Chevington Finance & Leasing Ltd
Chevington Service Ltd
I Spy Coffee & Water Ltd
I Spy Coffee & Water (Europe) Ltd
About this Policy:-
This policy explains when and why we collect personal information, how we use it and how we keep it secure, and your rights in relation to it.
We may collect, use and store your personal data, as described in this Data Processing Policy and as described when we collect data from you.
We reserve the right to amend this Data Processing Policy from time to time without prior notice.
We will always comply with the General Data Protection Regulations (GDPR) when dealing with your personal data. Further details on the GDPR can be found at the website for the Information Commissioner (www.ico.gov.uk ). For the purposes of the GDPR, we will be the “controller” of all personal data we hold about you.
Our Data Protection Officer is Deborah Morris. She can be contacted on 0844 800 7371 or at Cocoanut House, Hall Street, Long Melford, Suffolk, CO10 9JQ.
What information we collect and why:-
Your personal information will be collected or obtained by us whether we deal with you as an individual or on behalf of an individual, business, charity, trust or other organisation that you represent. We process many different types of personal information (for example your name, address and date of birth). We may process personal data relating to criminal convictions and offences if we have your consent to do so for fraud prevention purposes.
Why we process your personal information
We process your personal information for a variety of reasons, upon different legal bases, depending on the reason for which we have collected or obtained your personal information. The main types of processing that we carry out and the legal basis for doing so are as follows:
We process your personal information in order to consider and process your application. This is necessary in order to take steps at your request before we enter into an agreement with you and is also necessary for our legitimate interests (i.e. in deciding whether or not we can offer you the product you have applied for). This type of processing is required in order for you to enter into an agreement with us. If you do not provide it then we cannot proceed with your application. In respect of fraud searches and identity verification, this processing is necessary for our legitimate interests (i.e. fraud prevention) and compliance with our legal obligations.
If your application is accepted we will process your personal information in order to administer your account in a number of ways. This will include, for example, collecting loan repayments; providing you with account statements, notices, and other information; managing any arrears on your account; enforcing any security that we have in place; and dealing with any queries or complaints that you may have. This type of processing is necessary for the performance of our contract with you and in order to fulfil our legal obligations.
We will also process your personal information to manage our business operations, for example, our internal governance functions, which will include monitoring communications and activities in relation to your account (see further detail in relation to monitoring communications below), and for accounting and audit purposes. We have legitimate interests in doing so (i.e. it is necessary for our business and compliance purposes) and we may also have legal obligations to fulfil.
If your application is declined we will store your personal information in accordance with our record retention procedures and to comply with our legal obligations.
If we are dealing with a request you have made in order to exercise your legal and regulatory rights (including those referred to in the ‘Your rights under applicable data protection law’) below, this will be done in order to fulfil our legal obligation to respond to you.
We process your personal information for marketing purposes. This is necessary in order to fulfil our legitimate interests of providing you with information about products and services that you may be interested in.
The personal information that we process when you are browsing our website (such as your IP address) is done so on the basis that we have legitimate interests in doing so or that you have given your consent to this by accessing and browsing the website.
Any consent that you give us will be as easy to withdraw as it was to give. Withdrawing your consent does not affect the lawfulness of any processing which occurred prior to the withdrawal of consent. If you do this, and if there is no alternative legal basis upon which we may process your personal information for a particular purpose, then this may affect what we can do for you.
Who your personal information may be shared with
We may share your personal information with the following third parties:
Anyone acting on your behalf with authority to do so, such as a debt charity, power of attorney or your professional advisors.
Credit reference agencies (CRAs) and fraud prevention agencies in order to perform credit and fraud searches and to verify your identity. This type of processing is necessary for our legitimate interests (i.e. fraud prevention) and compliance with our legal obligations.
Legal and regulatory bodies, such as the Financial Conduct Authority, the Prudential Regulation Authority, HMRC, the Information Commissioner’s Office (ICO), the Financial Ombudsman Service (FOS), fraud prevention agencies, our professional advisors and/or the courts when it is necessary for our legitimate interests (e.g. to obtain legal advice or for fraud prevention purposes) and/or when we have a legal obligation to do so.
