Last updated 19th April 2022
The protection of your personal data is important to us at BNP Paribas Group. We’ve improved our Data Protection Notice to be more transparent about how we:
Introduction
We take the protection of your personal data very seriously; the BNP Paribas Group which includes Creation Financial Services Limited and Creation Consumer Finance Limited have adopted strong principles to its Personal Data Protection Charter. To access the BNP Paribas Personal Data Privacy Charter please click here.
In this notice you’ll find information on how your personal data is protected by Creation Financial Services Limited, Chadwick House, Blenheim Court, Solihull, West Midlands, B91 2AA and Creation Consumer Finance Limited, 4th – 6th floor Wellington Buildings, 2-4 Wellington Street, Belfast, BT1 6HT (‘we’ or ‘us’ or ‘our’ or ‘Creation’).
We are responsible, as a controller, for collecting and processing your personal data in relation to our activities.
Our aim is to help all of our customers – individuals, entrepreneurs, small and medium-sized enterprises, large companies and institutional investors – in their day-to-day banking activities and in achieving their projects thanks to our financing, investment, savings and insurance solutions.
As a member of an integrated banking-insurance Group in collaboration with various businesses within the Group, we provide a complete range of banking, insurance and leasing products and services.
The purpose of this Data Protection Notice is to explain how we process your personal data and how you can control and manage it. Further information may be provided where necessary at the time of collection of your personal data.
This Data Protection Notice applies to you if you are ("You"):
When you provide us with personal data related to other people, please make sure you inform them about their personal data that you have shared and invite them to read this Data Protection Notice. We’ll ensure we will do the same whenever possible (e.g. when we have the person's contact details).
You have rights which allow you to exercise real control over your personal data and how we process it.
If you wish to exercise the rights listed below, or you have questions relating to how we use your personal data under this Notice, you can request this by:
You can request access to your personal data
If you’d like access to your personal data, we’ll provide you with a copy of the personal data you requested as well as information relating to their processing. Contact us:
Note: You can directly access some data from your customer account through the My Account online service
Please include your telephone number and if applicable your Account/Agreement number (on your statement) on any correspondence and we’ll contact you by phone to verify your identify and go through the details of your request. For further information on accessing your personal data, please go to www.creation.co.uk/data-subject-rights-request.
Your right of access may be limited in some cases by laws and regulations. This is the case with regulation relating to anti-money laundering and countering the financing of terrorism, which prohibits us from giving you direct access to your personal data processed for this purpose.
You can ask for the correction of your personal data
Where you consider that your personal data is inaccurate or incomplete, you can request that personal data be modified or completed accordingly. In some cases, we may need supporting documentation.
2.1 You can request the deletion of your personal data
If you wish, you can request the deletion of your personal data, to the extent permitted by law.
2.2 You can object to the processing of your personal data based on legitimate interests
If you don’t agree with a processing activity based on a legitimate interest, you can object to it, on grounds relating to your particular situation, by informing us precisely of the processing activity involved and the reasons for your objection. We’ll stop processing your personal data unless there are compelling legitimate grounds for doing so, or it is necessary for the establishment, exercise or defence of legal claims.
2.3 You can object to the processing of your personal data for commercial prospecting purposes
You have the right to object at any time to the processing of your personal data for the purpose of commercial prospecting, including profiling, insofar as it is linked to that prospecting.
2.4 You can suspend the use of your personal data
If you question the accuracy of the personal data we use or object to the processing of your personal data, we’ll verify or review your request. You may request that we suspend the use of your personal data while we review that request.
2.5 You have rights against an automated decision
As a matter of principle, you have the right not to be subject to a decision based solely on automated processing based on profiling or otherwise that has a legal effect or significantly affects you. However, we may automate such a decision if it is necessary for the entering into or performance of a contract with us, authorised by regulation or if you have given your consent.
In any event, you have the right to challenge the decision, express your views and request the intervention of a competent person to review the decision.
2.6 You can withdraw your consent
If you have given your consent to the processing of your personal data, you can withdraw this consent at any time.
2.7 You can request the portability of part of your personal data
You can request a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we transmit this copy to a third party.
2.8 How to file a complaint with us or the relevant supervisory authority
Our customers really matter to us and we’re committed to providing you with a great customer experience. If issues do arise, our aim is to resolve them as quickly as possible and make sure you are satisfied with the outcome. To make a complaint please contact: Customer Enquiries by calling 0371 402 8910
If for some reason we’ve not been able to resolve your complaint within eight weeks of receipt, or if you are not satisfied with our final response, UK customers can contact the Information Commissioner UK:
Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Telephone: 01625 545745
Fax: 01625 524510
If for some reason we’ve not been able to resolve your complaint within eight weeks of receipt, or if you are not satisfied with our final response, ROI customers can contact our representative at:
For the Attention of:
Chief Risk Officer, GREENVAL INSURANCE DAC, 10 -11 Trinity Point, Leinster Street South, Dublin 2, D02 EF85 or email privacy@greenval-insurance.ie
or, alternatively you can contact the Data Protection Commission: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland or by webform: https://forms.dataprotection.ie/contact
In this section we explain why we process your personal data and the legal basis for doing so.
