We will explain how we use any personal data we collect about you or that you provide to us.
- “Cynergy Bank Group” means Cynergy Bank Limited and its group entities;
- “Bank of Cyprus Group” means Bank of Cyprus Public Company Limited and its group entities.
The following Cynergy Bank Group companies will act as a data controller where you hold a product or service with them. Please refer to your product documentation. Any references to “we, us, our” mean either:
- Cynergy Bank Limited - registered in England and Wales as company number 04728421.
- Cynergy Business Finance Limited - registered in England and Wales as company number 13322121.
- Cynergy Connect Technologies Limited - registered in England and Wales as company number 12779777.
If you are applying for Asset Based Lending, then please note Cynergy Bank are in the process of setting up a specific Asset Based Lending business within our group structure which is registered at Companies House as Cynergy Business Finance Limited, a business which specialises exclusively in servicing Asset Based Lending clients. All agreements will initially be entered into with Cynergy Bank Limited and this means your personal data will then be transferred to Cynergy Business Finance Limited when the business set up is complete.
Please note that Cynergy Business Finance Limited and Cynergy Connect Technologies Limited are both subsidiaries of Cynergy Bank Limited and your personal data may be passed to Cynergy Bank for reporting purposes.
If you applied for a Coronavirus Business Interruption Loan (CBILS) or are applying for the Recovery Loan Scheme (RLS) with Cynergy Bank Limited, please note the following:
Categories of Personal Data that we process
If you apply for any product with us we generally always collect:
- Your financial details such as your salary or other income;
- Your title, name, home address and address history as well as contact details such as telephone and mobile numbers and email address;
- National Insurance and Tax Identification number (TIN) used for identification purposes and for use with ISAs;
- Date of birth;
- Nationality and tax residence in order to comply with our legal and regulatory obligations;
- Other details regarding proof of residency such as utility and passport information which we retain on our file;
- Information regarding your employment status and your employer's identity;
- If you are opening an online account, your IP and MAC address as relevant;
- Personal data about you which is obtained from third parties (such as credit reference agencies where you have applied for an overdraft or other credit facilities connected with your account, fraud prevention agencies and publicly available sources such as the electoral roll and in some cases records of debt judgements and bankruptcy information) - for further details see the Credit Reference Agencies section;
- Any other information you give to us or our agents.
You must show this privacy notice to the other applicant(s) and obtain confirmation from them that they know you share their information with us for the purpose described and where necessary obtain their consent for us to process their personal details.
If you are a prospective customer, or a non-customer counterparty in a transaction of a customer (e.g. account or payment authorisation (by SWIFT or not) and over-the-counter transactions) or prospective security provider (e.g. a guarantor for a credit facility) or an authorised representative/agent or beneficial owner of a legal entity or of a natural person which/who is a prospective customer, the relevant personal data which we collect may include:
Name, address, contact details (telephone, email), EU basic payment account identification, birth date, place of birth (city and country), marital status, employed/self-employed, if you hold/held a prominent public function (for PEPs), FATCA / CRS info and authentication data.
Current Account applications
When you apply for a Current Account we will require current income and expenses, employment position and history, property ownership and personal debts, number of dependent children, personal investments and investment income, other banking relationship details, tax residence and tax ID, credit reference agency data, residence or work permit in case of non-EU nationals.
For individuals who will be providing their personal guarantees, the Bank will request personal data disclosing their economic and financial background and credit reference agency data.
We understand the importance of protecting children's privacy. We may collect personal data in relation to children only provided that we have first obtained their parents' or legal guardian's consent or unless otherwise permitted under law. We do not provide any online services to children but we may allow children, with their parents' or legal guardian's consent, to access accounts opened for their benefit on the Bank's online banking system in order to view their account balances. For the purposes of this privacy statement, "children" are individuals who are under the age of eighteen (18) years.
When you apply for a mortgage we will require current income and expenses, employment position and history, property ownership and personal debts, number of dependent children, personal investments and investment income, life insurances (life insurance companies, policy numbers, current surrender values), other banking relationship details, tax residence and tax ID, residence or work permit in case of non-EU nationals.
