POLICY, FORMS, & DISCLOSURES

GENERAL DATA PROTECTION REGULATION PRIVACY NOTICE

Introduction

This Privacy Policy ("Privacy Policy") is designed to help you understand how Pentagon Federal Credit Union ("PenFed", "we", "us" or "our") collects and processes the information that you share when you use our website located at www.penfed.org, and each of its associated domains (together, the "Sites"), our mobile applications (the "Apps"), and other services of ours that you use when you communicate with us (collectively, the "Services"). This privacy notice is applicable only to individuals located in the European Economic Area ("EEA"). You can view PenFed's general privacy policy by visiting www.penfed.org.

Data Controller

For the purpose of the General Data Protection Regulation, PenFed is a Data Controller, as we determine the means and/or purposes of the processing of Personal Information when performing services. PenFed is located at 7940 Jones Branch Drive, McLean, Virginia 22102, U.S.A.

Personal Information Collected

When you access or use the Services, we may collect Personal Information from you. "Personal Information" refers to any information relating to an identified or identifiable individual who is the subject of the information. Depending on the products or services we provide to you, we may collect the following types of Personal Information about you:

Information You Provide Directly To Us:

We collect any information you voluntarily provide when using our Services, including, for example, your name, address, telephone number, email address, Social Security number, account balances, credit history, payment history, transaction history, overdraft history, as well as any information about you that is associated with or linked to, or could be linked to, any of the foregoing data.

Log Data:

When you use our Services, our servers automatically record information ("Log Data"), including information that your browser sends whenever you visit Sites or that your applications (Apps) send when you're using them. This Log Data may include your Internet Protocol (IP) address, browser type and settings, the date and time of your request, how you used the Services, pixel data, and cookie data.

Cookie Data:

Depending on how you're accessing our products, we may use "cookies" (small text files sent by your computer each time you visit our Sites, unique to your PenFed account or your browser) or similar technologies to record Log Data. We use cookies to make your website experience more efficient and personal. You can delete cookies that have already been sent within your browser settings. If you disable certain cookies or enable your web browser's "Do Not Track" signal or similar mechanism, some of our online features and content may not work properly or be accessible.

Device Information:

In addition to Log Data, we may also collect information about the device you're using to access the Services, including what type of device it is, what operating system you're using, device settings, unique device identifiers and crash data. To learn more about what information your device makes available to us, please also check the policies of your device manufacturer or software provider.

Information From Members:

In some cases, such as when a member designates you as a joint account holder, authorized signatory, beneficiary, guardian, custodian, or agent, we receive your personal information from that member.

Information From Other Sources:

We may also obtain information about you from other sources and combine that information with information we collect from you directly. For example, we collect your Personal Information from international sanctions lists, third-party websites, government authorities, consumer reporting agencies, affiliates, other companies, or business partners for our everyday business purposes such as to verify your identity, comply with legal requirements, combat fraud, process your transactions, maintain your account(s), or determine your eligibility for products or services.

Children's Personal Information

PenFed restricts the personal information it collects about children to the information their parents or guardians provide to open an account in their name or designate them as beneficiaries on an account. We do not market products or services to children. We do not knowingly collect personal information from individuals under the age of 16 on any Sites.

How We Use Personal Information

PenFed uses your Personal Information as necessary (a) in order to perform its obligations under the applicable membership agreements, disclosures, or other documents you agree to; (b) where legally required; and (c) where necessary for the legitimate performance of our business interests provided there is no overriding impact on your interests or rights.

