European Union Privacy Notice
Introduction: Who is Andrews Federal Credit Union?
Andrews Federal Credit Union (“Andrews Federal”, “the “Credit Union,” “We,” “Us,” “Our”) is a federally chartered credit union headquartered in Suitland, Maryland USA. Andrews Federal Credit Union was founded in 1948 for the purpose of helping people improve the quality of their financial lives. Our Credit Union membership includes Washington, DC, Maryland, Virginia, New Jersey, Joint Base Andrews, Joint Base McGuire/Dix/Lakehurst, and military installations in central Germany, Belgium, and The Netherlands; as well as Select Employee Groups throughout Maryland, Virginia, Washington, D.C. and New Jersey.
Andrews Federal provides a full range of financial products to over 120,000 members worldwide with a passion for service, safety, and soundness. We understand that the privacy of your personal information and data is very important to you, and the Credit Union is fully committed to protecting and using the personal data of its members and all individuals lawfully, fairly, and transparently.
In addition to complying with United States federal and state privacy and data protection laws, the Credit Union intends to comply with the European Union’s General Data Protection Regulation (“GDPR”), to the extent applicable to our members currently living in a European Union (“EU”) country, as soon as feasible, and where those obligations do not conflict with United States (“US”) law and regulations with which the Credit Union must comply.
This European Union Privacy Notice applies to any information relating to an identified or identifiable person in the European Union (generally someone living in the European Union) in the Credit Union’s capacity as either controller or processor of that personal information. The Credit Union does not apply GDPR protections and standards to the information of individuals not living in the European Union.
For the purposes of this European Union Privacy Notice, the following definitions apply:
“Personal Data” means any information relating to an identified or identifiable individual potential member, member, former member, joint account holder, beneficiary, employees, and in limited circumstances non-members. Personal Data includes but is not limited to your name, address, identification number such as Social Security Number, and account number.
“Process, “Processing,” or “Processed” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or making available, alignment or combination, restriction, erasure, or destruction.
This European Union Privacy Notice generally describes Andrews Federal’s policies and practices regarding its collection and use of your Personal Data, and summarizes your privacy rights under the GDPR. Because the GDPR is very lengthy and complex, this European Union Privacy Notice does not detail all GDPR privacy rights or the limits to those rights.
Data Protection Officer
Andrews Federal Credit Union has appointed an internal data protection officer to act as the Credit Union’s data protection officer, who you may contact if you have any questions or concerns about the Andrews Federal’s personal data policies or practices, or its compliance with the GDPR. The following is the contact information for the Data Protection Officer:Andrews Federal Credit Union Data Protection Officer 5711 Allentown Road Suitland, MD 20746 GDPR@andrewsfcu.org +1 301-702-5500
Legal Basis for Processing Personal Data
Andrews Federal Credit Union uses your Personal Data where we have a lawful basis to use it. We process your Personal Data only to provide financial products and services the Credit Union has contractually agreed to provide you, where necessary with your consent, or to comply with laws.
Information We Collect from You and How We Use It
The table below provides some examples of the information we may collect about you and how we would use it. This table is only meant to provide you with some examples of data collection and processing, and is not intended to be a complete list. If you have questions about your data that is not addressed in this table, please contact us.
Collection and Processing of Personal Data
Andrews Federal collects and processes Personal Data only to market and provide financial products and services to individuals, including but not limited to opening and maintaining deposit accounts, making personal loans, and providing payment services.
The Credit Union’s Personal Data subject to the GDPR is:
- Processed lawfully, fairly, and transparently;
- Collected for specified, explicit and legitimate purposes, and not further Processed in a manner incompatible with those purposes;
- Adequate, relevant and limited to what is necessary for the purposes for which they are Processed;
- Accurate, and where necessary, kept up to date;
- As soon as feasible, kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are Processed; and,
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical security measures.
Andrews Federal Credit Union also minimizes the risk to your rights and freedoms by not collecting or storing sensitive personal information about you, such as racial or ethnic origin, political opinions, or religious beliefs.
Automated Decision Making
The Credit Union does use some automated decision making tools when opening accounts or reviewing a loan application; the data input to these tools is collected from the membership or loan application that you complete. All automated decisions are subject to a final manual review by a qualified employee of the Credit Union. If you have questions about your membership or loan application and how automated decision making may have been used, please contact us.
