1. Introduction

This document sets out the obligations of GRENKE Leasing Limited (UK) No.2 London Square, Cross Lanes, Guildford, Surrey GU1 1UN (our ‘Business’) regarding data protection and your rights as our Customer (‘data subject’) in respect of your personal data under the UK General Data Protection Regulation (UK GDPR) which sits alongside the Data Protection Act 2018 (DPA 2018). We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to services we offer to individuals and our wider operations in the European Economic Area (EEA). Together, the UK GDPR and EU GDPR and referred to as ‘GDPR’.

Any person who contracts with us to use or access or products and service is referred in this notice as a ‘Customer’.

We take your privacy very seriously. Please read this privacy notice carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This document sets our Business’s obligations regarding the collection, processing, transfer, storage, and disposal of your personal data. Our Business has implemented procedures and policies for our employees, agents, contractors, or other parties working on behalf of our Business to follow at all times. 

Our Business is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

2. Lawful, Fair, and Transparent Data Processing

The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting your rights as the data subject.

As you are a Customer of our Business and have contracted with us to provide you with our products and services, under the GDPR we are allowed to process your personal data as a necessity for the performance of the contract. 

We collect and use your personal data to provide our services. If you do not provide the personal data we ask for, this may delay or prevent us from providing those services.

3. The Data Protection Principles

The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:

• Processed lawfully, fairly, and in a transparent manner in relation to the data subject.
• Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
• Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
• Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.
• Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

4. Keeping You Informed

Our Business shall provide the information set out below to every Customer:

Where your personal data is collected directly from you, you will be informed of its purpose at the time of collection and where your personal data is obtained from a third party, you will be informed of its purpose:

• If the personal data is used to communicate with you, when the first communication is made.
• If the personal data is to be transferred to another party, before that transfer is made. 
• As soon as reasonably possible and in any event, not more than one month after the personal data is obtained.

5. How Your Personal Data Is Collected

We collect most of this information from you directly, via someone instructed to represent you or via our secure online Customer portal. However, we may also collect information:

• From publicly accessible sources, e.g. Companies House.
• Directly from a third party, e.g.: 
  • Anti-money laundering and sanctions screening providers.
  • Credit reference agencies.
  • Customer due diligence providers.
• From a third party with your consent, e.g.: 
  • Your bank or building society, another financial institution or advisor.
  • Consultants and other professionals we may engage in relation to your matter.
  • Your employer and/or trade union, professional body or pension administrators.
  • Your doctors, medical and occupational health professionals. 
• Via our website—we use cookies on our website (for more information on cookies, please see the Cookie Policy on our website.
• Via our information technology (IT) systems.

6. How and Why We Use Personal Data

Under data protection law, we can only use your personal data if we have a proper reason, i.e.:

• Where you have given consent.
• To comply with our legal and regulatory obligations.
• For the performance of a contract with you or to take steps at your request before entering into a contract.
• For our legitimate interests or those of a third party.

A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.

The table below explains what we use your personal data for and why.

7. For the fulfilment of contractual obligations

Data is processed in order to provide financial services as part of the execution of our contracts with our customers or to carry out pre-contractual actions, which are carried out upon request. The purposes of data processing are primarily geared towards the specific product (e.g. leasing, factoring) and may include, but are not limited to, needs analysis, consulting and to perform transactions. Further details on the purposes of data processing can be found in the relevant contract documents and terms and conditions.

8. For the purposes of legitimate interests

As far as necessary, we process your data beyond the actual fulfilment of the contract for the protection of our legitimate interests or those of third parties, in particular:

• Consultation and exchange of data with credit agencies (e.g. Experian) to identify credit risk or default risk
• For the purposes of checking any credit or default risks, and to defend ourselves against any criminal acts, we provide data to credit reference agencies data concerning the request and the applicant. The agencies will make the data saved about you available to us through direct electronic mail provided that we have given convincing evidence that our interest in this is legitimate.

The credit agencies will process the data received and use this to create a profile (scoring), in order to provide their contractual partners in the European Economic Area and in Switzerland and, where necessary, other third party countries (provided there is an adequacy decision from the European Commission for this) with information so they can assess the creditworthiness of natural persons, among others.

For detailed information as described in Article 14 GDPR regarding activities undertaken by the credit agencies, please refer to the information provided about the respective agencies using the following links:

• For DUN & BRADSTREET LIMITED, go to www.dnb.com
• For Equifax, go to https://www.equifax.co.uk/credit_score

9. Prevention and clarification of criminal acts, assertion of legal claims and defence during legal disputes

We will send personal data collected for the request for, execution and ending of this business relationship to an asset management company, collection agents or bailiffs. For behaviour not in compliance with the contract or for fraudulent behaviour to our solicitors.

