Sheffield Mutual Friendly Society (the “Society”) treats the privacy of its members and website users very seriously and we take appropriate measures to safeguard your privacy. This Policy helps to provide information about how we collect, use and store personal data together with details about our obligations under the General Data Protection Regulation (GDPR) which took effect on 25 May 2018, replacing the Data Protection Act 1998. We may update this Policy from time to time.
Our Privacy Promise:
- To safeguard your personal data
- Not to sell your personal data
- To give you real choice and control of how we contact you
How we obtain your personal data
What is personal data?
Personal data is information which is capable of identifying an individual, including, but not limited to, a first and last name, home address, email address, date of birth, National Insurance number, contact telephone number/s, voice recordings, payment details and Direct Debit mandate instructions.
Information provided by you
Much of the personal data we hold will have been provided by you on your paper / online application, web enquiry, when you register or log in or over the telephone. This also includes the contents of any correspondence you may send to us by post or electronically and will be used to manage and administer your policy and registration. We record telephone conversations for training purposes and your protection.
We may obtain "special category" medical information directly from you or your doctor to administer particular policies. The provision of this information is subject to you giving us express consent on your Medical Questionnaire.
Information we get from other sources
We may acquire further information from reputable third party companies who operate in accordance with the GDPR, for example, a credit reference and fraud prevention agency to verify your identity when you apply for a plan. We use Call Credit's online anti-money laundering service, Call ML, to verify the identity of new customers to comply with anti-money laundering legislation.
We may also obtain your personal information from a website landing page that is created to receive traffic from an online ad campaign. We use Unbounce's landing pages. For more information on the types of data Unbounce collect, please visit www.unbounce.com/privacy.
Sheffield Mutual offers a range of products for children but its services and website are designed for use by individuals over the age of 18. If you are aged 16 or under, please obtain your parent's/guardian's permission before you provide us with any personal information.
Accuracy of information
In order to provide the highest level of customer service possible, we need to keep accurate customer information. Should your circumstances, such as your name or address, change, you can help us by informing us of these changes when they occur.
How we use your personal data
The Society needs to keep and process personal data about you to administer your membership, update your plan and payments, verify your identity and to administer your website registration to provide you with a more personalised experience.
Sheffield Mutual is the controller of your personal data for the purposes of the GDPR and the legal basis for holding your details is for the performance of a savings / investment / protection plan and to administer your membership of the Society. If you do not provide this information we may, in some circumstances, be unable to offer our products and services to you.
Information that you provide, or that is obtained by the Society as a result of your use of the website, landing pages or social media account, may be used by us for analysis and to enable us to review, develop and improve the website and the services we offer.
We use up-to-date industry standards to keep your personal data as secure as possible against loss, unauthorised disclosure or access.
- Data Encryption - The website has an enhanced validation SSL certificate to ensure all data that is submitted online is encrypted (put into secret code) during transmission. All data held on the website server is encrypted for additional security.
- Email Security - The Society uses email security software to filter the content of inbound and outbound emails and protect mailboxes from targeted attacks.
- Data Backup - The Society’s main network servers undergo a daily on-line backup to a fully managed service that meets the certification standards of ISO 9001, 27001, BS EN 25999.
- Penetration Testing - The Society carries out annual infrastructure penetration testing.
You may consent to be included in marketing communications and your personal data may subsequently be used for marketing purposes. This consent may be provided on your paper application form, when you apply online, while browsing our website, over the telephone or via the tear off slip in the annual Newsletter.
We may contact you (by post, email, telephone, or text) with other information and about other products and services which we consider may be of interest to you. If you have consented and no longer wish to receive this additional information, you can opt out at any time by phone, email, in writing or online at www.sheffieldmutual.com/subscription-preferences. This will not affect the lawfulness of the processing before your consent was withdrawn.
We will not sell, swap, trade or rent your personal data to any third parties.
We may contact you from time to time with information in connection with your membership of Sheffield Mutual, such as sending you the Notice of Annual General Meeting, annual Newsletter and other service related mailers. Communications of this nature are necessary in order to comply with the Society’s Rules and the performance of a contract and, therefore, we will not ask for your consent.
When the website automatically stores information
In order that we can monitor and improve the website, we may gather certain information about you when you use it, including details about your domain name and IP address (this is your computer’s individual identification number assigned to your computer when connecting to the Internet), operating systems, browser, version and the website that you visited prior to our website. We may do this by way of a cookie as described below.
A cookie is an element of data that a website can send to your browser, which may then store it on your computer’s hard drive. Cookies allow us to understand who has seen which pages and advertisements, to determine how frequently particular pages are visited and to determine the most popular areas of our website.
To obtain further information about cookies (including how to set your browser to reject cookies), you can visit the website www.allaboutcookies.org or view our cookies policy at www.sheffieldmutual.com/cookies.
Google AdWords Remarketing
We (and our digital agency partners) use Google AdWords Remarketing to advertise the Society across the Internet, in particular on the Google Display Network.
AdWords Remarketing will display ads to you based on whether you have visited the Sheffield Mutual website by placing a cookie on your web browser.
This cookie does not in any way identify you or give access to your computer or mobile device. The cookie is used to indicate to other websites that “This person visited our website, so show them our remarketing advert.”
Google AdWords Remarketing allows us to tailor our marketing to better suit your needs and only display ads to those that have visited our website.