We carry out credit and identity checks when you apply for a product or services for you or your business. See our section on Credit Referencing Agencies for more information. However, some of our identity checks will be done by Jumio Corporation, based in California, USA. We will therefore, need to share your personal data with them. Please see the section on the Transfer of your personal data to a third country or to an international organisation below. Such personal data can include:
- Date of birth
- Identification image – including a ‘selfie’ image and identity photo documents such as a driving license
- Email address
- IP address
For more information on how Jumio Corporation processes your data, please visit: https://www.jumio.com/legal-information/privacy-policy/jumio-corp-privacy-policy-for-online-services/
Automated Decision Making
As a part of the identity check, a decision to process your application may be made without human involvement and based on technological means. This will occur where the photo on an identity document is compared with a ‘selfie’ to verify the person making the application is the owner of the identity document.
Credit Reference Agencies
We carry out credit and identity checks when you apply for a product or services for you or your business. We may use Credit Reference Agencies to help us with this.
If you use our services, from time to time we may also search information that the Credit Reference Agencies have, to help us manage those accounts.
We will share your personal data with Credit Reference Agencies and they will give us information about you such as missed payments on other accounts you hold. The data we exchange can include:
- Name, address and date of birth
- Credit application
- Details of any shared credit
- Financial situation and history
- Public information, from sources such as the electoral register and Companies House.
We'll use this data to:
- Assess whether you or your business is able to afford to make repayments
- Make sure what you've told us is true and correct
- Help detect and prevent financial crime
- Manage accounts with us
- Trace and recover debts
- Verify your identity and your address
- Make sure that we tell you about relevant offers; and
- Ensure any offers provided to you are appropriate to your circumstances.
If you apply for a product with someone else, we will link your records with theirs. We will do the same if you tell us you have a spouse, partner or civil partner – or that you are in business with other partners or directors.
When Credit Reference Agencies receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
You should tell them about this before you apply for a product or service. It is important that they know your records will be linked together, and that credit searches may be made on them.
We will go on sharing your personal data with Credit Reference Agencies for as long as you are a customer. This will include details about your settled accounts and any debts not fully repaid on time. It will also include details of funds going into the account, and the account balance. If you borrow, it will also include details of your repayments and whether you repay in full and on time. The Credit Reference Agencies may give this information to other organisations that want to check your credit status. We will also tell the Credit Reference Agencies when you settle your accounts with us.
Credit Reference Agencies will also link your records together. These links will stay on your files unless one of you asks the Credit Reference Agencies to break the link. You will normally need to give proof that you no longer have a financial link with each other.
You can find out more about the Credit Reference Agencies on their websites, in the Credit Reference Agency Information Notice (CRAIN) which sets out how your data will be processed by Callcredit, Equifax and Experian. Please go to www.equifax.co.uk/crain, www.callcredit.co.uk/crain or www.experian.co.uk/crain/index to read the notice in full. This includes details about:
- Who they are
- Their role as fraud prevention agencies
- The data they hold and how they use it
- How they share personal data
- How long they can keep data
- Your data protection rights
Here are links to the information notice for each of the three main Credit Reference Agencies:
Fraud Prevention Agencies
We may need to confirm your identity before we provide products or services to you or your business. Once you have become a customer of ours, we will also share your personal data as needed to help detect fraud and money-laundering risks. We use Fraud Prevention Agencies (FPA) such as CIFAS and National Hunter to help us with this, and if false or inaccurate information is provided and fraud identified, details will be passed to Fraud Prevention Agencies to prevent money laundering.
Both we and Fraud Prevention Agencies can only use your personal data if we have a proper reason to do so. It must be needed either for us to obey the law, or for a ‘legitimate interest’.
A legitimate interest is when we have a business or commercial reason to use your information. This must not unfairly go against what is right and best for you.
We will use the information to:
- Confirm identities
- Help prevent fraud and money-laundering
- Fulfil any contracts you or your business has with us
We or a Fraud Prevention Agency may allow law enforcement agencies to access your personal data. This is to support their duty to detect, investigate, prevent and prosecute crime.
FPAs can keep personal data for different lengths of time. They can keep your data for up to six years if they find a risk of fraud or money-laundering.
The information we use
These are some of the kinds of personal information that we use:
- Date of birth
- Residential address
- History of where you have lived
- Contact details, such as email addresses and phone numbers
- Financial data
- Data relating to your or your business products or services
- Employment details
- Data that identifies computers or other devices you use to connect to the internet. This includes your Internet Protocol (IP) address
Why we process your personal data and on what legal basis
We are committed to protecting your privacy and handling your data in an open and transparent manner and as such we process your personal data in accordance with the General Data Protection Regulation (GDPR) and the local data protection law for one or more of the following reasons:
- For the performance of a contract
We process personal data in order to perform banking transactions and offer financial services based on contracts with our customers but also to be able to complete our acceptance procedure so as to enter into a contract with prospective customers.
