direct Debit Scheme
A UK payment mechanism run by Bank Account Clearing System Payment Schemes Limited enabling electronic payments to be made once authorisation has been provided by the originator.
European Economic Area (EEA)
The European area which provides for the free movement of persons, goods, services and capital; it is made up of EU members plus other countries within Europe which have agreements in place with the EU.
An independent UK organisation which helps other organisations identify and assess information about prospective customers. Experian holds both publicly available information from sources such as the Electoral Roll, as well as information provided by other organisations such as credit card providers and Banks who provide loans for example.
Financial Conduct Authority
A UK regulatory body operating independently of the UK Government, which oversees the regulation of conduct by financial services firms operating in the UK.
GDPR - General Data Protection Regulation
The legal framework that sets the guidelines and requirements for the collection, processing and storage of personal data of identifiable individuals within the European Union (EU). The GDPR legislation was adopted in April 2016 and comes into force across the EU on 25 May 2018.
Information Commissioner’s Office (ICO)
The independent UK authority set up to uphold data privacy rights in the public interest.
Lawful basis for processing
One of six allowable lawful bases for processing must be satisfied for Triodos to process your personal data. The six lawful bases are:
- Consent - the individual has given clear consent
- Contract - processing is necessary for a contract to be provided
- Legal obligation - processing is necessary to comply with the law
- Protect life - processing is necessary to protect someone’s life
- Public interest - processing is necessary to perform a task in the public interest
- Legitimate interest - processing is necessary for Triodos’ legitimate interests, or the legitimate interests of a third party, unless there is a good reason to protect the individual's data which overrides these legitimate interests.
Triodos operates across Europe in the UK, France, Belgium, Germany, Spain and The Netherlands. The Group headquarters are in The Netherlands, which means that the main data privacy supervisory body is the Dutch Data Protection Supervisory Authority.
TBUK also follows UK data privacy requirements set by the UK government and the ICO.
The business reason for Triodos to use your information. It must not conflict unfairly with your rights and interests. GDPR specifically mentions several examples of legitimate interests such as the prevention of fraud, marketing customers could reasonably expect to receive, or IT security for instance.
Any information relating to an identified or identifiable natural person (an individual).
A framework for transatlantic exchanges of personal data between the European Union (EU) and the United States of America (USA). It was designed to provide organisations on both sides with a mechanism compliant with data privacy requirements when transferring personal data from the EU to the USA.
Special Categories of Personal Data
Personal data which relates to particular characteristics including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health or medical information, sexual life or orientation.
Additional protection is required for personal data falling into this category, and both a general and specific lawful basis for processing are required. This means that one of the six general GDPR lawful bases for processing is needed, as well as one of the following which relate specifically to special categories of personal data:
- explicit consent
- processing is necessary for meeting obligations under employment, social security and social protection law
- processing is necessary to protect the vital interests of someone who is unable to provide consent
- processing is carried out during legitimate activity by a Foundation, Association or other not-for-profit body with a political, philosophical, religious, or trade union-based aim and processing relates to current or former members of that organisation, and that personal data is not disclosed outside of that organisation
- processing relates to personal data which has been disclosed by the individual
- processing is necessary in connection with legal claims
- processing is necessary for substantial public interest
- processing is necessary for preventative or occupational health
- processing is necessary for public interest in the area of public health
- processing is necessary for archiving purposes in the public interest such as scientific, historic or statistical research
Organisations external to Triodos who undertake services and activity on our request such as our business partners, suppliers and affiliates.