Your personal data and the protection of your privacy are a priority for Leasys Luxembourg. This consideration is embedded in corporate governance, the management of associated risks, and in the provision of services delivered to our clients.

This policy sets out how we handle your personal information, including when and why it is collected, used, processed, and disclosed and how it is secured.

This policy may change, so please check this page from time to time to ensure that you’re happy with any changes.

This policy was last updated on 30 November 2023.



Where this policy refers to “we”, “our” or “us” below, unless it mentions otherwise, it’s referring to Leasys Luxembourg S.A.

We are usually the controller of your personal information. A ‘controller’ is a company that decides why and how your personal information is processed.

For certain activities, we are joint data controllers, which means that we share control of your personal information with other suppliers or other companies with whom we collaborate for the proper performance of the service.

For example, when you provide your personal information to your bank (Lease Plus product), your bank is the data controller. They may also process your data on their own IT / paper systems. In this case, we will not be responsible for the information you provide, but we will be jointly responsible for processing the personal information we subsequently receive for the purposes of activating and setting up the leasing contract.



We may collect and process the following personal information about you:

  • Personal information you give to us:

    This is information about you that you give to us by entering information on our websites, social media pages, corresponding with us by phone, email or otherwise and is provided entirely voluntarily.

    It also includes information provided to your bank as part of signing a Lease Plus contract.

    We record all our telephone calls for the purpose of fulfilling your contract.
    The information you give to us includes your name, first names, contact details (such as phone number, email address and address), baking details (e.g., in the event of a change of direct debit) and, more generally, the details of your request.

  • Personal information we collect about you:

    we may automatically collect the following personal information: our web servers store as standard details of your browser and operating system, the website from which you visit our website, the pages that you visit on our website, the date of your visit, and, for security reasons, e.g. to identify attacks on our website, the Internet protocol (IP) address assigned to you by your internet service. We collect some of this information using cookies – please see Cookies in Section 9 for further information. We may also collect any personal information which you allow to be shared that is part of your public profile on a third-party social network.

  • Personal information we may receive from other sources:

    we obtain certain personal information about you from sources outside our business, which may include our suppliers or third-party companies for the purposes of creating, fulfilling, and servicing the contract. The data collected is the same as that mentioned above, in addition to data relating to the identity of beneficial owners for legal entities as part of “Customer due diligence” procedures.



4.1. Where required to perform a CONTRACT with you?

We may use and process your personal information where it is necessary for the performance of a contract with you or in order to take steps, at your request, before entering into a contract with you, including for the following purposes:

  • When you enquire about our services
  • When you are a customer of one of our services
  • When we make reasonable enquiries to assess your credit application and to confirm your identity

We may from time to time share your personal data with certain of our suppliers for the proper performance of the services (see Section 5.2 on Our Suppliers and Service Providers).

4.2. Where there is a LEGITIMATE INTEREST

We may use and process your personal information where it is necessary for us to pursue our legitimate interests as a business for the following purposes:

  • For analysis, and profiling to inform our marketing strategy, and to enhance and personalise your customer experience
  • For market research in order to continually improve the products and services that we and our authorised retailers and brokers deliver to you
  • To administer our websites and for internal operations, testing, statistical purposes and pricing
  • For marketing activities (other than where we rely on your consent) e.g. to tailor marketing communications or send targeted marketing messages via social Media and other third party platforms
  • For the prevention of fraud, crime and money laundering
  • To undertake credit checks for finance
  • To correspond and communicate with you
  • To create a better understanding of you as a customer or visitor
  • For network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access
  • To comply with a request from you in connection with the exercise of your rights, for example, where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request
  • For the purposes of a corporate restructure or reorganisation or sale of our business or assets
  • For efficiency, accuracy or other improvements of our databases and systems e.g. by combining systems or consolidating records we or our group companies hold about you
  • To enforce or protect our contractual or other legal rights or to bring or defend legal proceedings
  • For general administration including managing your queries, complaints, or claims.

