1. ABOUT THIS POLICY
Your privacy is important to us and we want you to feel comfortable with how we use, share and process your personal information.
This policy sets out how we handle your personal information, including when and why it is collected, used, processed and disclosed and how it is secured.
Our contact details are at the end of this policy which you can use if you have any questions, including how to update or access your personal information or to make a complaint.
This policy may change, so please check this page from time to time to ensure that you’re happy with any changes.
This policy was last updated on 23 May 2023.
2. WHO WE ARE
Where this policy refers to “we”, “our” or “us” below, unless it mentions otherwise, it’s referring to Leasys UK Ltd.
Leasys UK Ltd is a subsidary of Leasys S.p.A,. You can find our contact details here.
We are usually the controller of your personal information. A ‘controller’ is a company that decides why and how your personal information is processed.
For some activities, we are joint data controllers – this means we share control of your personal information with others as follows:
3. HOW AND WHAT PERSONAL INFORMATION WE COLLECT
We may collect and process the following personal information about you:
4. HOW WE USE YOUR PERSONAL INFORMATION
4.1. Where required to perform a CONTRACT with you
We may use and process your personal information where it is necessary for the performance of a contract with you or in order to take steps, at your request, before entering into a contract with you, including for the following purposes:
4.2. Where there is a LEGITIMATE INTEREST
We may use and process your personal information where it is necessary for us to pursue our legitimate interests as a business for the following purposes:
It may be necessary from time to time share your personal data with our regulators including, the Financial Conduct Authority and the Information Commissioner’s Office.
4.3. Where you have provided CONSENT
We may use and process your personal information where you have consented for us to do so for the following purposes:
4.4. Where required to comply with our LEGAL OBLIGATIONS
We will use your personal information to comply with our legal obligations including:
(i) to assist HMRC, the Police, the Driver and Vehicle Licensing Agency (DVLA), any other public authority or criminal investigation body
(ii) to identify you when you contact us, and
(iii) to verify the accuracy of data that we hold about you.
4.5. Where it is in your VITAL INTEREST
We may use your personal information to contact you if there are any urgent safety or product recall notices to communicate to you or where we otherwise reasonably believe that the processing of your personal information will prevent or reduce any potential harm to you. It is in your vital interests for us to use your personal information in this way.
5. OTHERS WHO MAY RECEIVE OR HAVE ACCESS TO YOUR PERSONAL INFORMATION
5.1. Leasys Group
We may share your information with other companies within the Leasys Group. This rarely happens and would usually be for reporting or statistical purposes or as part of our investigation of a complaint.
5.2. Our suppliers and service providers
We may disclose your information to our third party service providers, agents, subcontractors and other organisations for the purposes of providing services to us or directly to you on our behalf. Such third parties may include IT services providers, Credit Reference Agencies (see section 5.6) and administrative services or other third parties who provide services to us. A list of our main suppliers is available here.
When we use third party service providers, we only disclose to them any personal information that is necessary for them to provide their services and we have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions.
5.3. Authorised retailers and brokers in our network
We work with a number of retailers and brokers around the UK. They may use your personal information in connection with the financial products and services you take out with us.
5.4. Third parties who provide products and services
We work closely with various third parties to bring you a range of products and services which are complimentary to ours. Examples of these include: our GAP insurance provider, breakdown assistance, etc.
When you enquire about or purchase one or more of these products or services through us or our retailers or brokers or directly with us, the relevant third party may use your details to provide you with information and carry out their obligations arising from any contracts you have entered into with them.
5.5. Other ways we may share your personal information
We may transfer your personal information to a third party as part of a sale (or a preparation for sale) of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation.
We may also transfer your personal information if we’re under a duty to disclose or share it in order to comply with any legal obligation (e.g. by sharing your personal information with the DVLA or our regulators), to detect or report a crime, to enforce or apply the terms of our contracts or to protect the rights, property or safety of our visitors and customers.
However, we will always take steps with the aim of ensuring that your privacy rights continue to be protected.
5.6. Credit Reference Agencies (CRAs)
We will share your personal information with credit reference agencies in the following circumstances:
Before we submit your personal data to the CRAs, we require your consent and your retailer / broker will discuss this with you.