Transferring Personal Data from the EU to the US
Andrews Federal Credit Union is headquartered in the United States, and the Personal Data we collect from you may be Processed in the United States. The United States has not received a finding of information security “adequacy” from the European Union under Article 45 of the GDPR. Therefore, the Credit Union relies on the specific grounds in GDPR Article 49 to transfer your Personal Data from the European Union to the United States. In particular, the Credit Union transfers Personal Data collected in the European Union to its Suitland, Maryland, headquarters for Processing only to provide financial products and services the Credit Union has contractually agreed to provide to you, where necessary with your consent, or to comply with laws.
Andrews Federal applies appropriate safeguards to protect the privacy and security of your Personal Data while in transit to the United States.
Disclosure of Personal Data to Third Parties
Andrews Federal Credit Union discloses Personal Data to independent third parties only for the Credit Union’s everyday business purposes to serve you, including but not limited to account opening and maintenance, transaction processing, loan origination and processing, payment processing, credit bureau reporting, responding to court orders or valid subpoenas or other information requests, and to market the Credit Union’s products and services to you. For example, to process your debit or credit card transactions, the Credit Union must share your Personal Data with various payment network providers. Andrews Federal Credit Union never sells your Personal Data to third parties.
Data Subject Rights
Under the GDPR, you have the following rights regarding your Personal Data:
To confirm that the Credit Union is Processing your Personal Data;
To access your Personal Data;
To request correction of inaccurate Personal Data or to have incomplete Personal Data completed;
To require the erasure of your Personal Data, subject to US federal and state record retention laws and regulations, which may require data retention for a specified time;
To block or restrict the Processing of your Personal Data;
To receive your Personal Data in a format which may be transferred to another company;
To object to a decision based solely on automated Processing or your Personal Data, including profiling, unless necessary for entering into, or performing, a contract between you and the Credit Union; and,
To file a complaint with your local European Union state data protection authority.
Personal Data of Children
Andrews Federal Credit Union requires the written consent of a parent or guardian in order to establish any membership for a child under the age of 18; the Processing of that child’s Personal Data is subject to that parent or guardian’s consent as joint account holder. For any individuals accessing the Credit Union’s website, Andrews Federal complies with US laws such as the Children’s Online Privacy Protection Act (COPPA). The Credit Union does not collect or Process any personally identifiable information from or about any child using our website.
Security of Your Information
Andrews Federal Credit Union has implemented appropriate technical and organizational measures to ensure a level of security that appropriately manages the risks of compromise or exposure of our data. We also continually invest in testing and updating our security technology and procedures.
Andrews Federal takes the security of your data very seriously, and has enacted policies and procedures that ensure each Credit Union employee is responsible for protecting the confidentiality of all personal and proprietary data. Such policies also include applicable disciplinary measures that, when applied appropriately, reinforce employees’ privacy responsibilities. Employees are trained regularly on the importance of maintaining the privacy and security of your Personal Data. We engage in regular testing of employees to ensure they are vigilant and aware of potential attempts to compromise our data.
Andrews Federal’s information security policies, processes or technology do not guarantee absolute security of your Personal Data. You should take all normal personal information security steps to protect your Personal Data such as using and not sharing your secure passwords, closing browsers after use, and not using insecure public networks.
Data Storage and Retention
Andrews Federal Credit Union retains your Personal Data and account documents only for as long as it is required to do so under United States federal and state law applicable to the Credit Union.
Changes and Updates to the Privacy Notice
Andrews Federal Credit Union and its membership, products and services change from time to time, and information security threats and security technologies also constantly evolve. Accordingly, we reserve the right to amend this European Union Privacy Notice at any time, for any reason, without notice to you, other than the posting of the amended European Union Privacy Notice on our website. You should check our website frequently to see the current European Union Privacy Notice that is in effect and any changes we may have made to it.
Questions, Concerns or Complaints
If you have any questions, concerns, or complaints about your Personal Data and Andrews Federal Credit Union, or this European Union Privacy Notice, please contact Andrew’s Data Protection Officer.