It may be necessary, from time to time, to share your personal data with our regulators, including the CNPD (National Commission for Data Protection) in Luxembourg or any other authority if required by applicable laws and regulations.

4.3. Where you have provided CONSENT

We may use and process your personal information where you have consented for us to do so for the following purposes:

  • To enable us to carry out a credit reference search (see section 5.6)
  • For direct marketing purposes where you have chosen not to opt-out of receiving marketing communications (see section 10)

4.4. Where required to comply with our LEGAL OBLIGATIONS

We will use your personal information to comply with our legal obligations including:

  1. to assist the SNCA, the police or any other public authority or criminal investigation body
  2. to identify you when you contact us, and
  3. to verify the accuracy of data that we hold about you.

4.5. Where it is in your VITAL INTEREST

We may use your personal information to contact you if there are any urgent safety or product recall notices to communicate to you or where we otherwise reasonably believe that the processing of your personal information will prevent or reduce any potential harm to you. It is in your vital interests for us to use your personal information in this way.



5.1. Leasys Group

We may share your information with other companies within the Leasys Group. This rarely happens and would usually be for reporting or statistical purposes or as part of our investigation of a complaint.

5.2. Our suppliers and service providers

We may disclose your information to our third-party service providers, agents, subcontractors and other organisations for the purposes of providing services to us or directly to you on our behalf. Such third parties may include IT services providers, Credit Reference Agencies (see section 5.6) and administrative services or other third parties who provide services to us.

When we use third party service providers, we only disclose to them any personal information that is necessary for them to provide their services and we have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions.

5.3. Third parties who provide products and services.

We work closely with various third parties to bring you a range of products and services which are complimentary to ours. These include, for example, our insurance provider, breakdown assistance and the supply of charging facilities for electric vehicles.

When you enquire about or purchase one or more of these products or services through us or our retailers or brokers or directly with us, the relevant third party may use your details to provide you with information and carry out their obligations arising from any contracts you have entered into with them.

These third-party product providers may share your information with us which we will use in accordance with this policy. In some cases, they will be acting as a controller of your information and therefore we advise you to read their privacy policy.

5.4. Other ways we may share your personal information

We may transfer your personal information to a third party as part of a sale (or a preparation for sale) of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation.
We may also transfer your personal information if we’re under a duty to disclose or share it in order to comply with any legal obligation (e.g. by sharing your personal information with the SNCA or any other Luxembourg regulatory authority), to detect or report a crime, to enforce or apply the terms of our contracts or to protect the rights, property or safety of our visitors and customers.

However, we will always take steps with the aim of ensuring that your privacy rights continue to be protected.

5.5. Fraud Prevention Agencies

Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

Details of the personal information that will be processed, for example: name, address, date of birth, address, contact details, financial information, employment details, device identifiers including IP address and vehicle details.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.

  • Automated Decisions


As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk or if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more, please contact us using the details above. Further information regarding automated decisions is provided under section 8.6 of this policy.

  • Consequences of Processing


If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you.

  • Your rights related to your personal data:


Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data; to request that your personal data be erased or corrected; to request access to your personal data.

You also have the right to lodge a complaint with the CNDP (National Commission for Data Protection), which regulates the processing of personal data in Luxembourg.



All information you provide to us may be transferred to countries outside the Luxembourg and the European Economic Area (EEA). We work with third party service providers located in countries other than the UK and the EEA (for example, some of our IT service providers may be located outside Europe).

In such cases, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy. These steps include imposing contractual obligations on these providers, including the appropriate model contractual clauses that aim to ensure adequate protection.

If you use our services whilst you are outside the EEA, your information may be transferred outside the EEA in order to provide you with those services.



If we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws.

We do not retain personal information in an identifiable format for longer than is necessary.

We may need your personal information to establish, bring or defend legal claims, in which case we will usually retain your personal information for 6 years after the last occasion on which we have used your personal information in one of the ways specified in How we use your personal information Section 4.