Unfortunately, if you do not consent, we are unable to underwrite your application so your application for our product(s) will proceed no further. During the underwriting process, we will share your personal data with Experian and Equifax. If you electronically sign your finance agreement, we will share your personal data with TransUnion.
These credit reference agencies will also share data about you with other companies and organisations. Full information on how CRAs process your data is available here. This is known as the Credit Reference Agencies Information Notice (“CRAIN”) and a printed copy is available from your retailer / broker.
5.7. Fraud Prevention Agencies
Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.
The personal data you have provided, we have collected from you, or we have received from third parties will be will be used to prevent fraud and money laundering, and to verify your identity.
Details of the personal information that will be processed, for example: name, address, date of birth, address, contact details, financial information, employment details, device identifiers including IP address and vehicle details.
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk or if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us using the details above. Further information regarding automated decisions is provided under section 8.6 of this policy.
Consequences of Processing
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.
Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data; request that your personal data is erased or corrected; request access to your personal data.
For more information or to exercise your data protection rights please, please contact us using the contact details above.
You also have a right to complain to the Information Commissioner's Office which regulates the processing of personal data.
For information regarding the fraud prevention agencies used by Leasys UK Ltd, you may email or write to us here or by visiting www.nhunter.co.uk
6. WHERE WE STORE YOUR PERSONAL INFORMATION OUTSIDE THE EEA
All information you provide to us may be transferred to countries outside the UK and the European Economic Area (EEA). We are working with some third party service providers who are located in a country outside of the UK and the EEA (for example some of our IT providers have service centres in Australia, Canada and India). These countries may not have similar data protection laws to the UK.
In such cases, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy. These steps include imposing contractual obligations on these providers, including the appropriate model contractual clauses that aim to ensure adequate protection. Please contact us using the details at the end of this policy if you would like more information about the protections that we put in place.
If you use our services whilst you are outside the EEA, your information may be transferred outside the EEA in order to provide you with those services.
7. HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION
If we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws. We have documented this in our Data Retention Policy.
We do not retain personal information in an identifiable format for longer than is necessary.
We may need your personal information to establish, bring or defend legal claims, in which case we will usually retain your personal information for 6 years after the last occasion on which we have used your personal information in one of the ways specified in How we use your personal information Section 4.
The only exceptions to this are where:
8. YOUR RIGHTS
8.1. Your ‘data subject’ rights
You have a number of rights in relation to your personal information under data protection laws. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within 30 days after we have received this information or, where no such information is required, after we have received your request.
We will aim to deliver the data you request, however it may not always be possible. If your request is excessive or unfounded or would require a disproportionate effort to meet, we may charge a reasonable fee. Unfortunately in some cases we may not be able to provide with all of the data you request. If that happens, we will explain why.
8.2. Accessing your personal information
You have the right to ask for a copy of the information that we hold about you by emailing or writing to us here. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.
8.3. Correcting and updating your personal information
The accuracy of your information is important to us. If you change any of your personal details or if you want to correct any inaccuracy in your personal data, please contact us and we will be happy to assist.
8.4. Withdrawing your consent
Where we rely on your consent as the legal basis for processing your personal information, as set out under How we use your personal information in Section 4, you may withdraw your consent at any time by contacting us using the details here.
If you would like to withdraw your consent to receiving any direct marketing, please refer to Marketing in Section 10.
8.5. Objecting to our use of your personal information
Where we rely on our legitimate business interests as the legal basis for processing your personal information for any purpose(s), as out under How we use your personal information in Section 4, you may object to us using your personal information for these purposes by emailing or writing to us at the address at the end of this policy.
Except for the purposes for which we are sure we can continue to process your personal information, we will usually temporarily stop processing your personal information in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data.
8.6. Automated decisions made about you
When we underwrite our customers, as part of our investigations and assessments into the suitability of our finance products for them, we may automatically accept or decline your application based on a set of predefined criteria.
You may contest a decision made about you based on automated processing and request a natural person to make this decision, by contacting your dealership. If your finance application is automatically declined, you will be provided with details on how to object.
We also use automated data processing to assist in compliance with our legal obligations in connection with prevention of money laundering, fraud and terrorist financing, for example, to screen for suspicious transactions.