3.1 Your personal data is processed to comply with our various legal and regulatory obligations
Your personal data is processed where necessary to enable us to comply with the regulations to which we are subject, including banking and financial regulations.
3.1.1. We use your personal data to:
3.1.2 We also process your personal data for anti-money laundering and countering of the financing of terrorism purposes
As part of a banking Group, we must have a robust system of anti-money laundering and countering of terrorism financing (AML/TF) in each of our entities managed centrally, as well as a system for applying local, European and international sanctions.
In this context, we are joint controllers with BNP Paribas SA, the parent company of the BNP Paribas Group (the term "We" in this section also includes BNP Paribas SA).
The processing activities performed to meet these legal obligations are:
The processing activities performed to meet these legal obligations are detailed in the Appendix.
3.2 Your personal data is processed to perform a contract to which you are a party or pre-contractual measures taken at your request
Your personal data is processed when it is necessary to enter into or perform a contract to:
3.3 Your personal data is processed to fulfil our legitimate interest or that of a third party
Where we base a processing activity on legitimate interest, we balance that interest against your interests or fundamental rights and freedoms to ensure that there is a fair balance between them. If you’d like more information about the legitimate interest pursued by a processing activity, please contact us using the contact details provided in section 2 above.
3.3.1 In the course of our business as a finance company we use your personal data to:
3.3.2 We use your personal data to send you commercial offers by electronic means, post and phone
We may use your personal information to tell you about relevant products and offers (Marketing). We’ll only use your personal information for marketing if we have either your consent (see section 3.4 below) or a ‘legitimate interest’. Legitimate interest is where we’ve identified from a balancing test that there is a benefit in the information we provide to you as a customer. The balancing test undertaken for our marketing data processes is to ensure our marketing activities have fair and appropriate balance and that the processing does not override your interests and your rights.
As part of the BNP Paribas Group, we want to be able to offer you access to the full range of products and services that best meet your needs.
Once you are a customer and unless you object, we may send you these offers electronically for our products and services and those of the Group if they are similar to those you have already subscribed to.
We’ll make sure these commercial offers relate to products or services that are relevant to your needs and complementary to those you already have to ensure that our respective interests are balanced.
We may also send you, by phone and post, unless you object, offers on our products and services as well as those of the Group and our trusted partners.
3.3.3 We analyse your personal data to perform standard profiling to personalise our products and offers
To enhance your experience and satisfaction, we need to determine to which customer group you belong. For this purpose, we build a standard profile from relevant data that we select from the following information:
- what you have directly communicated to us during our interactions with you, or when you subscribe to a product or service
- resulting from your use of our products or services such as those related to your accounts including the balance of the accounts, regular or atypical movements, the use of your card abroad as well as the automatic categorisation of your transaction data (e.g., the distribution of your expenses and your receipts by category as is visible in your customer area)
- from your use of our various channels: websites and applications (e.g., if you are digitally savvy, if you prefer a customer journey to subscribe to a product, or service with more autonomy (selfcare)
3.4 Your personal data is processed if you have given your consent
For some types of processing of your personal data, we’ll give you specific information and ask for your consent. Of course, you can withdraw your consent at any time.
In particular, we ask for your consent for:
We may ask you to confirm or update your marketing preferences if you take out any new products or services with us in future.
You may be asked for further consent to process your personal data where necessary.
We collect and use your personal data: personal data being any information that can be used to identify you.
We collect various types of personal data about you, depending on the types of products and services we provide to you or from our interactions with you, including:
We collect personal data directly from you through our financial relationship with you, for example through the application process for our products and services. Note: this may include data provided by a Retailer/Partner with whom we provide products and services for example where we are providing a card and/or loan to you in association with a retailer/partner
We may also collect personal data from other sources.
We sometimes collect data from public sources:
We also collect personal data from third parties:
In certain circumstances, we may collect and use personal data of individuals with whom we have, could have, or used to have a direct relationship with such as prospective customers.
a) With BNP Paribas Group's businesses
As a member of the BNP Paribas Group, we work closely with the Group's other companies worldwide. Your personal data may therefore be shared between BNP Paribas Group entities, where necessary, to:
Our financing and refinancing also constitute a legitimate interest implying your personal data may be shared with entities of the BNP Paribas Group which are providing our refinancing.
b) With recipients outside the BNP Paribas Group and processors
In order to fulfil some of the purposes described in this Data Protection Notice, we may, where necessary, share your personal data with:
Sharing your data with Fraud Prevention and Credit Reference Agencies
Before we provide services, goods or financing to you and during the course of your relationship with us, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.
The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
Examples of the personal information that will be processed are:
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
As part of the processing of your personal data, we use various profiling techniques to assist us with running our business. By “profiling” we mean the automated analysis of personal data about an individual to evaluate certain things about that individual – basically drawing conclusions about an individual based on a statistical model. We may use these techniques in the course of evaluating applications for cards and/or loans for affordability and suitability, undertaking credit limit increase eligibility checks, to manage your account, and for marketing and targeted advertising purposes. We may also automatically decide that you pose a fraud or money laundering risk or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity. You have rights in relation to profiling / automated decision making: if you want to know more please see the following section on ‘How to update your information’.
