Privacy Policy

Last updated: September 2023. This web version mirrors our official Privacy Notice; the full Privacy Notice (PDF) is the governing document.

Who we are

Trelawny Co-operative Credit Union Limited (“TCCU”, “we”, “us”, “our”) is committed to protecting your privacy. We process your personal data in compliance with Jamaica’s Data Protection Act (the “JDPA”) and any other data protection laws applicable to us. This policy describes how we collect, use, share and store your personal data when you use our website, access our products and services, or interact with our marketing initiatives.

You are free to explore our website without providing any personal data. We only collect personal data from you when you register, subscribe to a service, or complete a form.

The personal data we collect

To conduct business with you, we may collect a range of personal data directly from members, prospective members, visitors and website users, including:

Valid photo ID (passport, driver’s licence or ID card), birth certificate and mother’s maiden name
Taxpayer Registration Number (TRN) and National Insurance Scheme (NIS) number
Address (and proof of address), email address and contact details
Employment status and details, proof of employment and character references
Financial information and transaction records
Politically Exposed Person (PEP) status, and declaration of US citizenship or tax residency where applicable
Image capture via CCTV or recorded sessions

When you use our website, we may also collect information you submit through forms, social media or events; log data used to operate and secure the site; and analytics data (for example, through Google Analytics) to help us improve the site.

How we collect data

We collect personal data directly from you (for example, when you apply to become a member, open an account or transact at our offices), through your use of our website and social channels, and from third parties such as credit bureaus, references, other financial institutions, regulatory bodies and related entities for regulatory purposes or to better serve you.

Our lawful bases for processing

We rely on one or more of the following bases to process your personal data:

Consent — clear, informed and freely given. You may withdraw consent at any time by the method it was given or by contacting our Data Protection Officer.
Contractual obligation — to enter into or fulfil a contract with you.
Legitimate interest — to provide and market our services, where this does not pose a risk to your rights and freedoms.
Legal obligation — including anti-money-laundering checks, fraud prevention, assessing affordability and suitability of credit, and sharing data with law enforcement and regulators.

How we use your personal data

We use your personal data to provide our products and services; process and confirm transactions; manage your use of our services and respond to enquiries; send alerts, updates, security and administrative communications; verify your identity, creditworthiness and the accuracy of information; prevent fraud, money laundering and other criminal activity; trace debtors and recover debts; and for other purposes about which we notify you.

We may disclose your personal data to third parties you ask or consent us to share with, including our partners, affiliates, service providers and professional advisors, and to regulators to demonstrate compliance with legal obligations. These third parties do not retain, share, use or process your personal data beyond the defined purpose of providing our services to you.

Some of our service providers (for example, website hosting and email) may process data outside Jamaica. Where personal data is transferred across borders, we take steps to ensure it remains protected in line with the JDPA.

How we protect your personal data

We use industry-standard security technologies, procedures and organisational measures to protect your personal data from unauthorised access, use or disclosure. These include vulnerability and malware scanning, scanning to PCI standards, SSL encryption of sensitive information, secured networks with restricted access, and processing card transactions through a gateway provider rather than storing them on our servers. No method of transmission or storage is completely secure, so while we use reasonable efforts to protect your data, we cannot guarantee its absolute security.

How long we keep your data

We retain your personal data only for as long as it is needed to provide our services and to meet legal requirements. We typically retain members’ personal data for a minimum of seven years following the date of transaction or the termination of the customer relationship, and may keep it longer where we cannot delete it for legal, regulatory or technical reasons.

Data breaches

We take data breaches seriously and will endeavour to report any breach to the Information Commissioner within the 72-hour deadline set by the JDPA. Where there is likely to be a high risk to your rights, we will endeavour to contact you without undue delay, explaining the nature of the breach, the measures taken to address it, and the contact details of our Data Protection Officer.

Your rights

Under Jamaica’s Data Protection Act, you have the right to:

Access your personal data and request a copy, or that it be transferred to a third party.
Be informed about automated decision-making and request that such decisions be reconsidered with human involvement.
Prevent processing in a specific manner or for a specific purpose.
Rectification — have inaccuracies amended, blocked, erased or destroyed, and request erasure on expiry of any applicable retention period.

To exercise any of these rights, contact our Data Protection Officer using the details opposite. You also have the right to complain to the Office of the Information Commissioner (oic.gov.jm).

Children’s privacy

Our services are not offered to persons under the age of 18 without parental or guardian consent. If you become aware that a child has provided us with information, please contact our Data Protection Officer and we will delete it.

Changes to this policy

We may revise this Privacy Policy from time to time to keep it in line with the evolving regulatory and security landscape. Changes are effective once uploaded to our website, and the date of the latest modification is noted above. Please review this policy periodically.