The purpose of processing personal data depends on the requirements for each product or service and the contract terms and conditions provide more details of the relevant purposes.
- For compliance with a legal obligation
There are a number of legal obligations emanating from multiple laws and regulations to which we are subject as well as statutory requirements, e.g. UK banking law, the Money Laundering Law, Tax laws, Law on Deposit Guarantee Protection and Resolution of Credit and Other Institutions Scheme, Payments Law and Payment Scheme Rules. There are also various supervisory authorities whose laws and regulations we are subject to, e.g. Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA), Bank of England, Financial Ombudsman Service (FOS), the Financial Services Compensation Scheme (FSCS), the European Central Bank where we have a contractual requirement to do so following our separation from the Bank of Cyprus Group. Such obligations and requirements impose on us necessary personal data processing activities for credit checks, identity verification, compliance with court orders, tax law or other reporting obligations and anti-money laundering controls.
- For the purposes of safeguarding legitimate interests
We process personal data so as to safeguard the legitimate interests pursued by us or by a third party. A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. Examples of such processing activities include:
- Initiating legal claims and preparing our defence in litigation procedures
- Means and processes we undertake to provide for the Bank's IT and system security, preventing potential crime, asset security, admittance controls and anti-trespassing measures
- Setting up CCTV systems, e.g. at ATMs, for the prevention of crime or fraud
- To adhere to best practice, rules and requirements of bodies such as HMRC; the FCA; the PRA; the FOS; the Information Commissioner's Office; the FSCS
- Measures to manage business and for further developing products and services
- Sharing your personal data to other companies in the Bank of Cyprus Group where we have a contractual requirement to do so following our separation from the Bank of Cyprus Group
- Our own and risk management
- The transfer, assignment (whether outright or as security for obligations) and/or sale to one or more persons (including the Bank of England) of and/or charge and/or encumbrance over, any or all of the Bank's benefits, rights, title or interest under any agreement between the customer and the Bank.
- You have provided your consent
Provided that you have given us your specific consent for processing (other than for the reasons set out hereinabove) then the lawfulness of such processing is based on that consent. You have the right to revoke consent at any time. However, any processing of personal data prior to the receipt of your revocation will not be affected.
Examples of when we process data with your consent are:
- When you request us to share your data with someone else
- When you indicate you wish to receive direct marketing from us
- For some special categories of Personal data such as data regarding your health or if you have special circumstances which may require us to tailor how we communicate with you; in such circumstances we will explain to you when we ask for your consent what purpose and how we will use your data.
- Processing for a substantial public interest
We may process data for a substantial public interest under laws which apply to us where this helps us to meet our broader social obligations such as processing information about your health or if you have a special need which may require us to tailor how we communicate with you or where we need to fulfil our legal or regulatory obligations.
Who receives your personal data?
In the course of the performance of our contractual and statutory obligations, your personal data may be provided to various departments within the Cynergy Bank Group; and the Bank of Cyprus Group where we have a contractual requirement to do so following our separation from the Bank of Cyprus Group. Various service providers and suppliers may also receive your personal data so that we may perform our obligations. Such service providers and suppliers enter into contractual agreements with the Bank by which they observe confidentiality and data protection according to the data protection law and GDPR.
We may disclose data about you for any of the reasons set out above, or if we are legally required to do so, or if we are authorised under our contractual, regulatory or statutory obligations or if you have given your consent. All data processors appointed by us to process personal data on our behalf are bound by contract to comply with the GDPR provisions. Under the circumstances referred to above, recipients of personal data may be, for example:
- Supervisory and other regulatory and public authorities where a statutory obligation exists. Some examples are the FCA, PRA, the European Central Bank where we have a contractual requirement to do so following our separation from the Bank of Cyprus Group, the income tax authorities, criminal prosecution authorities
- Credit and financial institutions such as correspondent banks and the British Business Bank plc
- Share and stock investment and management companies
- Valuators and surveyors
- Non-performing loan management companies
- External legal firms
- Financial and business advisors
- Auditors and accountants
- Marketing companies (where you have provided consent) and market research companies
- Companies which help us to provide you with debit cards, such as Visa, and process those payments
- Fraud prevention agencies
- File storage companies, archiving and/or records management companies, cloud storage companies
- Companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support and facilitating payments
- Purchasing and procurement and website and advertising agencies
- Potential or actual purchasers and/or transferees and/or assignees and/or charges (including the Bank of England FLS) of any of the Bank's benefits, rights, title or interest under any agreement between the customer and the Bank, and their professional advisors, service providers, suppliers and financiers
- For our anti-money laundering process, such as credit reference agencies
- Debt Collection Agencies
Transfer of your personal data to a third country or to an international organisation
Whilst we are based in the UK sometimes it's necessary to transfer information outside the UK. Data transferred within the European Economic Area (EEA) is protected by European data protection standards. Some countries outside the EEA do not have adequate protection for personal data under laws that apply. We will therefore make sure that adequate protection is in place before data is transferred in such circumstances.
