The Triodos Bank UK (TBUK) Privacy Statement sets out your rights and the measures TBUK will take to protect your personal data. This includes how we will use your information, what rights you have, and how the law protects you as an individual. TBUK is a Data Controller as defined under data privacy legislation.
Triodos will review and amend this privacy statement from time to time. You can always find the most up-to-date version on our website www.triodos.co.uk. Any terms with a specific definition used in this statement are highlighted in italics and are explained in the Glossary section.
Personal data means any information relating to an individual who can be directly or indirectly identified by reference to the information. Individuals are referred to as Data Subjects under data privacy legislation. A wide range of information constitutes personal data, including, for example, names, contact information, identification numbers such as National Insurance numbers, and online identifiers often referred to as 'cookies'. This applies to both digital and paper-based information included within filing systems, or which is intended to be placed within a filing system.
The processing of personal data means any interaction with the information, including, for instance, viewing, collecting, sharing, storing, transferring or analysing it. This can be by either a Data Controller or a Data Processor.
Your personal data will be held by Triodos Bank N.V in The Netherlands and by TBUK. You can find information on how to contact us as well as further information on what Triodos does, on our website. TBUK has appointed a Data Privacy Officer (DPO) and any data privacy queries which cannot be resolved through the information provided on our website can be directed to them using the contact details included on our website.
The use of your personal data is covered by Triodos Bank's registration with the UK Information Commissioner's Office; registration number Z6794013.
When you apply for a product or service with Triodos you will need to provide certain personal data to enable us to process your application, and to then provide the product or service you want on an on-going basis. For example, your name, contact details such as your email address and phone number(s), addresses, or your National Insurance number. Triodos may also hold personal data about you throughout our relationship with you, for instance the transactions you make using your current account or how you use our website.
The General Data Protection Regulation (GDPR) legislation which applies across Europe only allows the processing of personal data if one or more conditions are met; this is known as a lawful basis for processing. There are six lawful bases provided under GDPR, which are included in the Glossary section. Triodos will only process your personal data for the reasons it was provided for, and only where there is a lawful basis for processing allowing this.
|What do we use your personal data for?||Why do we need to use your personal data and which lawful basis for processing is applicable?||What are our legitimate interests in using your personal data?|
|To manage our relationship with you and deliver our products and services||Fulfilling a contract we have agreed between us (contract); We are legally required to complete certain activities (legal obligation); Undertake activity for your and our legitimate interests (legitimate interests)||Keeping our records up to date; Working out which of our products and services will be of interest to you; Developing our products and services based on your use of them and any feedback; Informing you of relevant products and services that may be of interest to you|
|To detect, investigate, report and try to prevent financial crime||We are legally required to complete certain activities (legal obligation); Fulfilling a contract we have agreed between us (contract); Undertake activity for your and our legitimate interests (legitimate interests)||Complying with our legal requirements; Reviewing and improving how we deal with financial crime|
|To run our business properly and efficiently||We are legally required to complete certain activities (legal obligation); We have a legal duty to provide you with a fair and easy to understand service (legal obligation); Undertake activity for your and our legitimate interests (legitimate interests)||Complying with regulations that apply to us (such as those set by The Financial Conduct Authority - FCA or The Information Commissioner's Office - ICO for instance); Being as efficient as we can and providing you with information you need|
We use different types of personal data and have grouped them into the following categories:
|Category of personal data||Description|
|Contact information||How to contact you including where you live, your telephone number and your email address (where relevant).|
|Personal details||Personal information such as your gender, date of birth, or occupation.|
|Special categories of personal data||GDPR categorises certain sensitive personal information as 'special category' personal data; this includes information about your health, political opinions, or sexual orientation for instance. Triodos will not collect and use these types of data, unless there is a legal obligation to do so, or it is required to provide (or continue to provide) a product or service to you in accordance with legal or regulatory requirements.|
|National Identification numbers||A number or code given to you by a government authority to identify who you are, such as your UK National Insurance number.|
|Financial information||Financial information such as your bank account number and transaction history.|
|Contractual information||Details about the products or services we provide you.|
|Administrative information||Registration numbers and administrative reports.|
|Transactional information||How you use our products such as your bank account, for example how and where your debit card is used or what you use our Internet Banking services to do. This information is used to help protect you from fraud and comply with our legal and regulatory obligations.|
|Socio-demographic data||What you do for a living, what communication channels you prefer to use; this information is used to help us ensure you receive the right information at the right time, using the right method of communication.|
Triodos collects personal data that you provide when interacting with us, from companies we use to complete financial transactions, and, if you have given us consent to do so by agreeing with the cookie statement on our website, from the registration of your online activities. Personal data that we have collected from you will include data you have provided when you:
We may also obtain your personal data from other companies we deal with if there is a lawful basis to do so, in which case you will be notified of how and why we will use them. This could include the following:
Triodos will only share your data if there is a lawful basis to do so. We will treat all your personal data as private and confidential and in accordance with data privacy legislation (even when you are no longer a customer). Information we hold about you will not be disclosed to anyone unless:
We may need to share your personal data with other organisations to provide you with the product or service you have chosen. For example:
A record of any fraud or money laundering risk will be retained by fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us.