The only exceptions to this are where:

  • The law requires us to hold your personal information for a longer period, or to delete it sooner.
  • You exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted in this policy, or because we are required under the law (see further, Erasing your personal information or restricting its processing in Section 8.7); and in limited cases, the law permits us to keep your personal information indefinitely provided we put certain protections in place.


8.1. Your ‘data subject’ rights

Data protection laws give you a number of rights in relation to your personal information. In relation to certain rights, we may ask you for information to confirm your identity and, where appropriate, to assist us in retrieving your personal information. Except in rare circumstances, we will respond to you within 30 days of receiving this information or, if no information is required, of receiving your request.

We will endeavour to provide you with the data requested, but this may not always be possible. If your request is excessive or unfounded, or requires a disproportionate effort to comply with, we may charge a reasonable fee. Unfortunately, in some cases we may not be able to provide all the data you request. In this case, you will receive a detailed explanation.

8.2. Accessing your personal information

You have the right to request a copy of the information we hold about you by emailing us or writing to us here. We may not provide you with a copy of your personal information if it relates to other people or if we have another legal reason not to disclose the information.

8.3. Correcting and updating your personal information

The accuracy of your information is important to us. If you change any of your personal details or if you want to correct any inaccuracy in your personal data, please contact us and we will be happy to assist.

8.4. Withdrawing your consent

Where we rely on your consent as the legal basis for processing your personal information, as set out under section 4, How we use your personal information, you may withdraw your consent at any time by contacting us using the contact details provided here.

If you would like to withdraw your consent to receiving any direct marketing, please refer to Marketing in Section 10.

8.5. Objecting to our use of your personal information

Where we rely on our legitimate business interests as the legal basis for processing your personal information for any purpose(s), as out under, how we use your personal information in Section 4, you may object to us using your personal information for these purposes by emailing or writing to us at the address at the end of this policy.

Except for the purposes for which we are sure we can continue to process your personal information; we will usually temporarily stop processing your personal information in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise, we will provide you with our justification as to why we need to continue using your data.

8.6. Automated decisions made about you

When we assess our customers, as part of our surveys and evaluations to determine whether our financial products are suitable for them, we may automatically accept or refuse your application on the basis of a set of predefined criteria.

In this case, you may contest such a decision taken about you on the basis of automated processing and request that a natural person take this decision, which is currently the case at Leasys Luxembourg. If your request for financing is automatically refused, you will receive information on how to object.

We also use automated data processing to assist in compliance with our legal obligations in connection with prevention of money laundering, fraud and terrorist financing, for example, to screen for suspicious transactions.

8.7. Erasing your personal information or restricting its processing

In certain circumstances, you may ask for your personal information to be removed from our systems by contacting us through the contact request form. Unless there is a reason that the law allows us to use your personal information for longer, we will make reasonable efforts to comply with your request.

You may also ask us to restrict processing your personal information in the following situations:

  • Where you believe it is unlawful for us to do so
  • When you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings.

In these situations, we may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so; for example, for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.

8.8. Transferring your personal information in a structured data file (data portability)

Where we rely on your consent as the legal basis for processing your personal information or need to process it in connection with your contract, as set out under Section 4 How we use your personal information, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used, and machine-readable form, such as a CSV file.

You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information...

8.9. Complaint to the Luxembourg data protection regulatory authority

You have the right to lodge a complaint with the National Commission for Data Protection (CNPD) if you are concerned about the way in which we have handled your personal information. For further information, please consult the CNPD website.



9.1. Security measures we put in place to protect your personal information

We use technical and organisational security measures to protect the personal information supplied by you and managed by us against manipulation, loss, destruction, and access by third parties. Our security measures are continually improved in line with technological developments.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information whilst in transit to our website and any transmission is at your own risk.

Where we have given (or where you have chosen) a password which enables you to access an account, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

9.2. Use of 'cookies'

Cookies" are small pieces of information sent to your device and stored on its hard drive to enable our websites to recognise you when you visit.

