Triodos Bank UK Privacy Statement

What is personal data?

Personal data means any information relating to an individual who can be directly or indirectly identified by reference to the information.

Individuals are referred to as data subjects under data privacy legislation. A wide range of information constitutes personal data including names, contact information, identification numbers such as National Insurance numbers, financial information, employment details, and online identifiers often referred to as ‘cookies’ for example. This applies to both digital and paper-based information included within filing systems, or which is intended to be placed within a filing system.

The processing of personal data means any interaction with the information including viewing, collecting, sharing, storing, transferring or analysing it for instance. This can be by both a Data Controller, or a Data Processor.

Your personal data will be held by Triodos Bank N.V in The Netherlands and by TBUK. You can find information on how to contact us as well as further information on what Triodos does, on our website.

TBUK has appointed a Data Privacy Officer (DPO) and any data privacy queries which cannot be resolved through the information provided on our website can be directed to them using the contact details included on our website.

The use of your personal data is covered by Triodos Bank’s registration with the UK Information Commissioner's Office; registration number Z6794013.

When you apply for a product or service with Triodos you will need to provide certain personal data to enable us to process your application, and to then provide the product or service you want on an on-going basis. Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

The General Data Protection Regulation (GDPR) legislation which applies across Europe, and the UK Data Protection Act (2018), only allow the processing of personal data if one or more conditions are met; this is known as a lawful basis for processing.

There are six lawful bases provided, which are included in the Glossary section. Triodos will only process your personal data for the reasons it was provided for, and only where there is a lawful basis for processing allowing this.

Special categories of personal data

Some personal data is classified as more sensitive under data privacy legislation. This includes information relating to health, racial or ethnic origin, religious or philosophical beliefs, political opinions, genetic and biometric data, sex life, sexual orientation and trade union membership. As this data is more sensitive, we need to have further justification for collecting, storing and using this type of personal data which means an additional lawful basis for processing (which are also included in the Glossary section).

We may process special categories of personal data in the following circumstances:

In limited circumstances with your explicit consent, in which case we will explain the purpose for which the personal data will be used at the point where we ask for your consent;
We will use information about your physical and mental health or disability status to comply with our legal and regulatory obligations, including to ensure you receive appropriate adjustments to any of our services where necessary.

What we use your personal data for	Why do we need to use your personal data and which lawful basis for processing is applicable?	What are our legitimate interests in using your personal data?
To manage our relationships with you and deliver our products and services	Fulfilling a contract we have agreed between us (contract) We are legally required to complete certain activities (legal obligation) Undertake activity for your and our legitimate interests (legitimate interests)	Keeping our records up to date Working our which of our products and services will be of interest to you Developing our products and services based on your use of them and any feedback. Informing you of relevant products and services that may be of interest tot you
To run our business properly and efficiently	We are legally required to complete certain activities (legal obligation) Fulfilling a contract we have agreed between us (contract) Undertake activity for your and our legitimate interests (legitimate interests)	Complying with our legal requirements Reviewing and improving how we deal with financial crime
To run our business properly and efficiently	We are legally required to complete certain activities (legal obligation) We have a legal duty to provide you with a fair and easy to understand service (legal obligation) Undertake activity for your and our legitimate interests (legitimate interests)	Complying with regulations that apply to us (such as those set by The Financial Conduct Authority – FCA or The Information Commissioner’s Office - ICO for instance) Being as efficient as we can and providing you with information you need

Triodos and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

Triodos processes your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.

Details of the personal data that will be processed include, your name, contact details such as your postal or email address and phone number(s), date of birth, financial information, employment details, device identifiers including an Internet Protocol (IP) address, or your National Insurance number for example. Triodos may also hold personal data about you throughout our relationship with you; the transactions you make using your current account or how you use our website for instance. We use different types of personal data and have grouped them into the following categories:

Category of personal data	Description
Contact information	How to contact you including where you live, your telephone number and you email address (where relevant).
Personal details	Personal information such as your gender, date of birth, or occupation.
Special categories of personal data	GDPR categorises certain sensitive personal information as ‘special category’ personal data; this includes information about your health, political opinions, or sexual orientation, or your biometric data (fingerprints or facial recognition) for instance. Triodos will not collect and use these types of data, unless there is a legal obligation to do so, or it is required to provide (or continue to provide) a product or service to you in accordance with legal or regulatory requirements.
National Identification numbers	A number or code given to you by a government authority to identify who you are, such as your UK National Insurance number.
Financial information	Financial information such as your bank account number and transaction history.
Contractual information	Details about the products or services we provide you.
Administrative information	Registration numbers and administrative reports.
Transactional information	How you use our products such as your bank account for example, how and where your debit card is used or what you use our Internet Banking services to do for instance. This information is used to help protect you from fraud and comply with our legal and regulatory obligations.
Socio-demographic data	What you do for a living, what communication channels you prefer to use; this information is used to help us ensure you receive the right information at the right time, using the right method of communication.

