1. Who we are
We are Cornercard UK Ltd. ("Cornèrcard") (Co.# 08542957; ICO Register# ZA052359)
2. What is this notice?
This notice sets out how we process the personal data of individuals who are customers or potential customers of our card services (i.e. prepaid card, charge card and credit card).
- Our prepaid card is a payment card, which allows you to use electronic money ("e-money") to make purchases of goods and services, and to withdraw cash.
- Our credit card is a payment card, which allows you to purchase goods and services, and make cash withdrawals using funds lent by us.
- Our charge card is a payment card, which allows you to purchase goods and services, and make cash withdrawals using funds lent by us - the funds are repaid in full monthly.
3. Contact us
Please direct all questions and requests you have about privacy and data protection to our privacy department below.
Cornèrcard can be contacted by: (i) post - Privacy Department, Cornercard UK Ltd., One Canada Square, Canary Wharf, London E14 5AA, UK; and (ii) email - email@example.com.
We can also be contacted via our web address, www.cornercard.co.uk, using the dedicated customer contact form.
Data Protection Officer
If you are unhappy with the responses of our privacy department you may contact our Data Protection Officer by: (i) post - Data Protection Officer, Cornercard UK Ltd., One Canada Square, Canary Wharf, London E14 5AA, UK; and (ii) email - firstname.lastname@example.org
4. Why we process your personal data
We are an authorised electronic money institution ("EMI") (Financial register# 900186) regulated by the Financial Conduct Authority, and our application to become a lending firm, with the regulated permission to lend consumer credit, is currently pending approval with the Financial Conduct Authority.
The types of processing we do are:
- Processing to verify your identity, including eligibility to receive financial and payment services.
- Personalisation and delivery of physical or virtual cards.
- Processing to enable the issuing, transfer and redemption of electronic money ("e-money"), i.e. the loading, use and the cashing out of e-money on your prepaid cards.
- Processing to enable the granting of and maintenance of a credit facility including the determination of creditworthiness, affordability and the appropriate credit limit.
- Establishment of benefits packages linked to your payment card, where applicable, including but not limited to Concierge Service, Travel Insurance and Airport Lounge Access.
- Processing to facilitate a payment transaction, i.e. using your credit card or the e-money on your prepaid card to buy goods or services, or to withdraw cash.
- Processing to facilitate access to and the services offered on our cardholder account management website.
- Transfer of personal data from and to the UK, including transfers to and from the European Economic Area ("EEA") and Switzerland. Transfer of personal data outside the UK will be to Cornèr Group entities in the EEA and Switzerland acting as outsourcing or sub-contracting providers in order to assist Cornèrcard to provide its services to you.
- Transfer of personal data to and from third parties who perform the processing and provision of benefits listed above on our behalf.
- Processing to comply with regulatory and legal obligations to prevent financial crime, terrorist financing, and money laundering
Our services are:
- The issuing of electronic money.
- The provision of a prepaid card
- The provision of a credit card.
- The provision of a charge card.
- Payment services.
- The provision of our website and app for both customers and visitors.
In order to provide our services to you under a contract between us (or for us to take steps at your request with a view to entering into a contract) we must process your personal data, which is a lawful basis under which to process your personal data.
We will collect personal data from you and third parties, and also create personal data.
Direct marketing and consent
We may process your personal data for the purposes of marketing our services to you. In order to process your personal data for marketing purposes we will obtain your consent to do so in advance, which is a lawful basis under which to process your personal data.If you have consented to our marketing, you have the right to withdraw your consent via our website using the dedicated contact form.
We will not process your personal data for the purposes of marketing the services of third parties.
Categories of personal data
The categories of personal data about you we will process are:
- Full name and personal details including contact information (e.g. home address and address history, email address, home and mobile telephone numbers);
- Date of birth (e.g. to make sure that you are eligible to apply for a product or service and so that we can verify your identity);
- Financial details (e.g. salary, expenditure and details of other income, and bank account details if you apply for a product or service with us or set up a Direct Debit mandate);
- Records of products and services you've obtained or applied for, how you use them and the relevant technology used to access or manage them (e.g. mobile phone location data, IP address, MAC address);
- Information from credit reference or fraud prevention agencies, electoral roll, court records of debt judgements and bankruptcies and other publicly available sources as well as information on any financial associates you may have if you apply for a product or service with us;
- Family, lifestyle or social circumstances if relevant to the product or service you apply for (e.g. the number of dependants you have, information about any vulnerabilities we identify);
- Special Category Data used in the assessment of vulnerability as required by law (e.g. you may disclose to us that you suffer from a hearing or sight impairment, a mental health condition, a learning disability or alcohol or drug dependency);
- Employment details/employment status for credit and fraud prevention purposes if you apply for a product or service with us;
- Personal data about other named individuals as required. Where you provide the personal data of others you must have their authority to provide their personal data to us and share this Privacy Statement and any related data protection statement with them beforehand, together with details of what you've agreed on their behalf; and
- Loyalty programme details including your registration/membership number, number of points earned and transaction and card usage data.
