This notice describes how Pennysmart CIC uses and protects the personal information that it holds about clients in accordance with General Data Protection Regulation (GDPR).
We encourage you to read this notice carefully so that you are aware of how and why we are using this information.

GDPR Principles.

In collecting and processing your personal information, we will comply with the data protection law in force at the time. This requires that the personal information that we hold about you must be:
1. Processed lawfully, fairly and in a transparent way.
2. Collected for specified, explicit and legitimate purposes and not further processed in a matter that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes for which the personal data is processed.
6. Kept securely, protecting against unauthorised or unlawful processing, accidental loss, damage or destruction.

What types of personal data do we hold about you?

We will collect, store and use a variety of categories of personal information about you such as:
  • Personal details – Name, postal address, phone, email, date of birth.
  • Financial Information – Such as your household income, outgoings, any debts including account numbers, credit files and bank statements.
  • Sensitive and special categories – Ethnicity, nationality, disability, sickness/health records etc.

How is your personal information collected?

We collect personal information through various sources and formats (digital and hard copy) including:
• Referral forms we receive from your referring officer.
• Telephone appointments, text messages and emails.
• Verification paperwork you provide to us.
• Credit Report Checks accessing data from Experian, Equifax and TransUnion.
• Access to your Bank Transaction data including the use of open banking.
• Correspondence from your creditors.

Credit Report Information.

We request this information to help us access your financial situation enabling us to provide you with relevant debt solutions. We will use the information held by credit reference agencies such as Experian, Equifax & TransUnion, this will include electoral roll and financial data they hold about you and any other financial associations. By confirming your agreement to proceed you are agreeing that this data about you can be released by the credit reference agencies. A record of this check will be shown on your credit reports, but will not affect your credit rating in any way.

What do we do with your personal information?

We will use your data for a number of processes, all of which are to enable Pennysmart CIC to provide you with free, impartial and quality advice.

What is the purpose and legal basis of the processing?

Data protection laws require Pennysmart CIC to meet certain conditions before we are allowed to use your personal data. This privacy notice identifies that the data we use is for Legitimate Interest and for fulfilling the obligation of a contract with the individual.We may also use or disclose the information provided for the following statutory or public interest purposes:
• To prevent or detect fraud.
• To support internal and external audits.
• To provide statutory returns required by applicable legislation.

Who might we share it with?

We may have to share your data with third parties and require third parties to respect the security of your data and to treat it in accordance with the law. If necessary and relevant, data may be shared with:
• Creditors.
• Your Landlord & Council.
• The Insolvency Service.
• Your Referring Officer.
• Pension Providers.
• Credit Reference Agencies and any bodies used who provide this service to Pennysmart Money Advice.
• Any official authorising advice body such as the FCA & AQS.
• Benefits agencies such as DWP or HMRC.

Where we store your personal data and how we keep it safe.

The data that we collect from you will be stored inside the UK or the European Economic Area (EEA). All physical data is stored inside locked cabinets within the office and all computers and case management systems are password protected as per the Pennysmart Data Protection Policy. We limit access to your personal information to those employees or third parties who have a business need to know. We have procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data retention.

We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it.In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Your rights in relation to your personal information.

You have a number of rights under the Data Protection laws in relation to the way we process your personal data, namely:
1. To access your data.
2. To have your data rectified if it is inaccurate or incomplete.
3. In certain circumstances to have your data deleted or removed.
4. In certain circumstances to restrict the processing of your data.
5. A right of data portability, to obtain and reuse your data for your own purpose across different services.
6. A right to object to direct marketing.
7. Not to be subject to automated decision making (including profiling).
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your data, or request that we transfer a copy of your personal information to another party, please contact the advice team – You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we reserve the right to charge a reasonable fee if your request for access is excessive.

Changes to this Privacy Notice.

We reserve the right to update this privacy notice at any time and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.