If false or inaccurate information is provided and fraud is identified, then details will be passed to fraud prevention agencies:
We and other organisations may access and use the information recorded by fraud prevention agencies, including in other countries. Please contact us if you want to receive details of the relevant fraud prevention agencies.
When a third party processes your personal data on our behalf, we ensure that they follow our instructions to process and protect your personal data. Third parties are required to sign agreements in which they commit themselves to safeguard your personal data, agree to only use the data to provide services to us specifically outlined in the agreement, and follow our instructions.
Your personal data will be shared with the following categories of third parties for the purposes described:
|Category of third parties:||Data type:||Purposes:|
| ||Contact information, personal details, financial / contractual / transactional information||To provide you with the product or service you applied for|
|Market research and marketing communications companies||Contact information, socio-demographic information, personal details, financial information||To ensure that you receive the right marketing communication messages from us, at the right time and in areas that you are interested in.|
|Credit Reference Agencies||Contact information, personal details, financial / contractual / transactional information||To help us make decisions and assess risk when considering your application for our products or services|
|Fraud Prevention Systems||Contact information, personal details, financial / contractual / transactional information||To help protect you from fraud|
|Governmental departments||Any information requested, once legal authority has been verified.||To fulfil our legal and regulatory obligations|
Triodos' default position is that we will not disclose or transfer personal data to organisations outside of the European Economic Area ('EEA'). However, where this is required we will inform you and confirm why we need to do this. When we do transfer personal data outside of the EEA, we will make sure that it is protected at the same level as within the EEA by using one of these safeguards:
We use external providers and Triodos systems to help us make some decisions about you or your business. This helps us to make sure our decisions are quick, fair, efficient and correct, and are based on up to date information. These decisions can affect the products, services or features we may offer you now or in the future. In case a decision produces legal effects such as changing a contract we offer you (or similarly affects you), you have the right not to be subject to a decision based solely on automated processing. We use your data to support decision-making in the following ways:
When you open an account with us, we check that the product or service is relevant for you, based on the data you have provided, and any reference information held by external providers. We check that you or your business meet our requirements to open an account. This may include verifying your identity and personal details such as your age, residency status, nationality and credit history.
When you apply for credit we make a risk assessment to decide whether to lend you money. This risk assessment is based on the information included in your application, credit reference information we obtain externally and our analysis to help understand your financial situation. When approving credit, we ensure that decisions are never solely based on automated systems and that there is always a person involved to help make a sound, fair and unbiased decision.
When you apply for a product or service we are required to perform checks on the data you have provided about you and/or your business. We also check your credit history if you have applied for a product which includes credit facilities. Triodos shares the personal data you provide during your application with Credit Reference Agencies that help us with these checks. The data we exchange with the Credit Reference Agencies includes:
We'll use this data to:
We share your data with Credit Reference Agencies for as long as you remain a customer. This will include details about any repaid or outstanding debts. It will also include details of funds going into the account, and the account balance. If you borrow money from us, it will also include details of your repayments and whether you repay in full and on time.
When Credit Reference Agencies receive a search request from us they will place a search footprint on your credit file that may be seen by other lenders.
The identities of the Credit Reference Agency used by Triodos, and the ways in which they use and share personal data, are explained in more detail at www.experian.co.uk/crain
We monitor financial activities to study and learn about our customers' behaviour and needs, and to make decisions based on what we learn to improve our service quality and products. We put customers with similar activities into groups called customer segments. The use of customer segments helps us to design products and services that better suit our customers' needs, and market them appropriately and effectively to customers who are likely to be interested in them.
We monitor your personal or business account to identify whether you may have been a victim of fraud. If we identify that there is a risk of fraud, we may stop financial transactions and temporarily block access to your account while this is investigated. You will be contacted and kept up to date during this process.