Here you will find information about the cookies we use and their characteristics.

9.3. Links to other websites

Our website may contain links to other websites run by other organisations which we do not control. This policy does not apply to those other websites and application‚ so we encourage you to read their privacy notices. We are not responsible for the privacy policies and practices of other websites and applications (even if you access them using links that we provide) and we provide links to those websites solely for your information and convenience. We specifically disclaim responsibility for their content, privacy practices and terms of use, and we make no endorsements, representations or promises about their accuracy, content, or thoroughness. Your disclosure of personal information to third party websites is at your own risk.

In addition, if you are linked to our website from a third-party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party website and recommend that you check the policy of that third party website.

9.4. Social plugins

From time-to-time, we or our marketing agents such as retailers, may use social plugins (buttons) of social networks such as Facebook, LinkedIn, Google and Twitter. Please see Cookies in Section 9.2 for further details regarding our use of cookies.

If you are a member of a social network and do not wish it to combine data retrieved from your visit to our websites with your membership data, you must log out from the social network concerned before activating the buttons.

We have no influence on the scope of data that is collected by the social networks through their buttons. The data use policies of the social networks provide information on the purpose and extent of the data that they collect, how this data is processed and used, the rights available to you and the settings that you can use to protect your privacy.

We or our marketing agents may contact you with targeted advertising delivered online through social media and platforms (operated by other companies) by using your personal information or use your personal information to tailor marketing to improve its relevance to you unless you object.


10. Marketing

For marketing purposes, Leasys Luxembourg S.A. is the data controller and we rely on our legitimate interests to market similar products and services to you.

When you sign your leasing agreement, you are giving us your permission for the duration of your Agreement to communicate with you about products and services we each may think are of interest to you. You may opt out of receiving marketing communications before you sign the agreement or at any time afterwards.

We may contact you by telephone, email, SMS and post. We may also analyse our customer databases to enable us to do targeted marketing (known as ‘profiling’).

SMS, telephone and email are known as ‘electronic marketing’ and we are required to ask your permission to communicate with you in these ways. Before you sign your agreement, you will be given an opportunity to opt-out. If you did not opt-out at the time you signed your agreement with us, we regard your permission to electronic marketing to be valid for the entire duration of the agreement. Of course, you may opt-out at any time.

10.1. Channels

When you signed your agreement with us (unless you opted-out), you gave us permission to market to you by telephone, email, SMS and post. If you would like to change these communication preferences please let us know.

10.2. Profiling

From time to time we carry out marketing activities which are targeted towards a selected group of customers. In order to select those customers, we may use what is known as ‘profiling’, for example selecting our customers by age, gender or location.

10.3. Opt out from marketing communications

You will have the option of unsubscribing when you sign your contract, but you can also unsubscribe from marketing communications at any time.

10.4. Websites

We may collect your preferences to send you marketing information directly from us by email / post / telephone / SMS, if you request a quote for one of our products or services on our websites (Leasys Luxembourg).

10.5. Use of suppliers and agents to communicate with you for marketing purposes

We have appointed many of our retailers, brokers as our processors to carry out marketing activities on our behalf. These may include analysing marketing data on our behalf in order to determine the best offer to make to you. They may contact you on our behalf if we ask them to but only if you have not opted out of marketing communications.



We may review this policy from time to time and any changes will be published on our website. We may also contact you by email. Any changes will take effect 7 days after the date of our email or the on the date on which we post the modified terms on our website, whichever is the earlier. We recommend that you regularly check for changes and review this policy when you visit our website.

If you have any queries about any aspect of our policies, please do not hesitate to contact us.



If you want to contact us about anything in this policy or for any further query, please contact our Data Protection Officer (DPO) at:

Telephone: +352 40 44 11 1, one of our Sales Support team will answer and will redirect the call to the DPO.
Post: Leasys Luxembourg S.A., Z.A. am Bann, 7 rue Nicolas Brosius, L-3372 Leudelange, indicating “for the attention of the Data Protection Officer”