Consequences of Processing
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us by email at customerenquiries@creation.co.uk or write to us at Creation, Chadwick House, Blenheim Court, Solihull, B91 2AA.
In order to process your application we supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial situation and financial history. We do this to assess affordability, creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent fraud and criminal activity. We may also search the files of the Land Registry.
We will continue to exchange information about you with CRAs while you have a relationship with us, including about your settled accounts and any debts not fully repaid on time. Where you have a running account credit with us we may also make further periodic checks with CRAs to manage your account. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. The CRAs will have to place a search footprint on your credit file when we make a search and this may be seen by other lenders.
Where an application for credit has been unsuccessful, we may retain the personal information that we need in order to aid our individual statistical models and credit scoring models. This may include further processing of your data with the CRAs solely for this purpose. We rely on the legal basis that it is our legitimate interest to do this. This potential processing should not affect your ability to obtain credit in future nor should it leave any further footprint with the CRAs. Should you wish to object to this particular processing of your data please forward your objection to www.creation.co.uk/data-subject-rights-request
The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail within the links detailed below:
Trans Union (formally Call Credit): www.transunion.co.uk/crain
Equifax: www.equifax.co.uk/crain
Experian: www.experian.co.uk/crain
In the circumstance where you are based in the Republic of Ireland (ROI) and you have applied for credit through your application process, your data will be shared with the Central Credit Register. Further information on the CCR is available by accessing the link below:
Central Credit Register: https://www.centralcreditregister.ie/borrower-area/data-protection-statement/
Note: Until 26 September 2021 data on ROI applications was shared with the Irish Credit Bureau (ICB) which ceased to exist on 1 October 2021 and has deleted all its records shortly thereafter that date.
Countries within the European Economic Area (EEA) including the ROI, have similar standards of legal protection for your personal information. We may run your accounts and provide services from centres outside of the UK (such as France) or through Group entities and partners outside the EEA (such as USA or India). For countries outside of the UK and/or EEA who have adequate levels of data protection, your personal data will be transferred on this basis.
For transfers to non-EEA countries where the level of protection has not been recognised as adequate by the UK or the European Commission, we will either rely on a derogation applicable to the specific situation (e.g., if the transfer is necessary to perform our contract with you, such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:
Whenever fraud prevention agencies transfer your personal data outside of the UK, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the UK. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
We will only keep your information for as long as we need to and where we have a legitimate reason to do so for example account maintenance or responding to customer queries. On account closure or after an unsuccessful credit application your data may be held for up to six years. There may be instances where we are asked to retain information for longer due to legal or regulatory reporting requirements.
Your personal data is held in secure databases to protect it from theft or being altered. All access to these databases are controlled and monitored to ensure only authorised personnel have access to your data. When your data is sent to a third party that you have agreed to, the data is also sent in an encrypted format and the third party will use the same levels of encryption and security that we use. Our data processing estate is continually monitored and updated to ensure the level of security meets best industry practice and is in accordance with all the laws, regulations and standards required to protect your personal data.
In a world where technologies are constantly evolving, we regularly review this Data Protection Notice and update it as required.
We invite you to review the latest version of this document online, and we will inform you of any significant amendments through our website or through our standard communication channels.
Processing of personal data to combat money laundering and the financing of terrorism
We are part of a banking Group that must adopt and maintain a robust anti-money laundering and countering the financing of terrorism (AML/CFT) programme for all its entities managed at central level, an anti-corruption program, as well as a mechanism to ensure compliance with international Sanctions (i.e., any economic or trade sanctions, including associated laws, regulations, restrictive measures, embargoes, and asset freezing measures that are enacted, administered, imposed, or enforced by the French Republic, the European Union, the U.S. Department of the Treasury’s Office of Foreign Assets Control, and any competent authority in territories where BNP Paribas Group is established).
In this context, we act as joint controllers together with BNP Paribas SA, the parent company of the BNP Paribas Group (the term “we” used in this appendix therefore also covers BNP Paribas SA).
To comply with AML/CFT obligations and with international Sanctions, we carry out the processing operations listed hereinafter to comply with our legal obligations:
In this context, we make use of:
We carry out these checks when you enter into a relationship with us, but also throughout the relationship we have with you, both on yourself and on the transactions you carry out. At the end of the relationship and if you have been the subject of an alert, this information will be stored in order to identify you and to adapt our controls if you enter into a new relationship with a BNP Paribas Group entity, or in the context of a transaction to which you are a party.
In order to comply with our legal obligations, we exchange information collected for AML/CFT, anti-corruption or international Sanctions purposes between BNP Paribas Group entities. When your data are exchanged with countries outside the European Economic Area that do not provide an adequate level of protection, the transfers are governed by the European Commission’s standard contractual clauses. When additional data are collected and exchanged in order to comply with the regulations of non-EU countries, this processing is necessary for our legitimate interest, which is to enable the BNP Paribas Group and its entities to comply with their legal obligations and to avoid local penalties.