Please note we may require your sensitive personal data (set out above) as part of our regulatory duty to identify and offer appropriate assistance/protection to vulnerable customers.
The personal data collected from you and other sources is contractually necessary in order for us to provide our card services to you, and also to permit us to meet the associated legal/regulatory obligations that arise from the provision of the card services. If you do not provide the personal data that we have requested, we will be unable to offer our card services to you, and this will result in the termination of our contractual relationship.
Lawful basis for processing Personal Data and Special Category Data
Under the Data Protection Act 2018 ("DPA") and UK GDPR (as defined in section 3(10) DPA), we are only permitted to process your personal data if we do so lawfully.
For the provision of our cards (i.e. prepaid cards, charge cards and credit cards):
- we process your Personal Data in order to carry out the performance of our contract (in order to offer our card services to you);
- we process your Personal Data in order for us to comply with our legal/regulatory obligations arising from the law and our status as an authorised person and EMI;
- we process your Special Category Data in order to meet our legal and regulatory obligations under the legal conditions known as Substantial Public Interest;
- we process your Personal Data with your consent, for marketing purposes and for any other purposes declared in this notice which do not qualify under the other processing conditions above; and
- we process your Special Category Data with your consent, for any other purposes declared in this notice which do not qualify under the other processing conditions.
Where we have requested your consent for processing you have the right to withhold that consent, and, where such consent has been already granted, consent can be withdrawn by contacting us. As previously stated, and with the exception of consent to marketing, if you do not consent or withdraw your consent, we will be unable to offer our card services to you, and this will result in the termination of our contractual relationship.
5. Sharing your data
Subject to applicable data protection law, the consents you have provided to us, and the products you hold, we may share your personal data as follows, exclusively for the purposes of providing our services to you.
- Cornèr Banca S.A., Via Canova 16, 6901 Lugano, Switzerland ("Cornèr Banca"), a Cornèr Group company. Cornèr Banca will process your personal data on our behalf as our processor enabling us to process for the reasons sets out in Clause 4. Your personal data will be transferred outside the EEA because Cornèr Banca is in Switzerland. The Information Commissioner's Office ("ICO") has determined that Switzerland has a data protection regime offering an adequate level of data protection pursuant to the decision of the European Commission, a copy of this decision can be found here eur-lex.europa.eu/eli/dec/2000/518/2016-12-17.
- Companies or sub-contractors who help us provide our products and services, such as card personalisation bureau, concierge services, lounge access and insurance claims administration;
- Loyalty Programmes affiliated with your card and providing loyalty services;
- Financial Institutions that have introduced you to us, and that maintain the day-to-day management of your account and its settlement;
- Our legal and other professional advisors, including our auditors;
- Fraud Prevention Agencies
- Fair Processing Notice: The personal information we have collected from you will be shared with fraud prevention agencies ("FPAs") who will use it to prevent fraud and money-laundering, and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at www.cifas.org.uk/fpn.
- Credit Reference Agencies
- In order to process your application, determine your creditworthiness and the affordability of the credit provided to you, we will perform credit and identity checks on you with one or more Credit Reference Agencies ("CRAs"). To do this, we will supply your personal information to CRAs. This will include your name, date of birth and residential address. It may also include additional information such as your salary, previous residential addresses and other information you provide as part of your credit application.
- We may also carry out further periodic searches at CRAs to allow us to manage your account with us. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
- We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full or on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
- When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
- If you are making a joint application, or tell us that you have a spouse of a financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as your partner successfully files for a disassociation with the CRAs to break the link.
- The identities of the CRAs, their role also as FPAs, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail at www.equifax.co.uk/crain.
- Debt Collection Agencies
- The Financial Services Ombudsman;
- Payment schemes (e.g. Visa or Mastercard) and their associated networks; and
- Anyone else where we have your consent or as required by law.
6. Storage of your data
We will not store your personal data any longer than we need to. We will store your personal data for the duration of your contractual relationship with us and for a further period of six years beginning when that relationship ends. We will, retain the personal information so that:
- We can allow you to redeem any e-money that you have not spent on your prepaid card (for prepaid cards only).
- We can provide you with the necessary information if you wish to make a query or bring a legal claim against us regarding our services.
- We adhere to legal and regulatory requirements regarding the storage of personal data.
7. Your data rights
You have the following data rights:
- The right of access
- The right to rectification (correction)
- The right to erasure (i.e. the right to be forgotten)
- The right to restriction of processing
- The right to data portability
- The right to object
In order to process your request to exercise your data rights you may be required to provide us with such information or documents we request in order to verify your identify before we can process your access request. Your request will be deemed to be received on the date we verify your identity.