Organisations that provide us with business support services. For example, account service and administration companies, back-up and server hosting, IT software and maintenance and platforms, document storage and management services, receivers, repossession agents, recoveries agents and property valuers. This processing is undertaken as it is necessary for the performance of our agreement with you and is necessary for our legitimate interests (i.e. for our commercial operations).
Other companies within Chevington Group Ltd for the purposes of enabling our parent entities to exercise oversight of our business. This processing is necessary for our legitimate interests (e.g. to enable our parent entities to manage us effectively) and may also be necessary to enable us to fulfil our legal obligations (e.g. to enable us to comply with our corporate governance requirements). We may also share your personal information with Chevington Group companies so that they can provide you with relevant products and services. This type of processing is necessary to enable us to take steps at your request prior to you entering into a contract with a company within Chevington Group.
Third parties who have introduced you to us (e.g. an intermediary or broker) in order for them to manage their records about you, to ensure that the type of business that they refer to us is appropriate and to help us to resolve any complaint made by you and/or any dispute between you and us. This type of processing is necessary for our legitimate business interests (e.g. to help us to ensure that the intermediary or broker is fulfilling the terms of their contract with us) and in order for us to fulfil our legal obligations (e.g. our complaint-handling obligations).
Market research organisations who we engage to assist us in developing and improving our products and services. This type of processing is necessary for our legitimate interests (e.g. for our commercial operations).
Any person or entity that is to provide, or has provided, any security of guarantee (and their professional advisors) in respect of your agreement with us and their professional advisors. This type of processing is necessary for the fulfilment of our contract with you (e.g. to enable us to recover any sums we have advanced under our agreement with you).
Any entity (and their professional advisors) that provides funding to us or members of Chevington Group Ltd (for example, the Bank of England), any entity that provides us with debt or equity finance and any potential purchasers of any part of our business. This type of processing is necessary for our legitimate interests (e.g. to enable us to fund our business).
As mentioned above, if you voluntarily provide us with special categories of your personal information, this will be regarded as constituting your explicit consent to us processing such information. This includes us sharing that information with third parties as necessary. For example, if you provide information relating to a complaint you have made or any financial difficulties you may be experiencing, then you will be consenting to us sharing that information with our professional advisors, any third party who introduced you to us (e.g. an intermediary or broker), administration companies or the FOS (as is relevant).
How we collect and obtain your personal information
We may collect your personal information directly from you a number of ways, including:
when you apply for a credit product through a postal application or direct with one of our employees;
when you provide it on-line or by any other method of communication, for example, on “contact us” forms, or when you provide it through the course of our relationship, for example, if you inform us of a change in your circumstances; and
technical information, including the Internet Protocol (IP) address used to connect to the internet, may be collected from you when you visit our website.
We may obtain your personal information indirectly from third parties in the following ways:
following an introduction to us by another third party, such as an accountancy firm, law firm or management consultancy;
if another person provides your information to us when they apply to obtain a product from us:
on your behalf; or
that is to be held jointly with you; or
on behalf of a business, charity, trust or other organisation of which you are a director, shareholder, owner, trustee or beneficiary (as applicable);
from fraud prevention agencies, credit reference agencies or Companies House when we carry out searches for the purposes of processing your application and/or during the course of your relationship with us.
If you are applying to us through a third party then they should have provided you with their own privacy notice in order to tell you (whether online or in person) how they may process your personal information. They should have also told you that credit reference and fraud prevention agency checks will be performed before we consider your application more fully and that your personal information is being shared with us for the purposes and uses set out in this privacy notice. If the third party did not tell you this, then you should let us know immediately by contacting our Data Protection Officer using the contact information set-out in the ‘Introduction’ section of this privacy notice.
Credit reference checks
In order to process your application, we will perform credit and identity checks on you with one or more CRAs.
To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
Assess your creditworthiness and whether you can afford to take the product;
Verify the accuracy of the data you have provided to us;
Prevent criminal activity, fraud and money laundering;
Manage your account(s);
Trace and recover debts; and
Ensure any offers provided to you are appropriate to your circumstances.