Fraud Prevention Agencies (FPAs) and law enforcement agencies can legally access your personal data. In cooperation with these agencies, we use your personal data to confirm your identity before we provide products or services to you or your business. When Triodos and fraud prevention agencies process your personal data, processing is undertaken on the basis that there is a legitimate interest in preventing fraud and money laundering, and to verify your identity. This is to protect our business and to comply with laws that apply to us as a Bank.
Once you have become a customer, we share your personal data with these agencies to help detect, investigate, prevent and prosecute financial crime. These agencies may keep your personal data for up to 10 years depending on their findings and (inter-) national legal requirements. Law enforcement agencies may keep files of criminal offences for up to 20 years.
If Triodos, or a fraud prevention agency, determine that you pose a fraud or money laundering risk we may refuse to provide the products or services you have requested, or we may stop providing existing products and/or services to you.
We may need to collect personal data by law, such as your identity documents, or under the terms and conditions of a contract we have with you. If you choose not to provide us with, or choose to restrict the processing of, the information we need, it may prevent us from meeting our contractual obligations and providing you with the product you have applied for. This situation could result in the cancellation of a product or service you have with us or the termination of our contract with you. We will discuss this with you at the time before making any changes to your products or services.
Where personal data has been collected using your consent as the lawful basis for processing, you are free to withdraw your consent at any time and without any contractual or service delivery consequences other than the services you choose not to make use of.
From time to time we will send you information about our products and services and the projects we lend to. We are careful not to send you information, or additional information about our services, where you do not want it. You can choose what information you want to receive when you apply for or open a product or service with us and you can change your communication preferences in Internet Banking or through the Triodos Crowdfunding website if you have registered, or by contacting us. You will also be provided with an opportunity to stop receiving information from us through an 'unsubscribe' link in any emails we may send you.
If you are not yet a customer of Triodos and want to receive marketing communications from us, you can request this through our website or by calling our contact team. You will be asked to provide us with your contact details and to give your consent for Triodos to use your personal data. You may withdraw your consent and unsubscribe from the marketing communications whenever you want. We will not give your personal data to anyone else for marketing purposes (other than those described above in 'The use of your personal data by third parties') without informing you and obtaining your consent.
Personal data used for marketing purposes consists of the personal data we have received from you, and data we have collected when you use our products or services. We only use your personal data to send you marketing communications if we have either a legitimate interest or your consent. A legitimate interest in a marketing context means that we will only send you marketing communications in relation to products or services that may be of interest to you based on what we already know about you. Our legitimate interests will always be balanced with your interests, and you can ask us at any time to stop sending you marketing communications.
As long as you are a customer of Triodos we will process your personal data to provide you with the products and services you have asked us to provide. After you end your contract with Triodos we may retain some or all of your personal data for up to 12 years (depending on the products or services you took out) for one or more of these reasons:
We may keep your personal data for longer than 12 years if we cannot delete it for legal, regulatory or technical reasons. Personal data will be retained with the utmost care and security measures will be applied to ensure your privacy and security are maintained.
GDPR entitles you to several rights in relation to your personal data. You can contact us using this form.
Individuals, or data subjects as they are referred to under data privacy legislation, have the right to be informed about the collection, use and sharing of their personal data. Organisations must provide individuals with certain information at the time personal data is collected. This Privacy Statement provides you with the information you are entitled to and we are required to give you.
You have the right to access your data to establish what it is being used for and verify the lawfulness of any processing. Before providing access to your personal data we will ask you to verify your identity to protect you from identity theft and financial crime. We may also need to ask you some questions to ensure we have understood your request correctly. You can request access to your personal data through our website.
It is important that any personal data we use is accurate, up to date, and relevant. To ensure that your data is correct you have the right to access, correct and/or update your personal data at any time. If you think your data is incorrect or incomplete and you wish to correct your data or privacy settings, please contact us.
You have the right to request that we delete your personal data if:
a) your personal data is no longer needed in relation to the purposes for which it was collected;
b) you withdraw your consent and there are no other legal bases to process your personal data;
c) you object to us processing your personal data for direct marketing purposes;
d) you object to us processing your personal data for the legitimate interests of Triodos;
e) you feel that your personal data is not being processed lawfully; and
f) your personal data needs to be deleted to comply with legal requirements.
As a financial services provider operating in the UK, Triodos needs to keep your personal data for a certain period of time to provide you with our financial products and services, and to remain compliant with legal and regulatory requirements.
You have the right to request the restriction of the processing of your personal data for a limited period and under certain circumstances. For example, this could apply if you feel that your personal data held by Triodos is inaccurate, has not been processed lawfully, or is no longer needed for the purposes it was originally collected for. Triodos has the right to store your personal data while your query is investigated.
