This privacy statement provides an overview of the CSA’s commitment to privacy and data protection. It explains important information about our collection and use of your personal data, particularly when using our website.
If we have your personal data as part of a complaint, or because you are involved with one of our training programmes, or because we are contacting you about our work as a trade body, you can find more specific information about our use of your personal data in the applicable privacy notice below:
1. Who are we?
1.1 The CSA group of companies (collectively "the CSA") comprises Credit Services Association Limited and CSA (Services) Ltd.
1.2 Credit Services Association Limited is the only national UK trade association for the debt collection and debt purchase industry. We represent the industry to key stakeholders, including regulatory bodies and government, set out best practice for the industry and provide guidance and support to member companies.
1.3 CSA (Services) Ltd is a wholly-owned subsidiary of Credit Services Association Limited which provides training and development services to both our member and non-member companies in relation to debt collection, debt purchase and associated activities.
1.4 The CSA’s contact details are as follows:
Credit Services Association
2 Esh Plaza
Sir Bobby Robson Way
0191 217 0775
1.5 The CSA does not employ a data protection officer, but you can speak to our Head of Regulatory Compliance & Standards, Claire Aynsley, or our Compliance Manager, Daniel Spenceley, if you have any questions in relation to this notice or concerns about any data protection issues. You will find more details about your data protection rights in Section 9 of this notice.
2. What is personal data?
2.1 Personal data is information about a living person, by which that living person can be identified, either directly (i.e. the information itself identifies the person) or indirectly (i.e. whoever holds the data can identify the person by combining the information with another piece of information to which they have access).
2.2 In addition to ordinary personal data, there are also special categories of personal data, which demand stronger protection measures. These include data relating to a living person’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, membership of a trade union, and genetic or biometric data.
2.3 We will not routinely collect special category data about you. There may be occasions where we ask you for special category data. In such circumstances, we will ask for your consent and we will be clear about precisely what we intend to use the data for.
2.4 When we ask for consent, you have full control over the decision to give or withhold consent; you will continue to have control afterwards too and can withdraw it at any time.
3. What types of personal data does the CSA process and what do they do with it?
3.1 When you contact us - either by completing an enquiry form on our website, or when you correspond with us by e-mail, telephone or in writing - the CSA will collect different types of personal data from you. This may include contact and identification information, such as name, address and e-mail address.
3.2 We will collect information from you about any queries you raise, which may vary from requests for complaint procedure information to enquiries about becoming a member of the CSA. Depending on the nature of your query, we may ask you for more information.
3.3 Our purpose for processing this personal data is primarily to respond to the query.
3.4 Any personal data processed is supplied by the visitor to the website.
3.5 We may also collect information from and about you when you use this website or any other websites we operate or support. In such cases, please refer to the privacy notice contained on such sites.
3.6 When you visit our website we may automatically collect the following information:
- Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
- Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times; download errors; length of visits to certain pages; page interaction information (such as scrolling, clicks and mouse-overs); cookies; and methods used to browse the page.
3.7 We may obtain information about your general internet usage by using cookie files stored on your computer or device (“cookies”). Cookies are text files containing small amounts of information which are downloaded to your computer or device when you visit a website. They help us to improve our site and to deliver a better and more personalised service.
3.9 We use a third party solution to manage our social media interactions. If you send us a private or direct message via social media, the message will be stored by the third party. It will not be shared with any other organisations other than the CSA.
3.10 We use this information to make sure that we are able to deal with any requests or queries and to meet our requirements to members.
3.11 We also use it to ensure that content from our website is presented in the most effective manner for you and your computer or device.
3.13 Users have the right and capacity to access and edit personal data within their profile. When logged into the member’s zone, using the ‘Edit My Profile’ page, you can update / amend the personal data on your profile. You can also edit your communication preferences. Changes you make to your profile will be reflected on the CSA’s CRM system and could therefore affect the member communications you receive from the CSA.
4. What are the legal bases for the CSA’s processing activities?
4.1 When we process personal data, we will always have legal grounds to do so. Data protection law sets out the different legal grounds that allow companies to process personal data, which include:
- in order to perform a contract that we are party to
- in order to carry out legally required duties
- in order for us to carry out our legitimate interests
- to protect your interests
- where something is done in the public interest
4.2 When you contact us – through a form on our website, or through corresponding by e-mail, by telephone or in writing – we will process the information provided on the basis of consent. This means that we’ll need your permission to process personal data.
4.3 When you make contact with us, we will take this as consent to process the personal data that you have provided within your query. It will be processed in accordance with this privacy statement.