Where will your personal data be obtained from?

Triodos collects personal data that you provide when interacting with us, from companies we use to complete financial transactions, and if you have given us consent to do so through agreeing with our cookie statement on our website, registration of your online activities.

Data you have provided when you:

Apply for our products or services;
Talk to us on the phone or in person;
Use our websites or mobile device applications;
Subscribe to a newsletter or other marketing messages;
Send us e-mails or letters; or
Take part in financial reviews, interviews, customer surveys, competitions or promotional activities.

We may also obtain your personal data from other companies we deal with if there is a lawful basis to do so, in which case you will be notified of how and why we will use them. This could include the following:

Companies that introduce you to us;
Card providers and associations such as Mastercard for example;
Credit Reference Agencies such as Experian;
Financial advisers or representatives;
Insurers;
Fraud prevention agencies such as CIFAS (Credit Industry Fraud Avoidance System);
Public information sources;
Agents working on our behalf;
Market researchers;
Medical practitioners; and
Government and law enforcement agencies.

Cookies

After you have given us consent we collect data from your personal electronic devices to register your online and mobile activities. We monitor data sessions to register your visits and use cookies to enable required functionality, increase the quality of our website or mobile services, optimise your personal experience and support promotional and direct marketing activities. You can read more about how we use cookies in the cookie statement included on our website.

Sharing your personal data

How will personal data be shared?

Triodos will only share your data if there is a lawful basis to do so. We will treat all your personal data as private and confidential and in accordance with data privacy legislation (even when you are no longer a customer). Information we hold about you will not be disclosed to anyone unless:

we are legally required to disclose the information. This includes sharing your information with tax authorities and law enforcement agencies such as HMRC or the police for example;
we need to disclose the information for the purposes of or in connection with any legal proceedings, or for the purposes of obtaining legal advice, or the disclosure is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
disclosure is required to protect our legitimate interests, or someone else's legitimate interests (for example, to prevent fraud);
the disclosure is made with your consent; and
disclosure is to a third party for the purposes of providing administrative or processing services on behalf of Triodos. If this is required, we will ensure that the third party protects your personal data in the same way that we do.

We may need to share your personal data with other organisations to provide you with the product or service you have chosen. For example:

Credit reference or identity verification agencies, such as Experian;
Agents who collect money from persons in debt;
Government authorities who are entitled to request your data;
Fraud prevention agencies and legal authorities;
Companies you ask us to share your data with;
If you have a debit card with us, we will share transaction details with companies which help us to provide this service such as Mastercard;
If you use direct debits, we will share your data with the Direct Debit scheme; and
If you have a loan with us, we may share information with other lenders who also hold a charge on the security.

When a third party processes your personal data on our behalf, we ensure that they follow our instructions to process and protect your personal data. Third parties are required to sign agreements in which they commit themselves to safeguard your personal data, agree to only use the data to provide services to us specifically outlined in the agreement, and follow our instructions.

Your personal data will be shared with the following categories of third parties for the purposes described:

Category of third parties:	Data types:	Purposes:
Administrative services	Contact information, personal details, financial/contractual/transactional information, biometric data for identification purposes	To provide you with the product or service you applied for
Market research and marketing communications companies	Contact information, socio-demographic information, personal details, financial information	To ensure that you receive the right marketing communications messages from us, at the right time and in the areas that you are interested in
Credit Reference Agencies	Contact information, personal details, financial/contractual/transactional information, biometric data for identification purposes	To help us make decisions and assess risk when considering your application for our products and services
Fraud Prevention Systems	Contact information, personal details, financial/contractual/transactional information	To help protect you from fraud
Governmental departments	Any information requested, once legal authority has been verified.	To fulfillour legal and regulatory obligations

Triodos’ default position is that we will not disclose or transfer personal data to organisations outside of the European Economic Area (‘EEA’). However, where this is required we will inform you and confirm why we need to do this.