Additionally, PenFed processes your Personal Information for the following purposes:

  • providing you with products and/or services that you have requested and communicating with you about those products and services. This is generally required under the contract we have with you or because it is in our legitimate interest as part of the products and services we provide to you;
  • developing and improving our Services and your experience. It is in our legitimate interest to process your Personal Information for this purpose and we will only process your personal data in accordance with your preferences which can be accessed via your account settings;
  • providing a personalized service. We will generally only do this where it is in our legitimate interest or where you have not objected or withdrawn any prior consent given;
  • communicating with you in ways that you have agreed to receive communications. We do this in connection with our contract with you or because it is in our legitimate interest as part of the products and services we provide to you. You will always be able to unsubscribe from electronic messages;
  • processing and dealing with any complaints or inquiries made by you or legally on your behalf. We do this because it is in our legitimate interest as part of the products and services we provide to you;
  • we may also be required to disclose your Personal Information to authorities who can request this information by law that is binding on PenFed, e.g. for the prevention and detection of crime, the capture or prosecution of offenders and the assessment or collection of taxes. We will disclose such information in order to comply with applicable legal obligations;
  • we may monitor and analyze the use of our products and services for risk assessment and control purposes (including detection, prevention, and investigation of fraud);
  • conducting crime prevention and compliance activities such as audit and reporting, maintenance of accounting and tax records, fraud prevention and anti-money laundering (AML) efforts, and measures relating to sanctions, antiterrorism laws and regulations, and fighting crime. This includes know your client (KYC) screening (which involves identity checks and verifying address and contact details), politically exposed persons screening (which involves screening client records against internal and external databases to establish connections to 'politically exposed persons' (PEPs) as part of client due diligence and onboarding) and sanctions screening (which involves the screening of clients and their representatives against published sanctions lists). We will use and disclose such information only as necessary to comply with legal compliance obligations or fulfill our legitimate interests in preventing fraudulent or criminal activities; and
  • to make automated decisions and profiling to provide more tailored products and services, to provide more consistent and accurate information, to provide you with information more efficiently, to perform our contract with you, and to serve our legitimate interests. For example, we may use automated decisions and profiling to assess your eligibility for membership, products, or services offered at the credit union. We may also use automated decisions and profiling on our Sites to improve our services and your experience. For more information on automated decisions and profiling, including instructions on how to opt-out of such activities, please see the sections in this Privacy Policy regarding automated decisions, profiling, and behavioral advertising.

When and How We Share Information with Others

The Personal Information PenFed collects from you is stored in one or more databases hosted by PenFed or its contracted third parties located in the United States (U.S.). These third parties generally do not use or have access to your personal information for any purpose other than cloud storage, retrieval, or to facilitate a transaction.

We sometimes share the information we collect from and about you with other third parties in accordance with our general privacy policy. Additionally, we share information with public and governmental authorities as required by law or as necessary to investigate illegal conduct or misuse.

Your Personal Information Rights

Right of Access.

You have the right to request access to your Personal Information from PenFed, including, but not limited to, confirmation as to whether PenFed is processing your Personal Information and the following:

  • the purposes of the processing;
  • the categories of Personal Information concerned;
  • the recipients or categories of recipient to whom the Personal Information have been or will be disclosed;
  • where possible, the envisaged period for which the Personal Information will be stored;
  • where the Personal Information has not been collected from you, any available information as to their source;
  • the existence of automated decision-making, including profiling.

Right to Rectification.

You have the right to rectify or correct inaccurate or incomplete Personal Information concerning you, taking into account the purposes of the processing, and the right to have incomplete Personal Information completed.

Right to Erasure.

You have the right to request that we erase your Personal Information where:

  • the Personal Information is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • you withdraw your consent and there are no other legal grounds for the processing;
  • you exercise your right to object (see below) and there are no compelling legitimate grounds for the processing;
  • the Personal Information has been unlawfully processed; or
  • the Personal Information has to be erased for compliance with a legal obligation applicable to us.

Right of Restriction.

Provided PenFed is not required to use your Personal Information to comply with legal or business obligations, you have the right to restrict or limit how we use your Personal Information where:

  • you contest the accuracy of the Personal Information, for a period enabling us to verify the accuracy;
  • the processing is unlawful and you oppose the erasure of the Personal Information and request the restriction of its use instead;
  • we no longer need the Personal Information for the purposes of the processing, but the processing is required for the establishment, exercise or defense of legal claims;
  • you exercise your right to object (see below) pending verification of whether our legitimate grounds override those of yours.

Right to Withdraw Consent.

