- The types of personal data that PremFina will collect;
- Why PremFina will collect and use your personal data;
- When and why we may share data within PremFina and with other organisations;
- The rights and choices you have when it comes to your personal data; and
- Why and how PremFina collects and processes your personal data through your use of this website, including any data you may provide through this website when you use any of the services by PremFina and to anyone else who contacts or otherwise submits Information to any of the PremFina companies.
‘PremFina’ consists of PremFina Ltd, registered in England and Wales, under company number 07208343, and PremFina Ireland Ltd (registered in the Republic of Ireland, under company number 654567, and trading as PremFina Ireland and PremFina Technologies), as well as their parent companies, affiliates and any of their subsidiaries.
92 Albert Embankment
PremFina Ireland Ltd
Republic of Ireland
Both companies are the respective data controller in the United-Kingdom and in the Republic of Ireland, as defined under European Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). PremFina Ltd is registered as a data controller with the UK Information Commissioner’s Office (‘ICO’), with registration number Z2931422.
PremFina may collect personal data from data subjects aged 16 years old and over.
2. WHAT TYPE OF PERSONAL DATA DOES PREMFINA COLLECT AND PROCESS?
2.1. INFORMATION YOU PROVIDE TO US
a) Enter into a contract or credit agreement or money lending agreement with PremFina, we may collect the following personal data from you:
(i). Your name;
(ii). Your contact details, including postal address, telephone number and e-mail address;
(iii). Your date of birth;
(iv). A copy of your signature;
(v). Your country of residence;
(vi). Employment and residential status (including time at current address);
(vii). Bank account details (including usage data); and/or
(viii). Any other information necessary for regulatory compliance.
b) Use this website, we may collect the following personal data from you:
(i). Your name;
(ii). Your contact details, including postal address, telephone number and e-mail address;
(iii). Your IP address; and/or
(iv). Any other information necessary for regulatory compliance.
c) Contact us, either through this website or via email, letter or phone, we may collect the following personal data from you:
(i). Your name and contact details, including postal address, telephone number and e-mail address;
(ii). The reason(s)s for your contact; and/or
(iii). Any other information necessary for regulatory compliance.
d) Interact with us on social media, (including but not limited to ‘follow’, ‘like’ and/or ‘post’), we collect information about or included in those interactions.
2.2. INFORMATION WE COLLECT ABOUT YOU
a) We may also collect data about you from credit reference agencies, public sources, insurance intermediaries, third-party service providers, government, tax and/or law enforcement agencies, but only where such third-parties have confirmed that they have your consent or are otherwise legally permitted or required to disclose your personal data to us. Where necessary, we may combine such data with information which we may already hold about you (for example, if you have previously obtained products and/or services from PremFina or have had previous contact with PremFina).
b) When you contact us, we monitor and record calls, emails and any other communications in accordance with applicable law.
c) Each time you visit our website, we may also automatically collect information and personal data about your computer for system administration including, where available, your IP address, operating system and browser type. We do this to help us analyse how users use our website (including how you move around our website, timestamps, behaviour patterns and the tracking of visits across multiple devices), to establish more about our website users and to assist us in managing and improving your online experience. Please see our cookies policy for further information about what information may be automatically collected when you visit our websites.
3. HOW DOES PREMFINA USE YOUR PERSONAL DATA?
3.1. PREMFINA’S USE OF YOUR INFORMATION
We may use information about you to:
- Enter into and perform any contract PremFina has with you;
- Provide you with a quote for our services;
- Provide you with information and services that you request from us;
- Gather information and insights on how users are using our services and site to improve our products and services as well as to develop new products and services;
- Comply, where necessary, with applicable laws or regulatory rules;
- Check your information with UK credit reference and fraud prevention agencies to get information on your credit behaviour with other organisations. Please see further details in section 3.2 below regarding UK credit reference agencies;
- Keep internal records, including but not limited to, details regarding products and/or services provided by PremFina to you;
- Contact you (directly, either by PremFina or through a relevant partner or agent);
- Manage our relationship with you, including notifying you of changes to the services, providing customer support and assisting with customer complaints;
- Share, with your consent, your details with our trusted partners who may use it to provide you with information related to their products and services;
- Perform or undertake analysis and/or research of our products and services;
- Interact with you on social media platforms including posting status updates, responding to comments/messages, posting, ‘retweeting’ and ‘liking’ posts on Facebook, Twitter and LinkedIn;
- Administer our site and for internal operations, including security, troubleshooting, data analysis, testing, research, statistical and survey purposes; and/or
- Send you marketing communications.
We may use your data for other legitimate business purposes including, but not limited to, management analysis, funding requirements, audits, forecasts, business planning and transactions. We may also use your data to establish or exercise our legal rights and to comply with law enforcement or other government agency requests or court orders. We will do so in compliance with applicable laws, regulatory requirements as well as our data protection policies.
Please note that this list may be updated from time to time as PremFina’s business needs and legal requirements dictate.
3.2. CREDIT REFERENCE AGENCIES (UK)
When you enter into a credit agreement with PremFina Ltd, we will supply your personal data to credit reference agencies, in compliance with applicable laws or regulatory rules, and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.