When we do transfer personal data outside of the EEA, we will make sure that it is protected at the same level as within the EEA by using one of these safeguards:

Transfer data to organisations in non-EEA countries (or states or provinces of these countries) with privacy laws in place providing the same level of data privacy protection as within the EEA;
Transfer data to organisations that are part of Privacy Shield which is an international framework that sets privacy standards at a similar level as those of the EEA; or
Put a contract in place with the recipient ensuring that they will process the data with the same level of data protection as within the EEA.
Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

How we use your information to make automated decisions

We use external providers and Triodos systems to help us make some decisions about you or your business. This helps us to make sure our decisions are quick, fair, efficient and correct, and are based on up to date information. As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making, such as the right not to be subject to a decision based solely on automated processing and if you want to know more please contact us.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.

We use your data to support decision-making in the following ways:

When you open an account with us, we check that the product or service is relevant for you, based on the data you have provided, and any reference information held by external providers. We check that you or your business meet our requirements to open an account. This may include verifying your identity and personal details such as your age, residency status, nationality and credit history

When you apply for credit we make a risk assessment to decide whether to lend you money. This risk assessment is based on the information included in your application, credit reference information we obtain externally and our analysis to help understand your financial situation. When approving credit, we ensure that decisions are never solely based on automated systems and that there is always a person involved to help make a sound, fair and unbiased decision.

When you apply for a product or service we are required to perform checks on the data you have provided about you and/or your business. We also check your credit history if you have applied for a product which includes credit facilities. Triodos shares the personal data you provide during your application with Credit Reference Agencies that help us with these checks. The data we exchange with the Credit Reference Agencies includes:

Contact information and personal details;
Credit application;
Details of any shared credit;
Financial situation and history; and
Information made available to the public e.g. electoral or commercial registers.
Assess what marketing communication messages we send you

We’ll use this data to:

Assess whether you or your business can afford repayments;
Make sure that what you’ve told us is true and correct;
Help detect and prevent fraud and money laundering;
Manage accounts with us; and
Trace and recover debts.

We share your data with Credit Reference Agencies for as long as you remain a customer. This will include details about any repaid or outstanding debts. It will also include details of funds going into the account, and the account balance. If you borrow money from us, it will also include details of your repayments and whether you repay in full and on time.

When Credit Reference Agencies receive a search request from us they will place a search footprint on your credit file that may be seen by other lenders.

The identities of the Credit Reference Agency used by Triodos, and the ways in which they use and share personal data, are explained in more detail at www.experian.co.uk/crain

We monitor financial activities to study and learn about our customers’ behaviour and needs, and to make decisions based on what we learn to improve our service quality and products. We put customers with similar activities into groups called customer segments. The use of customer segments helps us to design products and services that better suit our customers’ needs, and market them appropriately and effectively to customers who are likely to be interested in them.

We monitor your personal or business account to identify whether you may have been a victim of fraud. If we identify that there is a risk of fraud, we may stop financial transactions and temporarily block access to your account while this is investigated. You will be contacted and kept up to date during this process.

Fraud Prevention Agencies (FPA’s) and law enforcement agencies can legally access your personal data. In cooperation with these agencies, we use your personal data to confirm your identity before we provide products or services to you or your business. When Triodos and fraud prevention agencies process your personal data, processing is undertaken on the basis that there is a legitimate interest in preventing fraud and money laundering, and to verify your identity. This is to protect our business and to comply with laws that apply to us as a Bank. Such processing is also a contractual requirement of the services or financing you have requested.

Once you have become a customer, we share your personal data with these agencies to help detect, investigate, prevent and prosecute financial crime. Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years. Law enforcement agencies may keep files of criminal offences for up to 20 years.

If you choose not to provide your personal data

We may need to collect personal data by law such as your identity documents, or under the terms and conditions of a contract we have with you. If you choose not to provide us with, or choose to restrict the processing of, the information we need it may prevent us from meeting our contractual obligations and providing you with the product you have applied for.

This situation could result in the cancellation of a product or service you have with us or the termination of our contract with you. We will discuss this with you at the time before making any changes to your products or services.