Should we ask for your consent for the processing of your Personal Information, you have the right to withdraw consent. If you do not provide information that we request, we may not be able to provide (or continue providing) relevant products or services to you or otherwise do business with you.

Right to Object.

You also have the right to object to how we use your Personal Information, provided there are no compelling and overriding legitimate grounds for the use of your Personal Information. You also have a right to object to automated decision-making, including profiling and direct marketing. If PenFed uses automated processing to determine your eligibility for any of its products or services, we will generally give you an opportunity to provide consent, as necessary, or opt-out of such activity. If you consent, you will still retain the right to contest the results of the processing and to have a person review those results.

Right to Lodge a Complaint.

If you are not satisfied with our response, you have the right to complain to or seek advice from an appropriate supervisory authority in the EEA.

If you would like to exercise any of your rights mentioned above, please contact us at the contact information listed in this Privacy Policy. We will consider and process your request within a reasonable period of time. Please be aware that under certain circumstances, the GDPR may limit your exercise of these rights. Further, your exercise of these rights may be subject to PenFed's membership disclosures and agreements and legal or regulatory obligations with which PenFed is required to comply.

Automated Decisions, Profiling and Behavioral Advertising

PenFed may use automated decision-making tools and profiling to serve our legitimate interests, to perform our contract with you, and provide you with products and services in an efficient manner. For example, automated decision-making tools or profiling may be used to assess your eligibility for membership or evaluate your application for credit. If we use your data for automated decision-making or profiling, you will be provided with an opportunity to provide consent, as necessary, or opt-out of such activity. If you do not provide necessary consent or opt-out of these activities, we may not be able to provide or continue providing relevant products and services or otherwise do business with you.

Advertising and Analytics Services Provided by Others

We may use analytics providers to understand how visitors engage with our Sites. Our analytics providers include Google and Quantcast. For additional information on how these providers use your information, please visit Google's privacy policy at https://policies.google.com/privacy and Quantcast's privacy policy at https://www.quantcast.com/privacy/. We may also allow others to provide you with advertisements on our behalf across the Internet and to provide analytics services. These entities may use cookies, web beacons and other technologies to collect information about your use of the Sites and other websites, including your IP address, web browser, pages viewed, time spent on pages, links clicked and conversion information. This information may be used by us to, among other things, analyze and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on the Sites and other websites and better understand your online activity.

Security

The security of your information is important to PenFed. We have implemented commercially reasonable technical, physical and administrative security measures intended to protect your Personal Information from unauthorized access, disclosure, alteration or destruction. Please keep in mind, however, that no data transmitted over the Internet is one hundred percent secure and any information disclosed online can potentially be collected and used by persons other than the intended recipient.

If you would like to learn more about how we protect your Personal Information, please contact us at the information we provide below.

How Long We Keep Your Personal Information

We keep your personal information for as long as is necessary for the purposes of:

  • Maintaining our relationship with you
  • Performing an agreement with you
  • Complying with a legal or regulatory obligation
  • Internal administrative or security needs

International Data Transfers

To better serve you, PenFed or its data processors may require the transfer of your Personal Information across borders as permitted by applicable laws. PenFed has a compelling legitimate interest in the processing and transfer of your Personal Information across borders for internal business purposes including the fulfilment of our contract with you and compliance with applicable U.S. state and federal laws and regulations.

Should you initiate a transaction outside of the U.S. or a transaction that requires the transfer of your Personal Information from a country outside of the U.S., you consent to the transfer of your Personal Information across borders and the processing of your Personal Information as necessary to complete such transactions. You also consent to the storage of your Personal Information on our data servers in the U.S.

As a general matter, PenFed endeavors to employ suitable safeguards to protect the privacy and security of your Personal Information and to use it in a manner consistent with this Privacy Policy.

Exercising Your Rights

If you have questions or complaints about our treatment of your Personal Information, or about our privacy practices in general, please feel free to contact PenFed's Data Protection Officer at privacy@penfed.org or call us toll-free at 1-800-339-9922.