You have the right to receive your personal data in a structured, commonly used and machine-readable format. We are looking at the best way to achieve this for our customers and will provide more information when it is available.
You have the right to object to the processing of your personal data based on legitimate interests, direct marketing, and processing for historical research and statistical purposes. If you decide to exercise this right, please contact us and we will consider your request; Triodos is legally allowed to continue to process your data if one of the following can be demonstrated:
a) compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
b) processing is required for the establishment, exercise or defence of legal claims.
Triodos does not undertake any processing which includes decisions made by solely automated means, including profiling.
Please contact us in the first instance if you have any concerns with how we have processed your personal data. Details on how to do this are included on our website. You also have the right to lodge a complaint directly with the ICO; please visit their website (https://ico.org.uk/for-the-public/) for further details on how to do this.
If you choose, you can also lodge a complaint with the Dutch Data Protection Supervisory Authority (Autoriteit Persoonsgegevens); they are the lead supervisor for data privacy for Triodos. Please visit their website (https://autoriteitpersoonsgegevens.nl/en) for further details.
|CIFAS - Credit Industry Fraud Avoidance System||A UK, not-for-profit fraud prevention service run on a membership association basis. CIFAS hold and exchange information both on known criminals, as well as innocent victims of fraud to help prevent further fraudulent activity.|
|Cookies||A message given to an Internet Browser by a Server, which is stored in a text file; the message is then sent back to the Server each time the Browser requests a webpage to be opened. Cookies are used to identify users of webpages and to customise content where applicable.|
|Customer segments||Customer segmentation is the process of dividing customers into groups based on common characteristics, so organisations can market to each group effectively and appropriately.|
|Data controller||An individual or organisation which determines why personal data needs to be processed, and the manner it is processed in.|
|Data Privacy Officer||A position within an organisation responsible for ensuring that personal data is processed in accordance with UK data privacy requirements.|
|Data Processor||An individual or organisation which processes personal data on behalf of a data controller, in accordance with instructions from the data controller.|
|Data Subject||An individual who can be identified from the personal data i.e. the person the data is about.|
|Direct Debit Scheme||A UK payment mechanism run by Bank Account Clearing System Payment Schemes Limited enabling electronic payments to be made once authorisation has been provided by the originator.|
|European Economic Area (EEA)||The European area which provides for the free movement of persons, goods, services and capital; it is made up of EU members plus other countries within Europe which have agreements in place with the EU.|
|Experian||An independent UK organisation which helps other organisations identify and assess information about prospective customers. Experian holds both publicly available information from sources such as the Electoral Roll, as well as information provided by other organisations such as credit card providers and Banks who provide loans for example.|
|Financial Conduct Authority||A UK regulatory body operating independently of the UK Government, which oversees the regulation of conduct by financial services firms operating in the UK.|
|GDPR - General Data Protection Regulation||The legal framework that sets the guidelines and requirements for the collection, processing and storage of personal data of identifiable individuals within the European Union (EU). The GDPR legislation was adopted in April 2016 and comes into force across the EU on 25 May 2018.|
|Information Commissioner's Office (ICO)||The independent UK authority set up to uphold data privacy rights in the public interest.|
|Lawful basis for processing||One of six allowable lawful bases for processing must be satisfied for Triodos to process your personal data. The six lawful bases are:|
|Lead Supervisor||Triodos operates across Europe in the UK, France, Belgium, Germany, Spain and The Netherlands. The Group headquarters are in The Netherlands, which means that the main data privacy supervisory body is the Dutch Data Protection Supervisory Authority. TBUK also follows UK data privacy requirements set by the UK government and the ICO.|
|Legitimate interests||The business reason for Triodos to use your information. It must not conflict unfairly with your rights and interests. GDPR specifically mentions several examples of legitimate interests such as the prevention of fraud, marketing customers could reasonably expect to receive, or IT security for instance.|
|Personal Data||Any information relating to an identified or identifiable natural person (an individual).|
|Privacy Shield||A framework for transatlantic exchanges of personal data between the European Union (EU) and the United States of America (USA). It was designed to provide organisations on both sides with a mechanism compliant with data privacy requirements when transferring personal data from the EU to the USA.|
|Special Categories of Personal Data||Personal data which relates to particular characteristics including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health or medical information, sexual life or orientation.|
|Third parties||Organisations external to Triodos who undertake services and activity on our request such as our business partners, suppliers and affiliates.|