For the purpose of the General Data Protection Regulation, PenFed is a Data Controller, as we determine the means and/or purposes of the processing of Personal Information when performing services. PenFed is located at 7940 Jones Branch Drive, McLean, Virginia 22102, U.S.A.
Personal Information Collected
When you access or use the Services, we may collect Personal Information from you. "Personal Information" refers to any information relating to an identified or identifiable individual who is the subject of the information. Depending on the products or services we provide to you, we may collect the following types of Personal Information about you:
Information You Provide Directly To Us:
We collect any information you voluntarily provide when using our Services, including, for example, your name, address, telephone number, email address, Social Security number, account balances, credit history, payment history, transaction history, overdraft history, as well as any information about you that is associated with or linked to, or could be linked to, any of the foregoing data.
When you use our Services, our servers automatically record information ("Log Data"), including information that your browser sends whenever you visit Sites or that your applications (Apps) send when you're using it. This Log Data may include your Internet Protocol (IP) address, browser type and settings, the date and time of your request, how you used the Services, and pixel data, and cookie data.
In addition to Log Data, we may also collect information about the device you're using to access the Services, including what type of device it is, what operating system you're using, device settings, unique device identifiers and crash data. To learn more about what information your device makes available to us, please also check the policies of your device manufacturer or software provider.
Information From Members:
In some cases, such as when a member designates you as a joint account holder, authorized signatory, beneficiary, guardian, custodian, or agent, we receive your personal information from that member.
Information From Other Sources:
We may also obtain information about you from other sources and combine that information with information we collect from you directly. For example, we collect your Personal Information from international sanctions lists, third-party websites, government authorities, consumer reporting agencies, affiliates, other companies, or business partners for our everyday business purposes such as to verify your identity, comply with legal requirements, combat fraud, process your transactions, maintain your account(s), or determine your eligibility for products or services.
Children's Personal Information
PenFed restricts the personal information it collects about children to the information their parents or guardians provide to open an account in their name or designate them as beneficiaries on an account. We do not market products or services to children. We do not knowingly collect personal information from individuals under the age of 16 on any Sites.
How We Use Personal Information
PenFed uses your Personal Information as necessary (a) in order to perform its obligations under the applicable membership agreements, disclosures, or other documents you agree to; (b) where legally required; and (c) where necessary for the legitimate performance of our business interests provided there is no overriding impact on your interests or rights.
Additionally, PenFed processes your Personal Information for the following purposes:
- providing you with products and/or services that you have requested and communicating with you about those products and services. This is generally required under the contract we have with you or because it is in our legitimate interest as part of the products and services we provide to you;
- developing and improving our Services and your experience. It is in our legitimate interest to process your Personal Information for this purpose and we will only process your personal data in accordance with your preferences which can be accessed via your account settings;
- providing a personalized service. We will generally only do this where it is in our legitimate interest or where you have not objected or withdrawn any prior consent given;
- communicate with you in ways that you have agreed to receive communications. We do this in connection with our contract with you or because it is in our legitimate interest as part of the products and services we provide to you. You will always be able to unsubscribe from electronic messages;
- processing and dealing with any complaints or inquiries made by you or legally on your behalf. We do this because it is in our legitimate interest as part of the products and services we provide to you;
- we may also be required to disclose your Personal Information to authorities who can request this information by law that is binding on PenFed, e.g. for the prevention and detection of crime, the capture or prosecution of offenders and the assessment or collection of taxes. We will disclose such information in order to comply with applicable legal obligations;
- we may monitor and analyze the use of our products and services for risk assessment and control purposes (including detection, prevention, and investigation of fraud);
- conduct crime prevention and compliance activities such as audit and reporting, maintenance of accounting and tax records, fraud prevention and anti-money laundering (AML) efforts, and measures relating to sanctions, antiterrorism laws and regulations, and fighting crime. This includes know your client (KYC) screening (which involves identity checks and verifying address and contact details), politically exposed persons screening (which involves screening client records against internal and external databases to establish connections to ‘politically exposed persons' (PEPs) as part of client due diligence and onboarding) and sanctions screening (which involves the screening of clients and their representatives against published sanctions lists). We will use and disclosure such information only as necessary to comply with legal compliance obligations or fulfill our legitimate interests in preventing fraudulent or criminal activities; and
When and How We Share Information with Others
The Personal Information PenFed collects from you is stored in one or more databases hosted by PenFed or its contracted third parties located in the United States (U.S.). These third parties generally do not use or have access to your personal information for any purpose other than cloud storage, retrieval, or to facilitate a transaction.
Your Personal Information Rights
Right of Access.
You have the right to request access to your Personal Information from PenFed, including, but not limited to, confirmation as to whether PenFed is processing your Personal Information and the following:
- the purposes of the processing;
- the categories of Personal Information concerned
- the recipients or categories of recipient to whom the Personal Information have been or will be disclosed;
- where possible, the envisaged period for which the Personal Information will be stored;
- where the Personal Information has not been collected from you, any available information as to their source;
- the existence of automated decision-making, including profiling.
Right to Rectification.
You have the right to rectify or correct inaccurate or incomplete Personal Information concerning you, taking into account the purposes of the processing, and the right to have incomplete Personal Information completed.
Right to Erasure.
You have the right to request that we erase your Personal Information where:
- the Personal Information is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- you withdraw your consent and there are no other legal grounds for the processing;
- you exercise your right to object (see below) and there are no compelling legitimate grounds for the processing;
- the Personal Information has been unlawfully processed; or
- the Personal Information has to be erased for compliance with a legal obligation applicable to us.
Right of Restriction.
Provided PenFed is not required to use your Personal Information to comply with legal or business obligations, you have the right to restrict or limit how we use your Personal Information where:
- you contest the accuracy of the Personal Information, for a period enabling us to verify the accuracy;
- the processing is unlawful and you oppose the erasure of the Personal Information and request the restriction of its use instead;
- we no longer need the Personal Information for the purposes of the processing, but the processing is required for the establishment, exercise or defense of legal claims;
- you exercise your right to object (see below) pending verification of whether our legitimate grounds override those of yours.
Right to Withdraw Consent.
Should we ask for your consent for the processing of your Personal Information, you have the right to withdraw consent. If you do not provide information that we request, we may not be able to provide (or continue providing) relevant products or services to you or otherwise do business with you.
Right to Object.
You also have the right to object to how we use your Personal Information, provided there are no compelling and overriding legitimate grounds for the use of your Personal Information. You also have a right to object to automated decision-making, including profiling and direct marketing. If PenFed uses automated processing to determine your eligibility for any of its products or services, we will generally give you an opportunity to provide consent, as necessary, or opt-out of such activity. If you consent, you will still retain the right to contest the results of the processing and to have a person review those results.
Right to Lodge a Complaint.
If you are not satisfied with our response, you have the right to complain to or seek advice from an appropriate supervisory authority in the EEA.
Automated Decisions, Profiling and Behavioral Advertising
PenFed may use automated decision-making tools and profiling to serve our legitimate interests, to perform our contract with you, and provide you with products and services in an efficient manner. For example, automated decision-making tools or profiling may be used to assess your eligibility for membership or evaluate your application for credit. If we use your data for automated decision-making or profiling, you will be provided with an opportunity to provide consent, as necessary, or opt-out of such activity. If you do not provide necessary consent or opt-out of these activities, we may not be able to provide or continue providing relevant products and services or otherwise do business with you.
Advertising and Analytics Services Provided by Others
The security of your information is important to PenFed. We have implemented commercially reasonable technical, physical and administrative security measures intended to protect your Personal Information from unauthorized access, disclosure, alteration or destruction. Please keep in mind, however, that no data transmitted over the Internet is one hundred percent secure and any information disclosed online can potentially be collected and used by persons other than the intended recipient.
If you would like to learn more about how we protect your Personal Information, please contact us at the information we provide below.
How Long We Keep Your Personal Information
We keep your personal information for as long as is necessary for the purposes of:
- Maintaining our relationship with you
- Performing an agreement with you
- Complying with a legal or regulatory obligation
- Internal administrative or security needs
International Data Transfers
To better serve you, PenFed or its data processors may require the transfer of your Personal Information across borders as permitted by applicable laws. PenFed has a compelling legitimate interest in the processing and transfer of your Personal Information across borders for internal business purposes including the fulfilment of our contract with you and compliance with applicable U.S. state and federal laws and regulations.
Should you initiate a transaction outside of the U.S. or a transaction that requires the transfer of your Personal Information from a country outside of the U.S., you consent to the transfer of your Personal Information across borders and the processing of your Personal Information as necessary to complete such transactions. You also consent to the storage of your Personal Information on our data servers in the U.S.
Exercising Your Rights
If you have questions or complaints about our treatment of your Personal Information, or about our privacy practices in general, please feel free to contact PenFed's Data Protection Officer at firstname.lastname@example.org or call us toll-free at 1-800-339-9922.