We will continue to exchange information about you with credit reference agencies on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. Credit reference agencies will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates.
The identities of the credit reference agencies, and the ways in which they use and share personal data, are explained in more details by each of the three credit reference agencies that PremFina Ltd uses in the United Kingdom at www.callcredit.co.uk/crain, www.equifax.co.uk/crain and www.experian.co.uk/crain.
4. AUTOMATED DECISION MAKING AND PROFILING
Automated Decision Making refers to a decision which is taken based on automated processing of your personal data (for example, using software code or algorithm, without human intervention).
Profiling refers to the use of automated processes to analyse your personal data in order to evaluate your behaviour or to predict, in the context of premium financing, your risk profile.
Before entering into a credit agreement or money lending agreement with PremFina, we may use credit scoring techniques and automated decision-making systems to assess your application. These credit scoring techniques and automated decision-making systems consider previous applications for finance, defaults or existing debt and are necessary for PremFina to ensure you can afford a credit with us.
You have certain rights in respect of automated decision-making, where that decision has significant effects on you, including where it produces a legal effect on you (refer to section 11 about your rights).
5. SPECIAL CATEGORIES OF DATA
Data protection laws define certain personal data as falling into ‘special categories of personal data’ such as personal data regarding your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying a person, data concerning your health (including mental and physical health), data concerning your sex life or sexual orientation.
You may voluntarily give such personal data to us in connection with your loan repayments. In the unlikely event you do so, PremFina will only keep a record of this special category of personal data as long as it is in your interest to manage the credit agreement or money lending agreement you entered into with PremFina.
6. BASIS FOR USING YOUR PERSONAL DATA
6.1. NECESSARY FOR THE ENTRY INTO OR PERFORMANCE OF A CONTRACT
When you enter into a transaction with PremFina or any other entity in the PremFina Group, we will need to collect, process and share (as further detailed in section 7 below) your personal data. Failure to provide the requisite personal data when entering into such an agreement, objecting to this type of processing and/or exercising your deletion rights may unfortunately mean that products and/or services cannot be provided to you.
6.2. LEGITIMATE INTEREST
In certain circumstances we may use your personal data to pursue legitimate interests of our own or that of third-parties, but this is provided your interests and fundamental rights do not override those interests. This is on the basis of:
a) Our legitimate interest and the legitimate interests of third-parties to make decisions about whether or not to offer you credit; and
b) Our legitimate interest to:
(i). Provide you with information and services as requested by you;
(ii). Carry out research to understand our customers and how they use our products and services;
(iii). Develop and improve our services to you and to our other customers;
(iv). Communicate with you and manage our relationship with you;
(v). Administer our site;
(vi). Carry out management analysis, audit, forecasts, business planning and transactions; (vii). Ensure our compliance with applicable laws, regulatory requirements and our policies; and
(viii). Deal with legal claims and related administrative activities.
We consider that it is reasonable for us to process your personal data for the purposes of our legitimate interests or the legitimate interests of a third party, as outlined above, as:
- The processing of your personal data does not unreasonably intrude on your privacy and ultimately benefits you in optimising our provision of services to you.
We may, on occasion, send you marketing messages by email and post about us and our events and offers where you have provided clear consent.
You have the right to withdraw your consent to processing of this nature at any time.
6.4. COMPLIANCE WITH A LEGAL OBLIGATION
To meet our regulatory and legal obligations, we need to process some of your personal data.
7. WHO DO WE SHARE YOUR INFORMATION WITH?
a) Other companies in our Group to enable us to provide our services.
b) Third-party service providers relevant to our business activity, such as:
(i). Credit Reference Agencies (refer to section 3.2 above);
(ii). Customer identity verification and due diligence;
(iii). Fraud Prevention Agencies based in the UK and Ireland;
(iv). Financial institutions, payment system operators, payment service providers and other financial services companies;
(v). Electronic signature and secure document solution service providers for sending notification emails and SMS;
(vi). IT developers and IT service providers, including but not limited to cloud computing services and online chat functionalities;
(vii). Customer Relationship Management technology to manage interactions with our customers;
(viii). Supplier of technology systems and software for the insurance industry;
(ix). Debt Recovery Agency in the UK and in Ireland to enable us to enforce our legal rights;
(x). As well as any other service providers we may appoint from time to time in accordance with our basis for using your personal data explained in section 6 above.
c) With your permission, we may also share your personal data with our trusted partners who may use it to provide you with information related to their products and services.
d) External legal counsel and other professional advisers including accountants and auditors.
e) Government authorities, law enforcement and regulatory authorities where required or permitted by law and/or for tax or other purposes. Personal data may also be disclosed to external parties in response to legal process, and when required to comply with laws.
f) To any prospective or actual funders/investors to enable them to assess the value of our assets.
8. WILL YOUR PERSONAL DATA BE TRANSFERRED ABROAD?
Following the European Union (‘EU’) Commission adequacy decisions for the UK with respect to the GDPR and the Law Enforcement Directive, personal data can flow freely between the EU to the UK where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.