To what extent there is automated decision-making and whether profiling takes place
In establishing and carrying out a business relationship, we generally do not use any automated decision-making. We may process some of your data automatically, with the goal of assessing certain personal aspects (profiling), in order to enter into or perform a contract with you, in the following cases:
- Data assessments (including on payment transactions) are carried out in the context of combating money laundering and fraud. An account may be detected as being used in a way that is unusual for you or your business. These measures may also serve to protect you.
- Credit scoring is used as part of the assessment of your creditworthiness. This calculates whether you or your business will meet your payment obligations pursuant to a contract. This helps us make responsible lending decisions that are fair and informed.
In all of the above cases an individual review will be completed before a final decision is made.
How we treat your personal data for marketing activities and whether profiling is used for such activities
We may process your personal data to tell you about products, services and offers that may be of interest to you or your business.
The personal data that we process for this purpose consists of information you provide to us and data we collect and/or infer when you use our services, such as information on your transactions. We study all such information to form a view on what we think you may need or what may interest you.
We can only use your personal data to promote our products and services to you if we have your explicit consent to do so.
You have the right to object at any time to the processing of your personal data for marketing purposes by contacting us either in person or in writing or by calling 0345 850 5555 (+44 (0)20 3375 6422 from outside the UK). Calls may be recorded for monitoring and training.
How long we keep your personal data for
We will keep your personal data for as long as we have a business relationship with you as an individual or in respect of our dealings with a legal entity you are authorised to represent or are a beneficial owner.
Once our business relationship with you has ended, we may keep your data for up to ten (10) years. This period is based on a mixture of our legal and regulatory obligations and limitation periods. The reasons for keeping your data are:
- To respond to queries or complaints or regulatory requests;
- To maintain records according to any rules that apply to us; and
- For research and statistical purposes to ensure we continue to make informed lending decisions and understand the performance of our savings products.
We may keep your data for longer than 10 years if we cannot delete it for legal, regulatory or technical reasons.
For prospective customer personal data (such as where you give us data but don't subsequently proceed with the application), or authorised representatives/agents or beneficial owners of a legal entity prospective customer, we shall keep your personal data for 12 months from the date of notification of the rejection of your application for banking services and/or facilities or from the date of withdrawal of such application.
Your data protection rights
You have the following rights in terms of your personal data we hold about you:
- The right to receive access to your personal data. This enables you to e.g. receive a copy of the personal data we hold about you and to check that we are lawfully processing it. In order to receive such a copy you can download a Data Subject Access Requests form from our website (see the Data Subject Access Requests).
- The right to request correction (rectification) of the personal data we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
- The right to request erasure of your personal data. This enables you to ask us to erase your personal data (known as the ‘right to be forgotten’) where there is no good reason for us continuing to process it. Please note however that this right does not take precedence over our obligations as a regulated business to retain your data in certain circumstances.
- The right to object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
You also have the right to object where we are processing your personal data, for direct marketing purposes. If you object to processing for direct marketing purposes, then we shall stop the processing of your personal data for such purposes.
- The right to request the restriction of processing of your personal data. This enables you to ask us to restrict the processing of your personal data, i.e. use it only for certain things, if:
- It is not accurate,
- It has been used unlawfully but you do not wish for us to delete it,
- It is not relevant any more, but you want us to keep it for use in possible legal claims,
- You have already asked us to stop using your personal data but you are waiting for us to confirm if we have legitimate grounds to use your data.
