Data Protection Notice
The protection of your personal data is important to the BNP Paribas Group of which Creation Financial Services Limited and Creation Consumer Finance Limited are a part. To access the BNP Paribas Personal Data Privacy Charter please click here.
This notice provides you with detailed information relating to the protection of your personal data by Creation Financial Services Limited, Chadwick House, Blenheim Court, Solihull, West Midlands, B91 2AA and Creation Consumer Finance Limited, 4th – 6th floor Wellington Buildings, 2-4 Wellington Street, Belfast, BT1 6HT (‘we’ or ‘us’ or ‘our’ or ‘Creation’).
We are responsible, as a controller, for the processing of your personal data in relation to our activities. We are committed to keeping your personal information private and secure. To help protect your rights, this notice explains how your personal information is collated, used and shared and how it is used for marketing purposes. It will advise you on your rights to obtain your personal data, have it corrected or restricted, object to it being processed and the ability to complain if you are dissatisfied.
Information we collect
We collect your personal data to support us in providing you with a high standard of personalised products and services.
The information we collect may include:
- identification information (e.g. first name, surname, nationality, place and date of birth, gender, passport numbers, photograph, IP address and login credentials used to connect to our website and apps);
- contact information (e.g. postal address, email address and phone number);
- family information (e.g. marital status, number of dependants);
- banking, financial and transactional data (e.g. bank account details, credit card number, money transfers, assets, credit history, income and expenditure);
- data necessary to contest against over indebtedness
- customer call recordings will be collated for a short period of time
- some special categories of personal data such as about your health or your personal circumstances that you share with us to help manage your account
The data we use is either directly provided by you or it is obtained from the following sources:
- through our financial relationship with you, for example through the application process for our products and services;
- publications/databases made available by official authorities;
- our service providers e.g. our print partner or email distribution agency;
- third parties such as credit reference agencies, fraud prevention agencies, credit brokers, employers, family members (in the case of additional cardholders) and people appointed to act on your behalf
When you provide us with third party personal data like the examples listed above, please remember to inform the individuals providing the data that we process the personal data and direct them to the present Data Protection Notice. We will also provide them this information when possible (for instance if we don’t have their contact details, we will not be able to contact them).
In certain circumstances, we may collect and use personal data of individuals with whom we have, could have, or used to have a direct relationship with such as prospective customers.
In the following section we describe how and why we use your personal data and draw your attention to some data processing we consider could be more impactful for you and, in some cases, may require your consent.
We use your information in a number of ways, for example:
A. To comply with our legal and regulatory obligations
We use your personal data to comply with various legal and regulatory obligations, including:
- prevention of money-laundering and financing of terrorism and complying with regulation relating to sanctions and embargoes through our Know Your Customer (KYC) process (to identify you, verify your identity);
- compliance with legislation relating to sanctions and embargoes;
- fight against tax fraud and fulfilment of tax control and notification obligations;
- banking and financial regulations in compliance with which we:
- set up security measures in order to prevent abuse and fraud;
- detect transactions which deviate from the normal patterns;
- define your credit risk score and your reimbursement capacity;
- monitor and report risks that institution could incur;
- reply to an official request from a duly authorised public or judicial authority
B. To perform a contract with you or to take steps at your request before entering into a contract
We use your personal data to enter into and perform our contracts, including to:
- provide you with information regarding our products and services;
- assist you and answer your requests;
- evaluate if we can offer you a product or service and under which conditions
C. To fulfill our legitimate interest
We use your personal data in order to deploy and develop our products or services, to improve our risk management and to secure our legal rights, including:
- to search applications for credit at credit reference agencies;
- proof of transactions;
- fraud prevention;
- IT management, including infrastructure management (e.g. shared platforms) and business continuity and IT security;
- establishing individual statistical models, based on the analysis of transactions, for instance in order to help define your credit risk score;
- establishing aggregated statistics, tests and models, for research and development, in order to improve the risk management of our group of companies or in order to improve existing products and services or create new ones;
- training of our personnel by recording phone calls to our call centres;
- improving the quality of our financial products or services;
- any proposed debt sale or securitisation
D. To provide you with personalised marketing communications about our products and services
Marketing - We may use your personal information to advise you about relevant products and offers (Marketing). We can only use your personal information for marketing if we have either your consent or a ‘legitimate interest’. Legitimate interest is where we have identified from a balancing test that there is a benefit in the information we provide to you as a customer. The balancing test undertaken for our marketing data processes is to ensure our marketing activities have fair and appropriate balance and that the processing does not override your interests and your rights.
We may ask you to confirm or update your marketing consent preferences if you take out any new products or services with us in future.
How to withdraw your consent
If you would like to change your marketing consent preferences or you would like to object or withdraw consent to the processing of your personal data, please do so by:
- accessing your online account manager, or
- call our Customer Services Team, or
- email us at firstname.lastname@example.org, or
- write to us at Creation, Chadwick House, Blenheim Court, Solihull, B91 2AA.
To find out how we use and manage cookies please go to www.creation.co.uk/cookie-policy
Sharing your information
In order to fulfill our activities, we only share your personal data with:
- BNP Paribas Group entities (e.g. you can benefit from our full range of group products and services);
- service providers which perform services on our behalf (e.g. print agencies who deliver communications and debt collection agencies);
- independent agents, intermediaries or brokers;
- fraud prevention agencies and credit reference agencies for the purposes outlined in section ‘Sharing your data with Fraud Prevention and Credit Reference Agencies’ and 'Consequences of Processing' within this document;
- Irish credit bureau for applications undertaken in the Republic of Ireland;
- our retail partners to fulfil their legitimate interests in relation to the products/services linked to the credit;
- financial or judicial authorities, state agencies or public bodies, upon request and to the extent permitted by law;
- certain regulated professionals such as lawyers, notaries or auditors;
- any party connected with any proposed debt sale or securitisation (such parties may process your personal data with the aim of evaluating certain characteristics of yours on an automated basis (known as profiling)) or sale of our business or its assets or merger or re-organisation
Sharing your data with Fraud Prevention and Credit Reference Agencies
Before we provide services, goods or financing to you and during the course of your relationship with us, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.