If we are required to meet various legal requirements (i.e. the provisions of the Banking Act 2009, Money Laundering Act, tax laws) and banking supervisory specifications (e.g. the European Central Bank, the European Banking Authority, the Bank of England and Financial Supervisory Authority). The purposes of the processing include, but are not limited to, the creditworthiness check, identity and age checks, prevention of fraud and money laundering, the fulfilment of tax auditing and reporting obligations, and the assessment and management of risks.

10. How and Why We Use Your Personal Data—Special

Certain personal data we collect is treated as a special category to which additional protections apply under data protection law:

• Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership.
• Genetic data.
• Biometric data (when used to uniquely identify an individual).
• Data concerning health, sex life or sexual orientation.

Where we process special category personal data, we will also ensure we are permitted to do so under data protection laws, e.g.:

• We have your explicit consent.
• The processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent.
• The processing is necessary to establish, exercise or defend legal claims.

11. Sharing of Personal Data

During our retainer with you we may share your information with the following entities:

• Group Companies
• Accountants.
• Our professional advisors.
• Our regulator(s) – The Financial Conduct Authrotiy (FCA)
• The Financial Ombudsman Service
• Banks and lenders.
• Mediation and arbitration service providers.
• Government bodies including HMRC.
• Regulation and Compliance Advisors
• Auditors.
• IT support, infrastructure and system providers.
• Employees of the Business.
• Contractors to the Business working on your matter.
• Postal service providers, including couriers.
• Insurers and brokers.
• Other third parties we use to help us run our Business, e.g. marketing agencies or website hosts.
• Third parties approved by you, e.g. social media sites you choose to link your account to or third- party payment providers.
• Credit reference agencies.
• Payment providers. 
• External auditors, e.g. in relation to the audit of our accounts or files, or systems and processes.
• Other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition or asset sale or in the event of our insolvency, usually, information will be anonymised but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.

Where we oursource to third-party providers, we only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you.

12. Automated Decision-Making Process?

In principle, we do not use any fully automated decision-making processes pursuant to Art. 22 GDPR in order to justify or maintain the business relationship. If we do use these procedures in individual cases, we will inform you about this separately, if this is required by law. If you disagree with a decision that we have made based on your credit score, you have the right to require the decision to be reviewed by human evaluation, taking into account your point of view.

13. Profiling

We sometimes process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

• Due to legal and regulatory requirements, we are committed to combating money laundering, the financing of terrorism, and property-related offences. At the same time, data evaluations are also carried out (inter alia in payment transactions). These measures are also in place for your protection.
• In order to provide you with targeted information and advice on products, we use evaluation tools. These enable needs-based communication and advertising, including market and opinion research.
• We use the scoring to assess your creditworthiness. This calculates the probability with which a customer will meet their payment obligations in accordance with the contract. The calculation may include, for example, income, expenses, existing liabilities, occupation, employer, duration of employment, past business experience, past repayment of the loan, and information from credit reporting agencies. The scoring is based on a mathematically-statistically recognised and proven procedure. The calculated scores help us make decisions within the context of product sales and are part of ongoing risk management.

14. Marketing

We will use your personal data to send you updates (by email, text message, telephone or post) about our services, including promotions or new services.

We have a legitimate interest in using your personal data for marketing purposes. This means we do not usually need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.

If we seek to market services or products to you that are new to you or you have not engaged with before we will ensure we obtain your consent before marketing to you.

You have the right to opt out of receiving marketing communications at any time by using the unsubscribe link in the footer of every email issued by Marketing. You can also opt-out by emailing [email protected] with a request to remove your data from our marketing databases.

We may ask you to confirm or update your marketing preferences if you ask us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.

We will always treat your personal data with the utmost respect and never sell or share it with other organisations for marketing purposes.

15. Personal Data Collected, Held, and Processed

The following personal data is collected, held, and processed by our Business:

16. Personal Data Collected for Compliance with the Business’s Regulatory Responsibilities

Pursuant to Regulation 41 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and The Money Laundering and Terrorist Financing (Amendment) Regulations 2019, the Business will not use any personal data provided for the purpose of complying with the regulation for any purpose other than for the prevention of money laundering or terrorist financing.

17. Where your personal Data is held

Personal data may be held at our offices and those of our third-party agencies, service providers, representatives and agents as described above (see ‘Sharing of Personal Data’).

Some of these third parties may be based outside the European Economic Area. For more information, including on how we safeguard your personal data when this occurs, see below: ‘Transferring your personal data out of the UK and EEA’.

18. How long your personal data will be kept for

We will not keep your personal data for longer than we need it for the purpose for which it is used or as agreed with you.

As a general rule, if we are no longer providing services to you, we will delete or anonymise your account data after 10 years after the cease of Agreement by both parties.

Following the end of the relevant retention period, we will delete or anonymise your personal data.

19. Transferring Your personal data out of the UK and EEA

The EEA, UK and other countries outside the EEA and the UK have differing data protection laws, some of which may provide lower levels of protection of privacy.

It is sometimes necessary for us to transfer your personal data to countries outside the UK and EEA. In those cases we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data.