International transfers of your personal information
Should we transfer your personal information to any other territories or countries outside the EEA we will take such steps as are necessary to ensure appropriate safeguards apply to maintain the same levels of protection as are needed under data protection laws in the UK. If we do so you may contact us to obtain a copy of the applicable safeguards.
Your rights under applicable data protection law
Your personal information is protected under data protection law and you have a number of rights (explained below) which you can seek to exercise. Please contact our Data Protection Officer using the contact information set-out in the ‘About This Policy’ section of this privacy notice if you wish to do so, or if you have any queries in relation to your rights.
If you seek to exercise your rights we will explain to you whether or not the right applies to you; these rights do not apply in all circumstances. Please be aware that if your request is manifestly unfounded or excessive we may refuse to deal with your request or may charge a reasonable fee for dealing with it.
Right to access
You have the right to access the personal information held about you and to obtain certain prescribed information about how we process it. This is more commonly known as submitting a ‘data subject access request’. We may request proof of your identity before sharing such information.
Right to rectify your personal information
If you discover that the information we hold about you is inaccurate or incomplete, you have the right to have this information rectified (i.e. corrected).
Right to be forgotten
You may ask us to delete information we hold about you in certain circumstances, this is often referred to as the ‘right to be forgotten’. This right is not absolute and only applies in particular circumstances. It may not therefore be possible for us to delete the information we hold about you, for example, if we have an ongoing relationship or are required to retain information to comply with our legal obligations or to exercise or defend legal claims.
Right to restriction of processing
In some cases you may have the right to have the processing of your personal information restricted. For example, where you contest the accuracy of your personal information, it may be restricted until the accuracy is verified, or where the processing is unlawful but you object to it being deleted and request that it is restricted instead.
Right to object to processing
You may object to the processing of your personal information (including profiling) when it is based upon our legitimate interests. You may also object to the processing of your personal information for the purposes of direct marketing (including profiling to the extent it relates to direct marketing) and for the purposes of statistical analysis.
Right to data portability
You have the right to receive, move, copy or transfer your personal information to a controller which is also known as ‘data portability’. You have the right to this when we are processing your personal information based on consent or on a contract and the processing is carried out by automated means. You should note that this right is different from the right of access (see above) and the types of information you can obtain under the two separate rights may be different.
How long your personal information will be stored for
We only keep your personal information for as long as it is necessary to fulfil the purposes for which it is processed (as described above).
In accordance with our retention policy, we will retain your personal information for a minimum of six years from the end of our business relationship with you. Our business relationship will be deemed to be at an end on the date upon which your account is closed (which will either be when all outstanding sums under the agreement have been repaid or when we stop pursuing arrears on the account) or when your application has been declined.
Please note that if your personal information is shared with third parties (as detailed above) they may have different retention policies. Fraud prevention agencies can hold your personal data for different periods of time; if you are considered to pose a fraud or money laundering risk, note that your data can be held by them for up to six years..
Keeping your information accurate
We strive to ensure that your personal information is kept up to date and accurate. If any of the personal information you have given to us or third parties changes, such as your contact details, home ownership status, employment status or marital status, please promptly inform us in accordance with the terms and conditions of your agreement with us.
You will be required to provide us with any changes to your personal information under the agreement you enter into with us if your application for a credit or savings product is accepted. If you fail to do so this will put you in breach of your agreement.
How we monitor your communications
Subject to applicable laws, we will monitor and record calls, emails, text messages, social media messages and other communications. We will do this for the purposes of complying with applicable laws and regulations and our own internal policies and procedures, to prevent or detect crime, to protect the security of our communications systems and procedures and for quality control and staff training purposes.
What to do if you have concerns or want to make a complaint
If you have any concerns regarding our use of your information please notify our Data Protection Officer as soon as possible using the contact information set-out in the ‘About This Policy’ section of this privacy notice. If we cannot resolve a complaint to your satisfaction you can contact the ICO at www.ico.org.uk or by telephoning 0303 123 113 if the complaint relates to the way your personal information has been handled.