The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
Examples of the personal information that will be processed are:
- date of birth
- contact details
- financial information
- employment details
- device identifiers including IP address and vehicle details
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us by email at email@example.com or write to us at Creation, Chadwick House, Blenheim Court, Solihull, B91 2AA.
Consequences of Processing
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us by email at firstname.lastname@example.org or write to us at Creation, Chadwick House, Blenheim Court, Solihull, B91 2AA.
In order to process your application we supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial situation and financial history. We do this to assess affordability, creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent fraud and criminal activity. We may also search the files of the Land Registry.
We will continue to exchange information about you with CRAs while you have a relationship with us, including about your settled accounts and any debts not fully repaid on time. Where you have a running account credit with us we may also make further periodic checks with CRAs to manage your account. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. The CRAs will have to place a search footprint on your credit file when we make a search and this may be seen by other lenders.
Where an application for credit has been unsuccessful, we may retain the personal information that we need in order to aid our individual statistical models and credit scoring models. This may include further processing of your data with the CRAs solely for this purpose. We rely on the legal basis that it is our legitimate interest to do this. This potential processing should not affect your ability to obtain credit in future nor should it leave any further footprint with the CRAs. Should you wish to object to this particular processing of your data please forward your objection to www.creation.co.uk/data-subject-rights-request
The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail within the links detailed below:
Trans Union (formerly Call Credit): www.transunion.co.uk/crain
In the circumstance where you are based in the Republic of Ireland (ROI) and you have applied for credit through your application process, your data will be shared with the Irish Credit Bureau (ICB) and Central Credit Register. Further information on the ICB and the CCR is available by accessing the link below:
Irish Credit Bureau: http://www.icb.ie/pdf/Fair Processing Notice.pdf
Central Credit Register: http://www.centralcreditregister.ie/borrower-area/data-protection
Transfer of Personal data outside the EEA
Countries within the European Economic Area (EEA) including the ROI, have similar standards of legal protection for your personal information. We may run your accounts and provide services from centres outside of the UK (such as France) or through Group entities and partners outside the EEA (such as USA or India). For countries outside of the UK and/or EEA who have adequate levels of data protection, your personal data will be transferred on this basis.
When transferring your personal data outside the UK we shall impose contractual obligations on the recipients of that data so that it is protected to the same standard as required in the UK. For ROI customers the data will be protected to the same standard as required in the EEA.
Whenever fraud prevention agencies transfer your personal data outside of the UK, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the UK. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
Holding your information
We will only keep your information for as long as we need to and where we have a legitimate reason to do so for example account maintenance or responding to customer queries. On account closure or after an unsuccessful credit application your data is held for six years. There may be instances where we are asked to retain information for longer due to legal or regulatory reporting requirements.
How to access your Personal Information
You can access your personal data we hold by contacting us by:
- telephone by calling 0121 712 5064;
- through your online account manager;
- write to us at Creation, Chadwick House, Blenheim Court, Solihull, B91 2AA;
- email us at DSARRequests@Creation.co.uk.
Please do advise us of your telephone number and if applicable your Account/Agreement number (on your statement) on your correspondence and on receipt we will contact you by phone to verify your identify and to go through the details of your request. For further information on accessing your personal data, please go to www.creation.co.uk/data-subject-rights-request.
How to update your information
If you would like to change, amend, restrict and or erase your data to the extent permitted by law, please contact us by:
- email us at email@example.com;
- telephone by calling 0371 402 8910;
- write to us at Creation, Chadwick House, Blenheim Court, Solihull, B91 2AA
How to complain
Our customers really matter to us and we are committed to providing you with a great customer experience. If issues do arise, our aim is to resolve them as quickly as possible and make sure you are satisfied with the outcome. To make a complaint please contact: Customer Enquiries by calling 0371 402 8910.
If for some reason we have not been able to resolve your complaint within eight weeks of receipt, or if you are not satisfied with our final response, UK customers can contact the Information Commissioner UK:
Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Telephone: 01625 545745
Fax: 01625 524510
If for some reason we have not been able to resolve your complaint within eight weeks of receipt, or if you are not satisfied with our final response, ROI customers can contact our representative at:
For the Attention of: Chief Risk Officer, GREENVAL INSURANCE DAC, 10 -11 Trinity Point,
Leinster Street South, Dublin 2, D02 EF85
or, alternatively you can contact the Data Protection Commission:
Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
By webform: https://forms.dataprotection.ie/contact
Your personal data is held in secure databases to protect it from theft or being altered. All access to these databases are controlled and monitored to ensure only authorised personnel have access to your data. When your data is sent to a third party that you have agreed to, the data is also sent in an encrypted format and the third party will use the same levels of encryption and security that we use. Our data processing estate is continually monitored and updated to ensure the level of security meets best industry practice and is in accordance with all the laws, regulations and standards required to protect your personal data.
Changes to our Data Protection Notice
We may need to regularly update this Data Protection Notice. The latest version of this notice is available online and we will inform you of any changes through our website or through our other communication channels.
How to contact us
If you have any questions relating to the use of your personal data under this Data Protection Notice, please contact our Data Protection Officer at Creation, Chadwick House, Blenheim Court, Solihull, B91 2AA.
This Data Protection Notice was last reviewed on 31 December 2020.