Alternatively, we may rely on appropriate safeguards in respect of transfers of personal data to a country outside of the EEA, for example, by agreeing standard contractual clauses adopted by the European Commission. A copy of the standard contractual clauses are available on the EU Commission’s website.
9. RETENTION OF YOUR PERSONAL DATA
We will typically keep your personal data for 6 years from the termination of your credit with PremFina in order to enable us to deal with any issues or concerns you may have about how we handled your account, and also to allow us to bring or defend legal proceedings. In some circumstances, some of your data will be deleted in much shorter timescales, such as call recordings which shall be kept for a maximum of 12 months from the date of recording.
10. WHAT SAFEGUARDS ARE IN PLACE TO PROTECT YOUR PERSONAL DATA?
The security of your personal data is very important to PremFina. We strive to implement and maintain appropriate technical and organisational security measures, procedures and practices appropriate to the nature of the information we store, in order to protect it from unauthorised access, destruction, use, modification, or disclosure, such as:
- Ensuring the physical security of our offices;
- Ensuring the physical and digital security of our equipment and devices by using appropriate password protection and encryption;
- Ensuring the security of our databases by using suppliers who use industry-standard encryption and physical security measures;
- Conducting ID verification and fraud detection;
- Conducting security, penetration and bug testing;
- Maintaining a data protection policy for, and delivering data protection training to, our employees; and
- Limiting access to your personal data to those who need to use it in the course of their work.
As for all website operations, we cannot guarantee the security of any transmission of personal data over the Internet. Any communications over the Internet such as e-mails are not secure unless it has been encrypted. While we strive to protect such information, we can however not ensure the security of any information transmitted to us. Please do not submit personal data through the website without considering the security risks and implications of using the Internet.
11. WHAT ARE YOUR RIGHTS?
In this section, we have summarised the rights you have under the data protection laws in relation to how we process your personal data, which are set out below. You may contact us to request additional details or to exercise these rights by sending an email to firstname.lastname@example.org or email@example.com. In some instances, we may be unable to carry out your requests, in which case we will write to you to explain why.
You have a right:
b) To access personal data we hold about you (through us providing a copy), to request confirmation that your personal data is being processed and other information about how we process your personal data. You may submit a request to obtain a copy of the personal data we hold about you, which should be provided to you by us free of charge. However, we may charge a reasonable fee when the request is manifestly unfounded or excessive, particularly if it is repetitive.
c) To rectification of personal data we hold about you in case it is inaccurate or incomplete. We will ensure that inaccurate or incomplete data are rectified as soon as possible once notified.
d) To erasure, also known as the ‘right to be forgotten’, of any personal data we hold about you where there is no compelling reason for its continued processing. We have however a legal obligation to hold your personal data during the duration of any Agreements we entered into with you and we may retain a copy of your personal data in accordance with applicable law upon termination of such Agreements and/or in case it is required for the establishment, exercise or defence of legal claims.
e) To restrict the processing of your personal data in case:
(i). You contest the accuracy of the personal data we hold;
(ii). You would rather we block the processing of your personal data instead of erasing your data;
(iii). We no longer need the personal data for the purpose we collected it for, but we require your personal data for the establishment, exercise or defence of legal claims; or
(iv). In certain circumstances, you have objected to processing of your personal data for automated decision making.
f) To portability to obtain and reuse the personal data that you have provided to us and that we process by automated means. This allows you to move personal data easily to another organisation, or to request us to do this for you.
g) To object to processing your personal data on the basis of our legitimate business interests, unless we are able to demonstrate that, on balance, our legitimate interests override your rights or we need to continue processing your personal data for the establishment, exercise or defence of legal claims.
h) To withdraw your consent, to the extent that the legal basis for our processing of your personal data is consent. Withdrawal will not affect the lawfulness of processing before the withdrawal. Your withdrawal does also not mean the erasure of your personal data from our databases as it may still be required for the purpose of any agreements, we have entered into with you and/or for the establishment, exercise or defence of legal claims.
i) Related to automated decision making, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you unless the automated decision is necessary for entering into, or performance of, an agreement with us, or it is authorised by the UK, Union or Member State law which lays down suitable measures to safeguard your rights, freedoms and legitimate interests, or unless such automated decision is based on your explicit consent.
You may exercise any of your rights in relation to your personal data or obtain further information about this Policy by contacting us at firstname.lastname@example.org or email@example.com and/or write to us at:
92 Albert Embankment
PremFina Ireland Ltd
Republic of Ireland
If you have any reason to complain about a problem related to our use of your personal data, please contact us using the above details and we will do our best to resolve such problem as soon as possible. If you consider that our processing of your personal data infringes data protection laws or if you consider the solution to a complaint you raised is not satisfactory, you also have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement. The UK’s supervisory authority is the Information Commissioner’s Office (https://ico.org.uk) and the Irish supervisory authority is the Data Protection Commission (https://www.dataprotection.ie).
12. OTHER WEBSITES
Our website may, from time to time, contains links to and from the websites of third-parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies or your use of those websites.