We will respond to requests within one month of receipt of your request. If your requests are complex or numerous, we will inform you within the initial one-month response period that we will require a further two months in which to respond, i.e. we will respond within three months of receipt of your request.
You may request to exercise your data rights by email, using the dedicated contact form on our website, or by post. Where you make a request electronically we will respond electronically by email.
Right of access
You may request the following information:
- confirmation that your personal data is being processed;
- a copy of the personal data held about you excluding any personal data that we are prohibited from providing such as data that would adversely affect the rights or freedoms of others; and
- a copy of this privacy notice.
This information will be provided free of charge except where:
- the request is manifestly unfounded or excessive, particularly if it is repetitive;
- the request is for further copies of the same information.
In these cases we will charge a fee of £10 which will cover our administrative cost for providing you with the information.
Please note that if we find your access request to be manifestly unfounded or excessive, we may refuse to provide the requested information. In this case we will inform you why we are not providing you with the information set out above, that you have the right to complain to our supervisory authority for data protection purposes, the ICO, and that you have a right to file a case with the courts.
Right to rectification (correction)
You have the right to have any personal data corrected if it is inaccurate or incomplete. We will require you to provide documents or information to demonstrate that the personal data is inaccurate or incomplete.
If we have disclosed such personal data to third parties, we will contact each third party and inform them of the correction unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.
If we refuse to comply with your request, we will inform you why we are not making the corrections, that you have the right to complain to the ICO and that you have a right to file a case with the courts.
Right to erasure
The right to erasure only applies when:
- the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
- you withdraw consent for the processing of personal data where consent is the sole legal basis of the processing;
- you object to the processing and there is no overriding legitimate interest for continuing the processing;
- the personal data is being unlawfully processed;
- the personal data has to be erased in order to comply with a legal obligation.
We may refuse to erase the personal data if the following conditions apply:
- the personal data is processed to comply with a legal obligation for the performance of a public interest task or exercise of official authority; or
- the personal data is processed for the exercise or defence of legal claims.
If we have disclosed personal data that is to be erased to third parties, we will contact each third party and inform them of the erasure unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.
Right to restriction of processing
We will restrict the processing of personal data in the following circumstances:
- Where you contest the accuracy of the personal data, we will restrict the processing until we have verified the accuracy of the personal data.
- Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override your interest, rights and freedoms.
- When processing is unlawful and you oppose erasure and request restriction instead.
- If we no longer need the personal data but you require the data to establish, exercise or defend a legal claim.
If we have disclosed personal data that is to be subject to restriction to third parties, we will contact each third party and inform them of the restriction unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.
We will inform you if we decide to lift the restriction on processing.
Right to data portability
The right to data portability only applies:
- to personal data that you have provided to us;
- where the processing is based on your consent or for the performance of a contract; and
- when the processing is carried out by automated means.
We will provide you with this personal data in form of a .CSV file or another file format that is agreed upon in advance and presents the personal data in a structured, commonly used and machine readable form.
We will provide this information free of charge. If you so request, we transmit the information directly to another data controller if this is technically feasible.
If we refuse to comply with your request, we will inform you why we are not providing the information, that you have the right to complain to the ICO and that you have a right to file a case with the courts.
Right to object
You have the right to object to our processing of your personal data based on our legitimate interests on grounds relating to your particular situation except:
- where we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
- the processing is for the establishment, exercise or defence of legal claims.
You have the right to object to our processing of your personal data for direct marketing purposes.
We will comply with your objections unless an exception applies.
8. Complaining to the ICO
You have the right to contact the ICO to complain about our processing of personal data.
The ICO can be contacted by: (i) live chat (Monday to Friday, 9am to 5pm) - ico.org.uk/global/contact-us/live-chat; (ii) email - email@example.com; (iii) web form - ico.org.uk/global/contact-us/email/; (iv) phone - 0303 123 1113 (calls from within the UK) or +44 1625 545 700 (calls from outside the UK) and (v) post - Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK.
9. Sources of personal data
Subject to applicable data protection law, the consents you have provided to us, and the products you hold, we may collect personal data from the following sources:
- CRAs and FPAs - Equifax and CIFAS;
- Third party databases for identification/know your customer ("KYC") purposes;
- Your Loyalty Scheme provider;
- Your Financial Institution.
10. Automated processing
If you apply to us for a product or service, we may use an automated decision-making process which will carry out anti-fraud, counter terrorist financing, anti-money laundering, credit and affordability assessment checks to decide whether we will accept your application. The automated processes may decline or refer your application. If your application is referred, this means we will manually review your application before making a final decision. This decision will be based on the information collected from the sources listed in Clause 9.
You may challenge our decision by contacting us and asking us to reconsider your application using a manual process involving an individual to make the decision.
11. Consequences of processing
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.
Cornèrcard is part of Cornèr Group