Privacy Policy


The following privacy policy provides an overview how your data is recorded and processed. This policy applies to GC Factoring Ltd.

With the following information, we would like to give you an overview of how we process your personal data as well as your rights under the Data Protection Act. What specific data is processed in detail and how it will be used depends on the requested or agreed services.



1. Who is responsible for data processing and who can I contact?


Contact details as follows:


Guildford Business Park, Building 2


Surrey GU2 8XG

E-mail: [email protected] 


You can reach our operational data protection officer at:


Data Protection Officer

Guildford Business Park, Building 2


Surrey GU2 8XG

E-mail: [email protected] 



2. What sources and data do we use? 


We process personal data that we receive from our customers as part of our business relationship. In addition, we process – as far as necessary for the provision of our services – personal data that we might collect from publicly accessible sources (e.g. debtor directories, land registers, trade and association registers, press, internet) or that was obtained from our distribution partners or from other third parties (e.g. a credit agency). Finally, we process personal data of our shareholders, shareholder representatives, guests of the Annual General Meeting and analysts on the basis of our legal obligations.


Relevant personal data includes:

  • Personal details (name, address, birthday, place of birth and nationality)
  • Contact details (telephone, e-mail address)
  • Verification data (e.g. ID data)
  • Authentication data (e.g. signature sample)
  • Order data (e.g. payment order)
  • Data from the fulfilment of our contractual obligations (e.g. sales data in payment transactions)
  • Information about your financial situation (e.g. creditworthiness data, scoring/rating data, source of assets)
  • Advertising and sales data (including advertising scores), documentation data (e.g. consultation minutes)
  • Data in connection with the shareholder position, such as the number of shares, type of shares, type of share ownership or information on the bank holding your shares.
  • Data in connection with the Annual General Meeting of GRENKE AG such as the number of the admission ticket, powers of attorney, instructions, etc.

and other data comparable to the aforementioned categories.



3. What do we process your data for (purpose of processing) and on what legal basis?


We process personal data in accordance with the provisions of the European General Data Protection Regulation and the Data Protection Act 2018 (GDPR):

a. For the fulfilment of contractual obligations (Article 6 (1) (b) of the GDPR) 

Data is processed in order to provide financial services as part of the execution of our contracts with our customers or to carry out pre-contractual actions, which are carried out upon request. The purposes of data processing are primarily geared towards the specific product (e.g. leasing, factoring) and may include, but are not limited to, needs analysis, consulting and to perform transactions. Further details on the purposes of data processing can be found in the relevant contract documents and terms and conditions. 

b. For the purposes of legitimate interests (Article 6 (1) (f) of the GDPR)
As far as necessary, we process your data beyond the actual fulfilment of the contract for the protection of our legitimate interests or those of third parties, in particular: 

  • Consultation and exchange of data with credit agencies (e.g. Experian) to identify credit risk or default risk
  • For the purposes of checking any credit or default risks, and to defend ourselves against any criminal acts, we provide data to credit reference agencies data concerning the request and the applicant. The agencies will make the data saved about you available to us through direct electronic mail provided that we have given convincing evidence that our interest in this is legitimate.

The credit agencies will process the data received and use this to create a profile (scoring), in order to provide their contractual partners in the European Economic Area and in Switzerland and, where necessary, other third party countries (provided there is an adequacy decision from the European Commission for this) with information so they can assess the creditworthiness of natural persons, among others.


For detailed information as described in Article 14 GDPR regarding activities undertaken by the credit agencies, please refer to the information provided about the respective agencies using the following links:
For Equifax, go to
For CoCredo, go to 


  • Prevention and clarification of criminal acts, assertion of legal claims and defence during legal disputes

We will send personal data collected for the request for, execution and ending of this business relationship to an asset management company, collection agents or bailiffs. For behaviour not in compliance with the contract or for fraudulent behaviour to our solicitors.