- The right to request to receive a copy of the personal data you have provided to us concerning you in a format that is structured and commonly used and transmit such data to other organisations. You also have the right to have your personal data transmitted directly by ourselves to other organisations you will name (known as the right to data portability).
- The right to withdraw the consent that you gave us with regard to the processing of your personal data at any time. Note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you.
To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact your Relationship Manager, visit our North London branch or send a secure message if you are registered for Online Banking.
You can also contact our Data Protection Officer at firstname.lastname@example.org.
We endeavour to address all of your requests promptly.
Right to lodge a complaint
If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to complain by contacting us. You also have the right to complain to the Information Commissioner's Office. Find out on their website how to submit a complaint at https://ico.org.uk/.
How to get a copy of your personal data (Data Subject Access Request)
You can obtain a copy of your personal data held by us, by downloading a Data Access Request Form from our website and returning the completed form to us or by writing to us at Cynergy Bank, PO Box 17484, 87 Chase Side, London, N14 5WH.
We'll need address verification and identification documents for each individual making a Data Subject Access Request.
Original or certified address verification and certified identification documents which are acceptable include:
- A certified copy of each individual's passport,
- A certified copy of a utility bill or bank statement (dated within 6 months) confirming each individual's residential address. Please note we do not accept mobile phone bills.
Documents can be certified by an EU bank, an EU solicitor, an EU accountant, or a UK Post Office. These copies must be stamped to indicate they are 'true copies of the original'. The certification must also include:
- The name and address of the certifying firm/organisation (official business stamp required),
- The full name and signature of the certifying officer,
- The date of certification.
We'll deal with your request as quickly as possible, but in no more than 30 calendar days from receipt of all required identification.
Frequently asked questions
To help you understand the basic principles of data privacy law and address some of the common questions that arise with regard to the protection of your personal data, please refer to the Frequently Asked Questions.
Browsers are software used to access any webpage, like Internet Explorer, Firefox or Google Chrome, to help navigate through websites. Cookies are small amounts of text that websites send to your browser to help it navigate through the pages.
Cookies contain information that is transferred to your computer's hard drive/mobile devices. These cookies are used to store information, such as the time that the current visit occurred, whether you have been to the site before and what site referred you to the web page.
Our website uses performance cookies to monitor how the website is used. All information is stored in an anonymous form and no personal data is captured by this site automatically.
We use performance cookies on our website and Live Chat to:
- Store the location of the IP address so that customers accessing the site from outside the UK are routed to the international customers' section of the website;
- Help us improve the website by understanding what pages are popular;
- Identify and correct errors;
- Provide statistics on how our website is used so we can improve the site; and
- Monitor the effectiveness of our adverts.
IP address, operating system and browser type. This is statistical data, used to analyse users' browsing patterns to help us understand how customers use the site, and does not identify any individual.
Information on how to disable cookies is available at http://www.allaboutcookies.org/manage-cookies/
Your IP address is the individual identification number that is assigned to your computer when connected to the Internet. This is automatically logged by our web-server and Online Banking application. We use the IP address to route users to the international customers' pages if the IP address is located outside the UK. Unless we suspect fraud, your IP address will not be used to identify you personally.
Google Analytics is a web analytics tool that helps us understand how visitors engage with our website. Google Analytics enables us to view a variety of reports about how visitors interact with our website so we can improve it. Google Analytics uses first-party cookies to collect information about how visitors use our site. We then use the information to compile reports and to help us improve our site.
Google Analytics collects information anonymously. It reports website trends without identifying individual visitors. You can opt out of Google Analytics without affecting how you visit our site – for more information on opting out of being tracked by Google Analytics across all websites you use, visit this Google page. Our 'Performance' cookies will not be used to:
- Gather information that can be used to advertise products or services to you on other websites;
- Target adverts to you on any other website.
Using our site indicates that you accept the use of our cookies. If you disable them we cannot guarantee how our site will perform.
Most popular browsers give users control over the cookies stored on their machines. You can manually set your browser to accept or reject all or certain cookies or to prompt you every time a cookie is offered. Please note that a cookie will be used to remember your preferences, therefore:
- If you delete all your cookies you will have to update your preferences with us again.
- If you use a different device, computer profile or browser you will have to tell us your preferences again.
Please note that parts of our website may direct you to a third party's website over which we have no control. For more information about cookies please visit the website set up by the Interactive Advertising Bureau (Europe) at http://www.allaboutcookies.org/.