FAIR PROCESSING NOTICE
Use of personal information
Please read this notice carefully and in full as it contains important information regarding how we will use your personal data when you enter into a finance agreement with us.
1 Who we are :
We C F Capital plc (“CF”, “we”, “us”, “our”) are committed to processing your personal data in accordance with UK data protection laws. This notice aims to give you information on how your personal data (i.e. information which directly or indirectly identifies you) are processed.
For the purposes of the data protection laws we are the data controller and are registered with the Information Commissioners Office (ICO) with Registration Number Z4873229.
This notice will apply to you where we process your data, including where yourself, a director of a business with whom you are associated has submitted an application for finance or where a supplier has approached us on your behalf.
2 Data That May Be Collected :
We may collect certain personal data with respect to you as a customer, including without limitation your name, address, date of birth, contact details, credit reference data, financial and employment details, banking and credit card details, and details of your business. We collect some of this data from third parties, for example credit reference agencies (“CRAs”) or your chosen supplier.
Where a corporate entity is entering into this agreement we will collect personal data about the individuals who are directors and shareholders of the business from CRAs where this data is held publicly, such as at companies house. This notice also applies to the processing of such personal data and use of the word ‘you’ in this notice will encompass such individuals.
Where we are made aware of such information, CF may process sensitive personal data (including, for example, information revealing an individual’s physical or mental health). Where sensitive personal data are processed we will obtain your explicit consent for the processing and recording this information in line with Data Protection best practice and requirements.
3 How we use your Personal Data :
We will use your personal data for: provision of products and services, credit and AML risk assessment, assessing ongoing credit performance, recoveries, collections, insurance administration, profiling for marketing purposes, market research and product development, statistical analysis, marketing, fraud prevention and detection and otherwise as necessary to comply with applicable laws, regulations and/or codes of practice.
4 Our Legal Basis for using your Personal Data :
We only use your personal data where that is permitted by laws that protect your privacy rights. When we enter into a finance agreement with you, we will use your personal data where :
(i) We have your consent (if consent is needed)
(ii) We need to use the data to comply with our legal obligations
(iii) We have legitimate interests in considering finance proposal applications
In line with ICO best practice and legislative requirements we have undertaken a legitimate interest assessment.
Where we are provided with special category (sensitive) data we will only process this with the explicit consent of the data subject. Company registration no. 2305279 C F Capital plc is authorised and regulated by the Financial Conduct Authority
5 Disclosure to Certain Third Parties
We may disclose certain personal data:
(i) to one or more finance companies for the purposes of arranging finance on your behalf
(ii) professional advisors
(iii) recovery agents
(iv) to courts, governmental and non-governmental regulators and ombudsman
(v) fraud prevention agencies and law enforcement agencies
(vi) to any third party that acquires or is interested in acquiring, all or part of CF’s assets or shares, or that succeeds CF in carrying on all or a part of its business, whether by merger, acquisition, reorganisation or otherwise and
(vii) as otherwise required or permitted by law.
We may also pass your personal data on to other CF Group Companies and/or any relevant third party and
both we and/or they may use it for any purpose linked to any sale of and/or granting of security over the agreement we have with you. In such circumstances, such third parties may also use and/or disclose your personal data to any third party that they ask to assist them with the preparation for and/or completion of any such sale and/or granting of security; they may also, once such sale and/or granting of security is completed, use and/or disclose your personal data to third parties for any of the other purposes which we have outlined in this notice in the same way as if they had entered into the agreement with you instead of us.
The personal information we have collected may be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected you could be refused certain services, finance or employment.
In order to process your application, we will perform credit and identity checks on you with one or more CRAs. To do this, we will supply your personal information to CRAs and they will give us information about you, even if your application does not proceed or is unsuccessful. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
• Assess your creditworthiness and affordability;
• Verify the accuracy of the data you have provided to us;
• Prevent criminal activity, fraud and money laundering;
• Manage your account (s);
• Comply with applicable legislation
• Trace and recover debts, and
• Ensure any offers provided to you are appropriate to your circumstances.
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application, or tell us that you have a spouse or financial associate we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail at any of these three links: www.creditsafe.com www.equifax.co.uk/crain; www.experian.co.uk/crain Company registration no. 2305279 C F Capital plc is authorised and regulated by the Financial Conduct Authority
6 Transfer of Personal Data
Sometimes we transfer personal data to other countries outside the UK where we shall ensure sufficient protections are in place to safeguard your data.
7 Automated decision making
Sometimes we use your personal data in automated processes to make decisions about you, such as credit scoring. We might also use automated processes to create a profile of you. We do this to help ensure decisions are made accurately, fairly and efficiently.
8 Your right to object
You have a right to object to our processing your personal data on grounds relating to your particular situation.
You also have the right, at any time, to stop us from contacting you or processing your personal data for marketing purposes.
9 Your other rights
Under applicable data privacy laws, you have a right to: (i) request access to and rectification or erasure of your personal data; and (ii) obtain restriction of processing. If you wish to exercise any of these rights you should contact the Data Privacy Officer as described below.
We rely on automated credit assessment based on the personal data you provide to us and data which we obtain from our credit reference agency or similar sources about your credit profile or history. The outcome of this process can result in an automated decline of your application where it does not meet our acceptance criteria. We review this acceptance criteria regularly to ensure fairness in the decisions made. You have a right to ask us to manually review any decision taken in this manner.
In addition we may use automated profiling to identify whether other products or services may be of use to you when we consider marketing campaigns. You have a right
to object to this automated profiling. This is separate to the right you have to object to receive marketing.
10 Your Right of Data Access
Where you chose to exercise your right of Data Access this will be escalated to the Data Protection Officer and will be responded to within 30 days as required by legislation and ICO guidance. The contact information for our DPO can be found at the end of this document.
We will take steps to protect your personal data against loss or theft, as well as from unauthorised access, disclosure, copying, use or modification, regardless of the format in which it is held.
We will normally retain your personal data for a period of 7 years from the latest date on which we have a financial arrangement in place with you. Under certain circumstances this period may vary if we consider it necessary for good operation or commercial reasons, or in order to meet other legal obligations. Please be aware that telephone conversations may be recorded and this data retained for the same length of time.
More information on data retention and disposal can be obtained on request from our DPO We normally retain personal data for a period of 12 months from receipt for an enquiry which does not result in an agreement.
13 Enquiries, Requests or Concerns
All enquiries, requests or concerns regarding this Notice or relating to the processing of personal data should be sent to the Data Privacy Officer using the following contact details: firstname.lastname@example.org
14 Supervisory authority
You also have a right to complain about our use of your personal data to our supervisory authority, the Information Commissioner’s Office.