8.7. Erasing your personal information or restricting its processing
In certain circumstances, you may ask for your personal information to be removed from our systems by contacting us using the details here. Unless there is a reason that the law allows us to use your personal information for longer, we will make reasonable efforts to comply with your request.
You may also ask us to restrict processing your personal information in the following situations:
In these situations, we may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so; for example, for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.
8.8. Transferring your personal information in a structured data file (data portability)
Where we rely on your consent as the legal basis for processing your personal information or need to process it in connection with your contract, as set out under Section 4 How we use your personal information, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly-used and machine-readable form, such as a CSV file.
You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.
8.9. Complaining to the UK data protection regulator
You have the right to complain to the Information Commissioner’s Office (ICO) if you are concerned about the way we have processed your personal information. Please visit the ICO’s website for further details.
9.1. Security measures we put in place to protect your personal information
We use technical and organisational security measures to protect the personal information supplied by you and managed by us against manipulation, loss, destruction, and access by third parties. Our security measures are continually improved in line with technological developments.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information whilst in transit to our website and any transmission is at your own risk.
Where we have given (or where you have chosen) a password which enables you to access an account, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
9.2. Use of 'cookies'
'Cookies' are small pieces of information sent to your device and stored on its hard drive to allow our websites to recognise you when you visit.
Information on the cookies that we use and their features can be found here.
9.3. Links to other websites
In addition, if you are linked to our website from a third party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party website and recommend that you check the policy of that third party website.
9.4. Social plugins
If you are a member of a social network and do not wish it to combine data retrieved from your visit to our websites with your membership data, you must log out from the social network concerned before activating the buttons.
We have no influence on the scope of data that is collected by the social networks through their buttons. The data use policies of the social networks provide information on the purpose and extent of the data that they collect, how this data is processed and used, the rights available to you and the settings that you can use to protect your privacy.
We or our marketing agents may contact you with targeted advertising delivered online through social media and platforms (operated by other companies) by using your personal information, or use your personal information to tailor marketing to improve its relevance to you, unless you object.
For marketing purposes, Leasys UK Ltd is the data controller and we rely on our legitimate interests to market similar products and services to you.
When you sign your finance agreement, you are giving us your permission for the duration of your Agreement to communicate with you about products and services we each may think are of interest to you. You may opt-out of receiving marketing communications before you sign the agreement or at any time afterwards.
We may contact you by telephone, email, SMS and post. We may also analyse our customer databases to enable us to do targeted marketing (known as ‘profiling’).
SMS, telephone and email are known as ‘electronic marketing’ and we are required to ask your permission to communicate with you in these ways. Before you sign your agreement, you will be given an opportunity to opt-out. If you did not opt-out at the time you signed your agreement with us, we regard your permission to electronic marketing to be valid for the entire duration of the agreement. Of course, you may opt-out at any time.
When you signed your agreement with us (unless you opted-out), you gave us permission to market to you by telephone, email, SMS and post. If you would like to change these communication preferences please let us know.
From time to time we carry out marketing activities which are targeted towards a selected group of customers. In order to select those customers, we may use what is known as ‘profiling’, for example selecting our customers by age, gender or location.
10.3. Opt out from marketing communications
As well as being given the opportunity to opt-out when you signed your agreement, you may opt-out of marketing communications at any time in the following easy ways:
We may collect your preferences to send you marketing information directly from us by email / post / telephone / SMS, if you request a quote for one of our products or services on our websites (Leasys UK Ltd and our brands’ websites).
10.5. Use of suppliers and agents to communicate with you for marketing purposes
We have appointed many of our retailers, brokers as our processors to carry out marketing activities on our behalf. These may include analysing marketing data on our behalf in order to determine the best offer to make to you. They may contact you on our behalf if we ask them to but only if you have not opted out of marketing communications.
11. CHANGES TO THIS POLICY
We may review this policy from time to time and any changes will be published on our website. We may also contact you by email. Any changes will take effect 7 days after the date of our email or the on the date on which we post the modified terms on our website, whichever is the earlier. We recommend that you regularly check for changes and review this policy when you visit our website.
If you have any queries about any aspect of our policies, please do not hesitate to contact us.
12. CONTACT OUR DATA PROTECTION OFFICER
If you want to contact us about anything in this policy or for any further query, please contact our Data Protection Officer (DPO) at: