Privacy Notice

WHO ARE WE?

“Cardtronics” is the Cardtronics group of companies, including Cardtronics Plc and all of its subsidiaries. The Group is comprised of a number of business entities and while those entities operate in a number of different ways and in different jurisdictions, this document sets out the general principles in accordance with which Cardtronics will collect, process and process your data. We will let you know which of the entities of the group you will have a direct relationship with when you participate with us with a view to obtaining a product or service. When we mention Cardtronics, “we”, “us” or “our” in this privacy notice, we are referring to the relevant Company in the Cardtronics group responsible for processing your data.

It is important that you read this privacy notice, just like any other privacy notice or fair processing notice we may provide on certain occasions when we are collecting or processing your personal data so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not designed to replace them.

We offer tailor-made solutions to boost retail sales, ensuring a greater flow of customers and an increase in the average expenditure per visit.

DATA PRIVACY MANAGER

In addition, we have appointed a data privacy manager who is responsible for overseeing questions related to this privacy notice. If you have any questions about this privacy notice, including requests to exercise your rights, please contact the Data Privacy Officer using the details provided below.

Privacy Notice

PRIVACY NOTICE

This privacy notice is to let you know how Cardtronics will take care of your personal information. This includes what you tell us about yourself and what we learn from having you as a customer. This notice explains how we do this and explains your rights to privacy and how the law protects you. Personal data or personal information means any information about a person from which that person can be identified. Data where the identity has been deleted (anonymous data) is not included.

We may collect, use, store and transfer different types of personal data about you that we have grouped as follows:

WHAT PERSONAL DATA DO WE COLLECT?

We collect contact information in each case and then the additional information required for the purposes of fulfilling the relationship you have with Cardtronics, which may, in the case of an employment relationship, include special categories of data.

We also collect, use and share demographic or statistical data. This can be derived from your personal data, but it is not considered personal data in the law, since this data does not reveal your identity directly or indirectly. For example, we can aggregate usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data, so that you can directly or indirectly identify you, we treat the combined data as personal data that will be used in accordance with this privacy notice.

FROM WHERE WE COLLECT YOUR PERSONAL DATA FROM:

We will collect your personal data through any of our Cardtronics group companies:

  • By filling out a form on any of our group business websites
  • When you enter into a contract with Cardtronics
  • When providing information in emails or letters
  • When you talk to us on the phone
  • When you request any of our services
  • When you interact with our website, we may automatically collect technical data about your equipment, actions and browsing patterns. We collect this personal data through the use of cookies, server logs and other similar technologies. We may also receive your technical information if you visit other websites that use our cookies.

We may also collect data from you third parties we have an association with, including:

  • Fraud prevention agencies
  • The Government and law enforcement agencies
  • Public sources of information, including DVLA, Cadastre and House companies
  • Background checks and other agents working on our behalf

HOW TO USE YOUR PERSONAL DATA?

Here is a list of all the ways we will use your personal information, and the legal basis for collecting and processing the data.

We will only use your personal data for the purposes for which it was collected, unless we reasonably consider that we should use it for another reason and reason that is compatible with the original purpose. If you would like an explanation of how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for purposes other than the issue, we will notify you and explain the legal basis that allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above regulations, when this is required or permitted by law.

WHO DO WE SHARE YOUR DATA WITH?

We may share your personal data with the parties listed below for the purposes set out in the table above.

  • Internal third parties: other companies in the group that act as Cardtronics jointly or as processors or controllers and those that provide system administration and other services for the group and its customers.
  • External third parties: suppliers, who act as processors that provide services to Cardtronics and its customers.
  • Professional advisors who act as joint processors or controllers, including lawyers, bankers, fraud and other crime prevention agencies, auditors and insurers.
  • Customs and Revenue Taxes, HMR regulators and other authorities that act as joint processors or controllers that require notification of certain activities.
  • Agents and Advisors we use to help execute your accounts and services, collect what you owe and explore new ways of doing business
  • The third parties to whom we may choose to sell, transfer or combine parts of our business or assets. Alternatively, we may try to acquire other companies or combine them. If a change occurs in our business, then the new owners will be able to use your personal data in the same way as set out in this privacy statement

We require that all third parties respect the security of your personal data and treat it in accordance with the law. We cannot allow our third-party service providers to use your personal data for their own purposes and we are only allowed to process your personal data for specific purposes and in accordance with our instructions.

HOW LONG DO WE KEEP YOUR INFORMATION?

We will keep your personal information as long as you are a Cardtronics customer. We will only keep your personal data after this, as long as necessary to fulfill the purposes for which we charge, including for the purpose of satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm caused by the unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes by other means, and the applicable legal requirements.

After you stop being a customer, we may keep your data for one of these reasons:

  • To respond to any questions or complaints.
  • To show that we have treated him fairly.
  • To keep records in accordance with the rules that apply to us.

THE LAW PROTECTS HIM

Protecting your data privacy is not only a legal requirement for Cardtronics, it's also important to us.

Data Protection Act says that we are authorized to collect and use personal information only if we have a good reason to do so. Therefore, we can only collect, store and use your data:

  • To fulfill the contract we have, for example, to ensure that the right amounts are paid to the right person
  • When it is our legal duty to do so, for example, including keeping audit records or other purposes, or
  • When it is in our legitimate business or business interest, including for example KYC or “know your customer”, to ensure that we are hiring the right person or appropriate organization, or
  • When you give your consent.

Generally, we do not rely on consent as a legal basis for processing your personal data. In most cases, we will need to collect and process your data in accordance with a contractual relationship you have with Cardtronics or on the basis of a legitimate business interest. Please note that we may process your personal data for more than one legal evidence, depending on the specific purposes for which we are using your data. Please contact us if you need more details about the specific legal ground we rely on to process your personal data when more than one piece of evidence was presented in the table below. If we rely on a legitimate interest to process your data, we will carefully evaluate the extent to which the processing is necessary and we will ensure that our business interests do not infringe your own interests and fundamental rights.

DATA AND ATM (ATM)

When you use one of our cash machines, you should know that your card details can be captured and shared with your card issuer, in order to validate the requested transaction. Your card details along with the details of the requested transaction will be used by Cardtronics, a number of third-party service providers and your card issuer to authenticate and authorize or deny the transaction request; Cardtronics does not use any form of automated decision-making in this process, but other third parties and/or your card issuer may. The details that Cardtronics collects from your card as part of a transaction have been anonymized by your card issuer and Cardtronics has no means of reconciling your card number (which is more anonymous and encrypted) with a living person. As such, Cardtronics does not consider the card and the transaction details to be personal data for the purposes of data protection law, but this also means that it cannot identify Cardtronics in the event of a dispute over an ATM transaction - If you have any problems using one of our ATMs, you must first contact your card issuer to submit a “LINK Discrepancy Form”.

Please note that Cardtronics may, as part of the transaction validation process, be asked by the card issuer to keep the card inserted in the ATM. This can be, as a consequence of the card having expired, the card being abused, where the wrong PIN number has been tried an incompatible number of times, or when a non-compatible card has been inserted. Please note that in accordance with the rules and regulations of the LINK, Cardtronics cannot return captured ATM cards or any ATM cards that are securely destroyed upon collection to users. If an ATM has held your card, in most cases this will be at the request of your card issuer and you should contact them in the first instance.

Our websites may contain links to third-party websites, plug-ins and applications. By clicking on those links or activating connections, you can authorize third parties to obtain or share information about you. We do not control those third-party websites and are responsible for their privacy statements. When you leave our website, we urge you to read the privacy policy of each website you visit.

SENDING DATA OUTSIDE THE EEA

We may share your personal data within the Cardtronics group. This may involve the transfer of your data outside the European Economic Area (EEA). In addition, some of our third-party service providers are located outside the EEA or use cloud-based services that run on servers located outside the EEA. We will only send your data outside the EEA:

  • Follow their instructions.
  • Comply with a legal duty.
  • Work with our agents and advisors that we use to help run your business accounts and services.

If we transfer information to our agents or advisors outside the EEA, we will ensure that it is protected in the same way as if it were being used in the EEA.

Please contact us if you would like more information about the specific mechanism used when transferring your personal data outside the EEA.

IF YOU CHOOSE NOT TO PROVIDE US WITH THIS INFORMATION

We may need to collect personal information by law or under the terms of a contract we have with you. If you choose not to provide this personal information, that may delay or prevent us from meeting our obligations. It may also mean that we are unable to perform services necessary to run your accounts or business services. This could mean that we might have to cancel a product or service that you have with us.

Any data collection that is optional will be clarified at the time of collection.

Marketing

We may use your personal information to inform you about relevant products and offers. This is what we mean when we talk about 'marketing'. The personal information we hold about you is comprised of what you tell us, and the data we collect when you use our services or from third parties with whom we work. We can only use your personal information to send you marketing messages if we have your consent or a “legitimate interest”. Which is when we have a business or business reason to use your information. It should not be unfairly against what is just and is found for your best benefit. You can ask us to stop sending marketing messages, by contacting us at any time. If your mind changes, you can update your options at any time by contacting us.

CCTV

Cardtronics operates closed circuit television (CCTV) in and around Cardtronics facilities and assets to provide you with a safe environment for staff, visitors and the general public and also to protect CTUK assets and assets. We operate with CCTV for:

  • Dissuade those who have criminal intent.
  • Assist in the prevention and detection of crime;
  • Facilitate the identification, arrest and prosecution of offenders
  • Monitor the safety of CTUK buildings and vehicles;
  • Identify problems with the movement of the CTUK vehicle around buildings.

DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized, altered or disclosed manner. In addition, we may limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data in accordance with our instructions and you are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and you will be notified as well as any applicable regulator of a breach where we are legally required to do so.

YOUR LEGAL RIGHTS

You have the right to:

Request a Copy of Your Personal Data

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Contact details are below.


Request the correction of your personal information.

This allows you to have any incomplete or inaccurate data corrected, although we may need to verify the accuracy of the new data you provide us. The contact details are detailed below.


Request the deletion of your personal data.

This allows you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or delete your personal data where you have exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to delete your personal data to comply with local law. Please note, however, that it is not always possible to comply with your deletion request for specific legal reasons and they will be notified, if any, at the time of your request.

To object to the processing of your personal data where we are based on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to processing in this area, as you consider that it impacts your fundamental rights and freedoms. You also have the right to object to where we are processing your personal data for direct marketing purposes. In some cases, we may be able to demonstrate that we have genuine legitimate reasons for processing your information that override your rights and freedoms. The contact details are detailed below.


Request restriction of the processing of your personal data.

This allows you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to indicate the accuracy of the data; (b) where our use of data is illegal, but you do not want us to delete it; (c) where we are needed to retain the data, even if you no longer need to indicate, exercise or defend legal claims; or (d) you have objected to our use of your information, but we need to verify if we have legitimate reasons to use it. The contact details are detailed below.


Request the transfer of your personal data to yourself or to a third party.

We will provide you, or a third party you have chosen, with your personal data in a structured form, generally in machine-readable format. Please note that this right only applies to automated information that you initially provided via consent to use or where we use that information to perform a contract with you. The contact details are detailed below.


Withdrawal of Consent

You can withdraw your consent at any time where we rely on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not provide you with certain products or services. We will let you know if this is the case when you withdraw your consent. The contact details are detailed below.

HOW TO GET A COPY OF YOUR INFORMATION

You can access your personal information by completing the form here or by writing to us at the following address:

Data Protection Team TeamCardtronics UK Ltd, PO Box 476, Hatfield, AL10 1DT

We will respond to requests for access from individuals within 30 days.

HOW TO COMPLAIN

You also have the right to complain to the Information Commissioner's Office. Full details of how to do this are on the Information Commissioner's website. We would, however, like to appreciate the opportunity to address your concerns before you approach ICO, so please contact us in the first instance.

POSSIBLE FUTURE CHANGES

Data privacy laws will change on May 25, 2018. We're working with our industry to improve the way we manage your personal data. We will update this notice with changes relevant to the processing of your data as this occurs.

Cookies

To learn more about how we use cookies, see our Cookie notice.

This Privacy Policy has been in effect since April 2018.