4.4 You have the right to withdraw consent at any time – please just contact us to let us know (see 1.4 for our contact information).
5. Who is my data shared with?
5.1 The CSA will not sell, loan or otherwise exchange your details with third party companies for marketing purposes.
5.2 We will only share your information where:
- we need to for the purposes of providing you with products or services you have requested
- we have a public or legal duty to do so e.g. to assist with detecting fraud and tax evasion
- we have a legitimate reason for doing so e.g. to assess your suitability for services
- we have asked you for your permission to share it and you have agreed
5.3 We may occasionally share your data with trusted third parties to help us deliver efficient and quality services. This may include:
- business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you, and to support the delivery of our services, including the provision of the website, storage of personal data and responding to communications
- fraud prevention agencies who will use it to prevent fraud and money laundering
- analytics and search engine providers that assist us in the improvement and optimisation of the website
5.4 Where we share data with third parties or where we use third party systems to store data, we will take necessary precautions to ensure that the third parties have appropriate data protection measures in place.
6. Where is personal data stored?
6.1 The data that we collect from you may be transferred to, and stored at, a destination inside the European Economic Area (“EEA”).
6.2 The CSA, or some of our partners or service providers, may pass information outside of the UK and the European Economic Area (EEA) into jurisdictions where privacy laws, obligations and rights may vary. By submitting your personal data, you agree to this transfer, storing and/or processing.
6.3 For such transfers, we will always ensure that appropriate assurance checks and measures are put in place to protect your privacy.
6.4 This website and the CSA’s customer relationship management (CRM) system is provided by YourMembership.com. Personal data stored on the CRM system is transferred to the United States of America (“US”) which is where YourMembership.com is located. There is an adequacy decision by the European Commission in respect of that country. This means that the US is deemed to provide an adequate level of protection for your personal information.
6.5 To ensure that your personal information does receive an adequate level of protection, we have put in place the following appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection:
- contractual arrangements governing data protection and ensuring the EU-US Privacy Shield framework is incorporated and complied with.
6.6 Information provided to us is also stored on secure servers.
6.7 Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
7. How long is personal data kept for?
7.1 Personal data supplied through our website will be retained in order to respond to the query.
7.2 Unless requested to remove the personal data, it will be retained for the duration of your use of our services and a reasonable period thereafter.
8. Does the CSA make automated decisions about me or profile me?
8.1 The CSA does not make automated decisions, nor do we carry out profiling.
9. What can I do if I want to see the personal data held about me? What are my rights in relation to my personal data?
9.1 Where we process your personal data you have several rights. These rights are qualified by law, which means that they may not apply in all circumstances and there may be some exemptions.
9.2 You have a right of access to the personal data we process. If you wish to exercise this right and see the personal data that the CSA holds, you can make this request by contacting us by e-mail, in writing or on the telephone. Our contact details are noted above in section 1.4.
9.3 Where we process your data on the basis of consent or the performance of a contract, we may be required to provide some of your personal data to you in a portable format, or to another data controller on your behalf. Only data that you have provided to us is subject to this right. If you would like to exercise this right, please contact us by e-mail, in writing or on the telephone.
9.4 You also have other rights including:
- The right to have inaccurate data corrected. If you know or believe that we are processing inaccurate information about you, you have the right to have that corrected.
- The right to object to our processing. This will depend on the circumstances. We may have a valid legal basis to process your data.
- The right to request that we restrict the data we process, or even have it deleted. Again, this will depend on the circumstances – we are not always required to delete your data or restrict our processing, if we can demonstrate we have a valid legal basis for processing it.
9.5 If you want to exercise one of these rights, please contact us on the details noted in 1.4 so that we can act on your request or explain why we will be continuing to process the data we hold.
10. Who can I complain to if I’m unhappy about the use of my personal data?
10.1 If you would like to complain about our data processing, please contact us by e-mail, in writing or by telephone with details of your complaint. Our contact details are in section 1.4 above.
10.2 Data protection is regulated in the UK by the Information Commissioner’s Office. If you want to know more about data protection, or if you want to complain about our processing of personal data, you can contact them at the details below:
Information Commissioner’s Office
0303 123 1113
10.3 You can also report concerns about companies’ use of your personal data to the Information Commissioner’s Office here: https://ico.org.uk/concerns/
11. Changes to this notice
11.1 From time to time, we will review this notice, for example, where there are changes to laws or regulations, or where we make substantial changes to our processes, procedures or systems.
11.2 In such cases, we will update this notice to reflect the relevant changes and we will make reasonable efforts to contact and update those affected if the changes are substantial in nature.