If you do not wish to see ads from Sheffield Mutual you can opt out as below:
Analysis of information
The IP addresses and cookies recorded by our server (and those of our partners) may be used:
- To analyse ‘traffic’ information (so we are able to review the interest in the website shown by visitors and their response to our marketing/promotional activity)
- To review the performance of the website on a statistical basis (thereby allowing this to be developed to meet company and customers’ needs)
- To identify unusual activity and transactions (in order to identify possible fraudulent actions).
- To moderate online voting/polls
Submitting information to our website
When accessing this website, you acknowledge and accept that any electronic mail that passes over the internet may not be free from interference by third parties. Whilst we have taken steps to make our website and systems secure and have the highest level of security available, we cannot guarantee the confidentiality or privacy of information over the internet.
You remain responsible at all times for ensuring that viruses do not enter your PC or computer systems and we assume no responsibility in this respect. It is also your responsibility to protect your username and password where you use services on this website requiring you to provide such information and you must not share or disclose your username or password to any other party.
We will keep information about you confidential and will only disclose your information to a third party with your express consent unless one of the circumstances listed below applies. We may disclose information about you to:
- Legal and regulatory bodies, auditors, your financial adviser, credit and fraud prevention agencies and our compliance consultants
- Third party service providers such as our print and mailing agents (GEC Print & Design and PR Fulfilment) and gift card fulfilment partner (Voucher Express) who have signed our Data Sharing Agreement
- Anyone to whom we may transfer our rights and duties under any agreement we have with you such as Worldpay who we use for debit card payments
- Any legal or crime prevention agency and/or regulatory body, upon receipt of a request, if we have a duty to do so or if the law allows us to do so.
Transfer of your data outside of the European Economic Area (EEA)
Your personal data will be transferred outside the EEA if you have agreed to email marketing. We use a third party, MailChimp, for marketing/service emails and have a signed Data Processing Addendum in place. MailChimp also participates in and has certified its compliance to the EU-U.S. Privacy Shield framework, and is committed to treating all personal data received from Sheffield Mutual in accordance with the Privacy Shield framework’s principles. For more information, please visit www.mailchimp.com/legal/privacy.
We do not currently transfer your personal data outside the EEA for any other reason. However, if your information is transferred outside of the EEA or to an international organisation to comply with our legal or contractual requirements in the future, we will ensure that the receiver agrees to provide the same or similar protection as we do and that they only use your personal data in accordance with our instructions.
Our online live facility is provided by Click4Assistance who have certified their compliance with the GDPR. Online chat data is encrypted at rest for your protection. We will use the personal information provided on an online chat to respond to a query or information request as applicable.
How long do we keep this information about you?
Your personal data will be stored for a reasonable period after your plan ends so that we can fulfil our legal and statutory obligations. Your personal data will be stored for as long as is necessary when using our website to ensure our service runs smoothly. This period of time will be reviewed on a regular basis to ensure information we no longer require will be confidentially disposed of.
Your personal data may be stored in paper files and/or electronically using Document Management Software (DMS) provided by Easy Software (UK) Plc in accordance with a service agreement and GDPR compliance statement.
If in the future we intend to process your personal data for a purpose other than that for which it was collected, we will provide you with relevant information.
Subject access requests
Under the GDPR you, the data subject, will have a number of rights with regard to your personal data. You have the right to request access to your personal data and this is known as a ‘subject access request’. We shall respond promptly, and within one month of receiving the request and all the necessary information from you. Our formal response to you shall include details of the personal data we hold about you, including the:
- Source/s from which we acquired the information
- Purposes for processing the information
- Persons or third parties with whom we are sharing the information
Right to rectification
You have the right to have any personal data we hold concerning you rectified if it is inaccurate or incomplete. We will respond within one month of receiving a request for your personal data to be rectified.
Right to erasure
You have the right to request the deletion or removal of your personal data in specific circumstances, subject to legal requirements. We will erase your data without undue delay should we receive a request.
Right to restrict processing
You have the right to restrict/block us from processing your personal data under any of the following circumstances:
- The accuracy of the personal data is contested by you, in which case processing is restricted until we have verified the accuracy of the data
- Where you have objected to the processing of your personal data and we are considering whether the Society’s legitimate interests override the objection to processing
- Where the processing is unlawful and you, the data subject, oppose the erasure of personal data and request the restriction in its use
- We no longer need the personal data for the purposes of processing, but it is required by you to establish, exercise or defend a legal claim
Should we receive a request, we shall inform any recipient of your personal data of the restriction of the processing unless this proves impossible or involves disproportionate effort. We shall also provide you with information about the recipients of your personal data if you request it.
Right to data portability
You have the right to obtain your personal data from us to move, copy or transfer the data to another controller. We shall provide your data in a structured, commonly used and machine readable format in a safe and secure way, without hindrance to usability.
Right to object
You have the right to object to the processing of your personal data on grounds relating to your particular situation if the processing is based on legitimate interests or the performance of a task in the public interest, direct marketing or processing for purposes of scientific/historical research. We shall stop the processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
We do not undertake any processing by automated means. This includes making decisions without any human involvement and evaluating certain things about you, known as ‘profiling’.
This policy was last reviewed on 23 May 2018.
How to contact us
Questions and queries
What to do if you have a complaint?
We will take any concerns you have very seriously, but if you remain dissatisfied you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe that we have not complied with the requirements of the GDPR with regard to your personal data. You can contact the ICO on 01625 545745 or 0303 123 1113 or write to Customer Contact, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.