Where personal data has been collected using your consent as the lawful basis for processing,you are free to withdraw your consent at any time and without any contractual or service delivery consequences other than the services you choose not to make use of.

Marketing communications

From time to time we will send you information about our products and services and the projects we lend to. We are careful not to send you information, or additional information about our services, where you do not want it. You can choose what information you want to receive when you apply for or open a product or service with us and you can change your communication preferences in Internet Banking or through the Triodos Crowdfunding website if you have registered, or by contacting us. You will also be provided with an opportunity to stop receiving information from us through an ‘unsubscribe’ link in any emails we may send you.

If you are not yet a customer of Triodos and want to receive marketing communications from us, you can request this through our website or by calling our contact team. You will be asked to provide us with your contact details and to give your consent for Triodos to use your personal data. You may withdraw your consent and unsubscribe from the marketing communications whenever you want. We will not give your personal data to anyone else for marketing purposes (other than those described above in ‘The use of your personal data by third parties’) without informing you and obtaining your consent.

Personal data used for marketing purposes consists of the personal data we have received from you, and data we have collected when you use our products or services. We only use your personal data to send you marketing communications if we have either a legitimate interest or your consent. A legitimate interest in a marketing context means that we will only send you marketing communications in relation to products or services that may be of interest to you based on what we already know about you. Our legitimate interests will always be balanced with your interests, and you can ask us at any time to stop sending you marketing communications.

What are your rights?

Your personal data is protected by legal rights. For more information or to exercise your data privacy rights, please contact us using the details included on our website.

Individuals or data subjects as they are referred to under data privacy legislation, have the right to be informed about the collection, use and sharing of their personal data. Organisations must provide individuals with certain information at the time personal data is collected. This Privacy Statement provides you with the information you are entitled to and we are required to give you.

You have the right to access your data to establish what it is being used for and verify the lawfulness of any processing. Before providing access to your personal data we will ask you to verify your identity to protect you from identity theft and financial crime. We may also need to ask you some questions to ensure we have understood your request correctly. You can request access to your personal data by completing our Personal data rights request form.

It is important that any personal data we use is accurate, up to date, and relevant. To ensure that your data is correct you have the right to access, correct and/or update your personal data at any time. If you think your data is incorrect or incomplete and you wish to correct your data or privacy settings, please contact us.

You have right to request that we delete your personal data if:

your personal data is no longer needed in relation to the purposes for which was collected;
you withdraw your consent and there are no other legal bases to process your personal data;
you object to us processing your personal data for direct marketing purposes;
you object to us processing your personal data for the legitimate interests of Triodos;
you feel that your personal data is not being processed lawfully; and
your personal data needs to be deleted to comply with legal requirements.

As a financial services provider operating in the UK, Triodos needs to keep your personal data for a certain period of time to provide you with our financial products and services, and to remain compliant with legal and regulatory requirements.

You have the right to request the restriction of the processing of your personal data for a limited period and under certain circumstances. For example, this could apply if you feel that your personal data held by Triodos is inaccurate, has not been processed lawfully, or is no longer needed for the purposes it was originally collected for. Triodos has the right to store your personal data while your query is investigated.

You have the right to receive your personal data in a structured, commonly used and machine-readable format. We are looking at the best way to achieve this for our customers and will provide more information when it is available.

You have the right to object to the processing of your personal data based on legitimate interests, direct marketing, and processing for historical research and statistical purposes. If you decide to exercise this right, please contact us and we will consider your request; Triodos is legally allowed to continue to process your data if one of the following can be demonstrated:

compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
processing is required for the establishment, exercise or defence of legal claims.

As part of the processing of your personal data, some decisions may be made by automated means; we are authorised and required to do this to comply with UK legal and regulatory requirements to prevent and protect you from financial crime. Automated processing and decision making is the most appropriate way to meet these requirements.

You can challenge any decision you are not happy with and can ask us to reconsider any decision that was made solely by automated means; please use the contact details on our website. Any automated processing systems are regularly reviewed to ensure they are accurate.