Please refer to the information provided about the respective companies using the following links:
For EBM Plc, go to 
For PDT Solicitors, go to

  • Checking business needs for the purposes of direct sales approaches and marketing opportunities
  • Guaranteeing IT security and safeguarding IT operations at our company
  • Building and plant safety measures (e.g. access control)
  • Measures to guarantee domestic authority
  • Quality assurance to optimize internal business processes
  • Business management measures and measures to develop products and services


c. On the basis of your consent (Article 6 (1) (a)  GDPR)
Insofar as you have given us your consent to process your personal data for specific purposes (e.g., disclosure of data within the Group, or analysis of payment transaction data for marketing purposes), the legality of this processing is assured on the basis of your consent. Consent that has been issued can be revoked at any time. This also applies to the revocation of declarations of consent that were issued to us before the GDPR came into effect, i.e. before 25 May 2018. The revocation of consent does not affect the legality of the data processed until the revocation.
d. Based on legal requirements (Article 6 (1) (c) GDPR), legitimate interest (Art. 6 (1) (f) GDPR) or in the public interest (Article 6 (1) (e) GDPR)
If we are required to meet various legal requirements (i.e. the provisions of the Banking Act 2009, Money Laundering Act, tax laws) and banking supervisory specifications (e.g. the European Central Bank, the European Banking Authority, the Bank of England and Financial Supervisory Authority). The purposes of the processing include, but are not limited to, the creditworthiness check, identity and age checks, prevention of fraud and money laundering, the fulfilment of tax auditing and reporting obligations, and the assessment and management of risks.


Due to legal obligations as well as due to the legitimate interests in the context of the organization and orderly conduct of Annual General Meetings, we also process personal data of shareholders, shareholder representatives and, if applicable, guests at the Annual General Meeting of GRENKE AG (in particular name and contact details). The processing of this data is necessary for the participation of shareholders, shareholder representatives and possible guests in the Annual General Meeting or the holding of analyst events. Personal data is stored in accordance with legal obligations and then deleted.



4. Who receives my data?


Within our organisation, the entities that gain access to your data are those who need it in order to fulfil our contractual and legal obligations. Our service providers and vicarious agents may also receive data for these purposes. These are companies in the categories of financial services, IT services, logistics, printing services, telecommunications, debt collection, advising and consulting, as well as sales and marketing.

With respect to the disclosure of data to recipients outside our company, we may only disclose information about you if we are required to do so by law or if you have given us your consent to do so. Under these conditions, recipients of personal data may be, for example: 

  • Public bodies and institutions (e.g. the Bank of England, Financial Supervisory Authority, the European Banking Authority, the European Central Bank, tax authorities) if there is a statutory or official obligation to do so. 
  • Other credit and financial service providers or similar institutions to whom we send personal data in order to maintain the business relationship with you (e.g. correspondent banks, credit agencies).
  • Other companies within our Group conducting a risk controlling process because of a statutory or official requirement to do so.
  • Other companies within our Group from which information can be provided that are suitable to the company’s interests and are confirmed as a legitimate interests.

 Other data recipients may be those to whom you have given us your consent for your data to be submitted.



5. Is data transmitted to a third-party country or to an international organisation?


A transfer of data to bodies in countries outside the European Economic Area (so-called third-party countries) takes place, as far as:

  • this is required in order to execute your orders (e.g. payment orders),
  • this is required by law (e.g. in order to comply with tax reporting obligations), or 
  • you have given us your consent.



6. How long will my data be stored? 


Unless explicitly stated in this privacy statement, the usage and registration data stored with us is deleted as soon as it is no longer required for its intended use and the deletion does not conflict with any statutory retention obligations. 

We process and store other personal data as long as it is necessary for the fulfilment of our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation, which is designed to last for years. If the data is no longer required for the fulfilment of contractual or legal obligations, it is regularly deleted, unless its - temporary - further processing is necessary for the following purposes: 

  • Fulfilment of a duty to preserve the data under commercial and tax laws, i.e. the UK Commercial Law, UK Company Law, HM Revenue & Customs, the UK Banking Act (2009), the Money Laundering Act and the UK Securities Trading Act (2001). These laws require data to be kept/documented for 6 years after the end of the finance agreement.
  • Retaining evidence in accordance with the statutory periods of limitation that apply.