As we are based in the UK we may also transfer your personal data from the EEA to the UK.

Under data protection laws, we can only transfer your personal data to a country outside the UK/EEA where:

• In the case of transfers subject to UK data protection law, the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR. A list of countries the UK currently has adequacy regulations in relation to is available here.
• In the case of transfers subject to EEA data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy decision’) further to Article 45 of the EU GDPR. A list of countries the European Commission has currently made adequacy decisions in relation to is available here.
• There are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you.
• A specific exception applies under relevant data protection law.

Where we transfer your personal data outside the UK, we do so on the basis of an adequacy decision. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this notice.

Where we transfer your personal data outside the EEA we do so on the basis of an adequacy decision. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the EEA unless we can do so on the basis of an alternative mechanism or exception provided by applicable data protection law and reflected in an update to this notice.

Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with the section on ‘Changes to this Notice’ below.

20. Transferring Your Personal Data Out of the UK and EEA – Further Information

If you would like further information about data transferred outside the UK/EEA, please contact us via email at [email protected].

21. Your rights (As a Data Subject)

The GDPR sets out the following rights applicable to data subjects:

• The right to be informed.
• The right of access.
• The right to rectification.
• The right to erasure (also known as the ‘right to be forgotten’).
• The right to restrict processing.
• The right to data portability.
• The right to object.
• Not to be subject to automated individual decision making.
• The right to withdraw consent.

22. Data Subject Access Requests

You may make Subject Access Requests (‘SARs’) at any time to find out more about the personal data that our Business holds about you, what it is doing with that personal data, and why.

If you wish to make a SAR you may do so in writing.  SARs should be addressed to the Business's Data Protection Officer, who is Robin Spurr. You should send your request by: email to [email protected].

Responses to SARs shall normally be made within one month of receipt. However, we may extend by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, you shall be informed.

All SARs received shall be handled by the Business’s Data Protection Officer.

Our Business does not charge a fee for the handling of normal SARs. However, we reserve the right to charge reasonable fees for additional copies of information that has already been supplied to you, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

23. Rectification of Personal Data

You have the right to require us to rectify any of your personal data that is inaccurate or incomplete.

Our Business shall rectify the personal data in question, and inform you of that rectification, within one month of you informing our Business of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, you shall be informed.

In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.

24. Erasure of Personal Data

You have the right to request that our Business erases the personal data it holds about you in the following circumstances:

• It is no longer necessary for our Business to hold your personal data with respect to the purpose(s) for which it was originally collected or processed.
• You wish to withdraw your consent to our Business holding and processing your personal data.
• You object to our Business holding and processing your personal data (and there is no overriding legitimate interest to allow our Business to continue doing so).
• The personal data has been processed unlawfully.
• The personal data needs to be erased in order for our Business to comply with a particular legal obligation.

Unless our Business has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and you will be informed of the erasure within one month of receipt of your request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, you shall be informed.

In the event that any personal data that is to be erased in response to your request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

25. Restriction of Personal Data Processing

You may request that our Business ceases processing the personal data it holds about you. If you make such a request, our Business shall retain only the amount of personal data concerning you (if any) that is necessary to ensure that the personal data in question is not processed further.

In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

26. Restriction of Personal Data Processing

You have the right to object to our Business processing your personal data based on legitimate interests and direct marketing (including profiling). 

Where you object to our Business processing your personal data based on its legitimate interests, our Business shall cease such processing immediately, unless it can be demonstrated that the Business’s legitimate grounds for such processing overrides your interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.

Where you object to our Business processing your personal data for direct marketing purposes, our Business shall cease such processing immediately.

27. Withdrawing consent

If you have provided us with consent to use your personal data you have a right to withdraw that consent easily at any time.

You may withdraw consent by contacting our Data Protection Officer via email to [email protected].

Withdrawing consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn.

28. More Information on How to Exercise Your Rights

To find more information on how you may exercise your rights as a data subject, please see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

29. Keeping Your Personal Data Secure

We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

30. How to Complain

Please contact us if you have any queries or concerns about our use of your personal data (see below ‘How to Contact Us’). We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with:

• The Information Commissioner in the UK.
• A relevant data protection supervisory authority in the EEA state of your habitual residence, place of work or of an alleged infringement of data protection laws in the EEA.

The [UK’s] Information Commissioner may be contacted using the details at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.

For a list of EEA data protection supervisory authorities and their contact details see here

31. Changes to this notice

We may change this notice from time to time. If we do, an updated version will be available to you.

32. How to Contact Us

You can contact us and/or our Data Protection Officer by post, email or telephone if you have any questions about this privacy notice or the information we hold about you, to exercise a right under data protection law or to make a complaint.

Full details of how to reach us:

GRENKE

Data Protection Officer

2 London Square

Cross Lanes

Guildford

GU1 1UN

Email: [email protected]

Website: www.grenke.co.uk