Term	Definition
CIFAS - Credit Industry Fraud Avoidance System	A UK, not-for-profit fraud prevention service run on a membership association basis. CIFAS hold and exchange information both on known criminals, as well as innocent victims of fraud to help prevent further fraudulent activity.
Cookies	A message given to an Internet Browser by a Server, which is stored in a text file; the message is then sent back to the Server each time the Browser requests a webpage to be opened. Cookies are used to identify users of webpages and to customise content where applicable.
Customer segments	Customer segmentation is the process of dividing customers into groups based on common characteristics, so organisations can market to each group effectively and appropriately.
Data Controller	An individual or organisation which determines why personal data needs to be processed, and the manner it is processed in.
Data Privacy Officer	A position within an organisation responsible for ensuring that personal data is processed in accordance with UK data privacy requirements.
Data Processor	An individual or organisation which processes personal data on behalf of a data controller, in accordance with instructions from the data controller.
Data Subject	An individual who can be identified from the personal data i.e. the person the data is about.
Direct Debit Scheme	A UK payment mechanism run by Bank Account Clearing System Payment Schemes Limited enabling electronic payments to be made once authorisation has been provided by the originator.
European Economic Area (EEA)	The European area which provides for the free movement of persons, goods, services and capital; it is made up of EU members plus other countries within Europe which have agreements in place with the EU.
Experian	An independent UK organisation which helps other organisations identify and assess information about prospective customers. Experian holds both publicly available information from sources such as the Electoral Roll, as well as information provided by other organisations such as credit card providers and Banks who provide loans for example.
Financial Conduct Authority	A UK regulatory body operating independently of the UK Government, which oversees the regulation of conduct by financial services firms operating in the UK.
GDPR - General Data Protection Regulation	The legal framework that sets the guidelines and requirements for the collection, processing and storage of personal data of identifiable individuals within the European Union (EU). The GDPR legislation was adopted in April 2016 and comes into force across the EU on 25 May 2018.
Information Commissioner’s Office (ICO)	The independent UK authority set up to uphold data privacy rights in the public interest.
Lawful basis for processing	One of six allowable lawful bases for processing must be satisfied for Triodos to process your personal data. The six lawful bases are: Consent - the individual has given clear consent Contract - processing is necessary for a contract to be provided Legal obligation - processing is necessary to comply with the law Protect life - processing is necessary to protect someone’s life Public interest - processing is necessary to perform a task in the public interest Legitimate interest - processing is necessary for Triodos’ legitimate interests, or the legitimate interests of a third party, unless there is a good reason to protect the individual's data which overrides these legitimate interests.
Lead Supervisor	Triodos operates across Europe in the UK, France, Belgium, Germany, Spain and The Netherlands. The Group headquarters are in The Netherlands, which means that the main data privacy supervisory body is the Dutch Data Protection Supervisory Authority. TBUK also follows UK data privacy requirements set by the UK government and the ICO.
Legitimate interests	The business reason for Triodos to use your information. It must not conflict unfairly with your rights and interests. GDPR specifically mentions several examples of legitimate interests such as the prevention of fraud, marketing customers could reasonably expect to receive, or IT security for instance.
Personal Data	Any information relating to an identified or identifiable natural person (an individual).
Privacy Shield	A framework for transatlantic exchanges of personal data between the European Union (EU) and the United States of America (USA). It was designed to provide organisations on both sides with a mechanism compliant with data privacy requirements when transferring personal data from the EU to the USA.
Special Categories of Personal Data	Personal data which relates to particular characteristics including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health or medical information, sexual life or orientation. Additional protection is required for personal data falling into this category, and both a general and specific lawful basis for processing are required. This means that one of the six general GDPR lawful bases for processing is needed, as well as one of the following which relate specifically to special categories of personal data: explicit consent processing is necessary for meeting obligations under employment, social security and social protection law processing is necessary to protect the vital interests of someone who is unable to provide consent processing is carried out during legitimate activity by a Foundation, Association or other not-for-profit body with a political, philosophical, religious, or trade union-based aim and processing relates to current or former members of that organisation, and that personal data is not disclosed outside of that organisation processing relates to personal data which has been disclosed by the individual processing is necessary in connection with legal claims processing is necessary for substantial public interest processing is necessary for preventative or occupational health processing is necessary for public interest in the area of public health processing is necessary for archiving purposes in the public interest such as scientific, historic or statistical research
Third parties	Organisations external to Triodos who undertake services and activity on our request such as our business partners, suppliers and affiliates.

Triodos Bank UK Privacy Statement

What is personal data?

Sharing your personal data

What are your rights?

Term

Definition

Your personal cookie settings