7. Which data protection rights do I have?


Every affected person has with respect to us

  • the right of access under Art. 15 GDPR,
  • the right to rectification under Art. 16 GDPR,
  • the right to erasure under Art. 17 GDPR,
  • the right to restrict the processing under Art. 18 GDPR,
  • the right to object from Art. 21 GDPR,
  • and the right to data portability under Art. 20 GDPR.

Each individual also has a right to complain to the Information Commissioner’s Office

You may withdraw your consent to your personal data being processed by us at any time. This also applies to the withdrawal of declarations of consent received before GDPR came into effect, i.e. before 25 May 2018. Please note that this withdrawal will apply going forward. It will not apply to any data processed before the withdrawal.

You have the right, at any time, to opt out of any processing of your personal data taking for reasons relating to your own particular situation.



8. Accuracy of Data and Keeping Data up to Date


The Business shall ensure that all personal data collected, processed and held by it is kept accurate and up to date. This includes, but is not limited to, the rectification of personal data at the request of a data subject, as set out in Clause 15 (Rectification Of Personal Data), below.


The accuracy of personal data shall be checked when it is collected and at regular intervals thereafter. If any personal data is found to be inaccurate or out of date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.



9. Am I obligated to provide data?


As part of our business relationship, you must provide the personal data required in order to enter into a business relationship and perform its associated contractual obligations, or the personal data that we are required to collect by law. Without this information, we will generally not be able to conclude or execute the contract with you.
In particular, according to the money laundering regulations, we are obligated to identify you prior to entering into a business relationship with you on the basis of your identification document and to record and save your name, place of birth, date of birth, nationality, address and identification data. In order for us to be able to fulfil this legal obligation, you must provide us with the necessary information and documents in accordance with the Money Laundering Act and immediately notify us of any changes during the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into or continue your desired business relationship.



10. To what extent is there an automated decision-making process?


In principle, we do not use any fully automated decision-making processes pursuant to Art. 22 GDPR in order to justify or maintain the business relationship. If we do use these procedures in individual cases, we will inform you about this separately, if this is required by law. If you disagree with a decision that we have made based on your credit score, you have the right to require the decision to be reviewed by human evaluation, taking into account your point of view.



11. Does profiling take place?


We sometimes process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

  • Due to legal and regulatory requirements, we are committed to combating money laundering, the financing of terrorism, and property-related offences. At the same time, data evaluations are also carried out (inter alia in payment transactions). These measures are also in place for your protection.
  • In order to provide you with targeted information and advice on products, we use evaluation tools. These enable needs-based communication and advertising, including market and opinion research. 
  • We use the scoring to assess your creditworthiness. This calculates the probability with which a customer will meet their payment obligations in accordance with the contract. The calculation may include, for example, income, expenses, existing liabilities, occupation, employer, duration of employment, past business experience, past repayment of the loan, and information from credit reporting agencies. The scoring is based on a mathematically-statistically recognised and proven procedure. The calculated scores help us make decisions within the context of product sales and are part of ongoing risk management.



Information about your right of revocation according to Art. 21 GDPR


1. Case-specific right to object
You have the right at any time, for reasons arising from your particular situation, to revoke your consent for the processing of personal data relating to you, which takes place on the basis of Article 6 (1) (e) GDPR (data processing in the public interest) and Article 6 (1) (f) GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Art. 4 (4) GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing serves the establishment, exercise or defence of legal claims.

You can revoke your consent to this by sending a correspondingly worded letter to GRENKE, Data Protection Officer, Guildford Business Park, Building 2, Guildford, Surrey GU2 8XG or [email protected].


Call us

Get in touch with us via

+44 1 483 401 755

Mo - Fr 8 am - 6 pm

We are experiencing a high volume of calls. As an alternative please email [email protected].