We wish to reaffirm our commitment to keeping safe and secure any of your personal data that comes under our control over the course of our dealings with you.
We promise to store your data safely, confirm that we will not sell your information on to any affiliates or third parties, and assure you that we are committed to protecting the data you have entrusted to us.
In providing you access to financial products and services, we may be required to process your personal data. This Privacy Notice sets out the ways in which Response Business Finance (“RBF”) is committed to protecting and respecting your personal data, including what we do with your information and who it will be shared with. It will provide you with information about your privacy rights and how the relevant legislation protects your interests.
This Privacy Notice may be subject to change over time and we will keep it up-to-date on our website, for you to access at any time.
Regulation and Definition
For the purpose of the General Data Protection Regulation (the ‘GDPR’) and the Data Protection Act 2018 (‘the Act’), our role, as set out in our GDPR Policy, falls under the definition of Data Controller.
Our address for any queries, complaints or related correspondence is 9a Dean's Rd, Old Wolverton, Wolverton, Milton Keynes MK12 5NA.
If you have any direct questions, or want more details about how we use your personal data, you can ask us via our website at https://www.responsebusinessfinance.co.uk/privacy-policy or call us on 01908 597 937 (+44 (0)1908 597 937 from outside the UK).
What information will we collect about you?
When you engage with us (either directly or via a third party), we may receive personal information about you which may include your name, address, date of birth, bank details, details about your employment, and other categories of information outlined in the table below. This can be collected directly from you or via an intermediary such as an Accountant, Introducer, Independent Financial Advisor (“IFA”) or Solicitor.
The data may be submitted in writing, input on our website, passed to us over the telephone, contained within an e-mail, or by some other means.
Categories of data we may collect
We will not collect or process ‘Sensitive Personal Data’ without having both a legal basis to do so and your explicit consent.
You must not send us personal data about someone else without first getting his or her consent for it to be used and disclosed in the ways set out in this Privacy Notice. If we do receive data within this classification (see our GDPR Policy regarding Sensitive Personal Data), we will assume that the Data Subject has consented. As a precautionary measure, we reserve the right to ask for confirmation of consent from the Data Subject directly.
How the Legislation protects you
As well as our Privacy Notice, your data privacy is protected by law. This section explains how that works.
Data Protection law places an obligation on us to use personal information only if we have a valid reason to do so.
The law says we must have one or more of these valid reasons:
(1) To fulfil a contract we have with you;
(2) Further to an overriding legal obligation;
(3) As part of our legitimate interest*;
(4) Further to the consent of the Data Subject.
* A legitimate interest is when we have a commercial objective for using your information, provided that it does not interfere with your fundamental rights and freedoms. If we rely on our legitimate interests, we will tell you specifically what that interest is.
Here is a list of all the ways that we may use your personal information. This is also where we tell you what our legitimate interests are:
Who we share your personal data with
We will never sell or lease your personal information to any third party.
RBF may transfer, disclose or distribute your personal information in the following circumstances:
- where we have your permission;
- where we are required to do so by law;
- where there are legitimate interests for processing, i.e. where it is passed on to a Lender or alternative finance brokerage;
- where the transfer or disclosure would otherwise be in compliance with legal requirements we are subject to, including, but not limited to, statute or regulation.
Where we store your personal data
We will take the necessary steps to ensure that your data is treated securely and in accordance with this Privacy Notice.
We will only send your data outside of the European Economic Area (‘EEA’):
- in accordance with your express instructions;
- in compliance with a legal obligation or order.
The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the processing of your payment details and the provision of support services. We may transfer your personal data to recipients located in countries outside of the EEA which may not have data privacy laws equivalent to those in the EEA. In those instances, we will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice and applicable data privacy laws.
How long do we keep your personal data?
We will keep your personal data for as long as you are a client of RBF and, potentially, for up to 7 years* after that for one of these reasons:
(1) To respond to any questions or complaints;
(2) To document that we acted in accordance with any legal obligation for fair and unbiased treatment;
(3) To maintain records according to rules that apply to us (e.g. the Money Laundering Regulations 2007).
*We may keep your personal data for longer than 7 years if we cannot delete it for legal, regulatory or technical reasons. If we do, we will make sure that your privacy is protected and only use it for those purposes. We may also keep it for research or statistical purposes unless you object.
We or our lenders may use a system to decide whether to lend money to you or your business, when you apply for credit – this is called credit scoring. It uses past data to assess how you’re likely to act while paying back any money you borrow. This includes data about similar accounts you may have had before.
Credit scoring uses data from three sources:
- Your Proposal Form;
- Credit Reference Agencies;
- Data we may have held previously.
Banks and other lenders use this to help make responsible lending decisions that are fair and informed. Credit scoring methods are tested regularly to make sure they are fair and unbiased.
Your rights over automated decisions
You can ask that we or our lenders do not make our decision based on the automated score alone. You can also object to an automated decision and ask that a person reviews it. If you want to know more about these rights, please contact us.
How to get a copy of your personal data
As Data Subjects, clients have the right to ask us for confirmation as to whether or not personal data concerning them is being processed and for what purpose.
A copy of the information being held for processing will be provided to our clients free of charge, in an electronic format.
To make a request, use the contact details above.
Letting us know if your personal data is incorrect
You have the right to question any information we have about you that you think is wrong or incomplete. Please contact us if you want to do this. If you do, we will take reasonable steps to check its accuracy and correct it.
What if you want us to stop using your personal data?
You have the right to object to our use of your personal data, or to ask us to delete, remove, or stop using your personal data if there is no need for us to keep it. This is known as the ‘right to object’ and the ‘right to erasure’, or the ‘right to be forgotten’.
There may be legal or other official reasons why we need to keep or use your data but please tell us if you think that we should not be using it.
We may sometimes be able to restrict the use of your data. This means that it can only be used for certain things, such as legal claims or to exercise legal rights. In this situation, we would not use or share your information in other ways while it is restricted. You can ask us to restrict the use of your personal data if:
- it is not accurate;
- it has been used unlawfully but you don’t want us to delete it;
- it is not relevant any more, but you want us to keep it for use in legal claims; or
- you have already asked us to stop using your data but you are waiting for us to tell you if we are allowed to keep on using it.
If you want to object to how we use your data, or ask us to delete it or restrict how we use it, please contact us.
How to complain
Please let us know if you are unhappy with how we have used your personal data. You also have the right to complain to the Information Commissioner’s Office. Find out on their website how to report a concern – https://ico.org.uk/concerns/
The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018.
It replaces the Data Protection Directive 95/46/EC and was designed to reshape the way organisations approach data privacy. Its aim is to harmonise data privacy laws across Europe.
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
The special categories of personal data are personal data revealing:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership.
They also include the processing of:
- genetic data;
- biometric data for the purpose of uniquely identifying a natural person;
- data concerning health;
- data concerning a natural person’s sex life or sexual orientation.
Sensitive Personal Data
"Sensitive Personal Data" is personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence).
Data relating to Criminal Offences
Data relating to criminal offences and convictions may only be processed under the control of an official authority, or where national law authorises the processing and provides suitable safeguards. A comprehensive register of criminal convictions may only be kept under the control of an official authority.
Data relating to criminal offences are therefore treated separately from Sensitive Personal Data.
Some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) by any means or by any person. This is anonymisation.
The GDPR does not apply to data that are rendered anonymous in such a way that individuals cannot be identified from the data.
Some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified. This is pseudonymisation.
A good example of pseudonymous data is coded data sets used in clinical trials.
Pseudonymous data are still treated as personal data because they enable the identification of individuals (albeit via a key). However, provided that the "key" that enables re‑identification of individuals is kept separate and secure, the risks associated with pseudonymous data are likely to be lower, and so the levels of protection required for those data are likely to be lower.
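To make the distinction concrete, the following is an added illustration in Python; it is not part of RBF's notice and not RBF's own code. It assumes a few constructed client records (hypothetical people), uses an HMAC-SHA256 keyed token as the pseudonym with a separately held secret as the "key", and contrasts that with an unkeyed hash (which anyone holding a candidate list can reverse) and with true anonymisation by aggregation, where small counts are suppressed because a district containing a single client would still identify that client.

```python
import hashlib
import hmac
import secrets

# Constructed sample records about hypothetical clients (not real data).
RECORDS = [
    {"name": "Alice Example", "postcode": "MK12 5NA", "loan_amount": 25000},
    {"name": "Bob Sample", "postcode": "MK12 5NB", "loan_amount": 12000},
    {"name": "Carol Test", "postcode": "MK9 1AA", "loan_amount": 40000},
]


def new_key():
    """The re-identification 'key'. In practice it lives in a separate,
    access-controlled store (HSM or secrets manager), never beside the data."""
    return secrets.token_bytes(32)


def pseudonym(key, identifier):
    """Deterministic keyed token. The same person gets the same token in every
    data set keyed with this secret, so records can still be linked; that
    linkability is why pseudonymised data remains personal data."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifier (name) with a token; keep the other fields."""
    return [
        {
            "subject": pseudonym(key, r["name"]),
            "postcode": r["postcode"],
            "loan_amount": r["loan_amount"],
        }
        for r in records
    ]


def reidentify(token, key, candidates):
    """Only a holder of the key can reverse a token: recompute tokens over a list
    of candidate identifiers and look for a match. Without the key this fails."""
    for name in candidates:
        if hmac.compare_digest(pseudonym(key, name), token):
            return name
    return None


def unkeyed_hash(identifier):
    """What NOT to do: a plain hash has no secret, so anyone with a candidate
    list reverses it. It is neither anonymisation nor sound pseudonymisation."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


def anonymise(records, min_count=2):
    """Irreversible: drop identifiers and keep only (count, total) per postcode
    district (the outward code). Districts with fewer than min_count clients
    are suppressed, since a single-client aggregate still points at one person."""
    totals = {}
    for r in records:
        district = r["postcode"].split()[0]
        count, amount = totals.get(district, (0, 0))
        totals[district] = (count + 1, amount + r["loan_amount"])
    return {d: v for d, v in totals.items() if v[0] >= min_count}


if __name__ == "__main__":
    key = new_key()
    names = [r["name"] for r in RECORDS]
    tokens = pseudonymise(RECORDS, key)
    print(tokens)
    print(reidentify(tokens[0]["subject"], key, names))       # holder of the key: Alice Example
    print(reidentify(tokens[0]["subject"], new_key(), names)) # wrong key: None
    print(anonymise(RECORDS))                                  # {'MK12': (2, 37000)}
```

The operational point is the separation: the pseudonymised table can be handed to staff or suppliers who need postcodes and amounts, while the key stays with the function that is allowed to re-identify, and the audit trail for that function is what a regulator will ask to see.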
"Processing" means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.
"Processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
In general, the validly obtained consent of the data subject will permit almost any type of processing.
"The consent of the data subject" means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
"Data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Notice of a Breach
Under the GDPR, as a Data Controller we are legally obliged to notify the Information Commissioner’s Office of a Data Breach where said breach is likely to “result in a risk to the rights and freedoms of individuals”, and to inform the affected individuals without undue delay where that risk is likely to be high.
If, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Notification to the Information Commissioner’s Office must be made within 72 hours of first having become aware of the breach.
Data concerning Health (both Physical & Mental Health)
The idea that health data should be treated as Sensitive Personal Data is well-established.
"Data concerning health" means personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status. It expressly covers both physical and mental health.
The Client's Right to Access Data
Clients' right of access is set out under "How to get a copy of your personal data" above.
The Client's Right to be Forgotten
Clients will have the right to be "forgotten".
This means, in layman's terms, that Data Subjects have the authority to request that we erase their personal data.
The GDPR goes further and also places an obligation on us to cease further dissemination of the data, and potentially have third parties halt processing of the same.
The data will be erased on condition that (a) it is no longer relevant to the original purposes for processing; or (b) the Data Subject withdraws consent for us to use the data.
We are further required to compare the Data Subjects' rights to "the public interest in the availability of the data" when considering such requests.
The GDPR introduces data portability.
This means that our clients have the right to receive the personal data concerning them which they have previously provided to us, in a 'structured, commonly used and machine-readable format', and the right to transmit that data to another controller.
Privacy by Design
Privacy by design, as a concept, is now a legal requirement under the GDPR. Regular Privacy Impact Assessments (PIAs, known under the GDPR as Data Protection Impact Assessments) are part of our approach to ensuring data protection.
We, as Data Controllers, are obliged to "implement appropriate technical and organisational measures in an effective way ... in order to meet the requirements of this Regulation and protect the rights of data subjects."
Article 25 (data protection by design and by default) calls for us, as Data Controllers, to hold and process only the data strictly necessary for the completion of our duties (data minimisation), and to limit access to personal data to those who need it in order to carry out the processing.
Data Protection Officers
Appointment of a DPO is mandatory only for public authorities and for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or data relating to criminal convictions and offences.
As such, RBF will not be required to appoint a DPO.
Personal Data Breaches
Personal data breaches are an issue that is front and centre in the news currently, following accusations against Cambridge Analytica and Facebook, and are likely to be one of the major catalysts for many investigations by the Information Commissioner.
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission;
- loss of availability of personal data.
The government’s Cyber Aware programme provides cybersecurity advice for small businesses and individuals. We highly recommend you familiarise yourself with these resources.
Data Preparation and Integrity
We are now required to provide personal data, when requested under the right to data portability, in a structured, commonly used and machine-readable form.
The GDPR explicitly refers to pseudonymisation and encryption of data as potentially appropriate mechanisms for ensuring the security of personal data. Among the other measures it mentions are:
(1) ensuring the ongoing confidentiality, integrity, availability and resilience of our processing systems and services;
(2) having the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident;
(3) having a process for regularly testing, assessing and evaluating the effectiveness of our technical and organisational measures for ensuring the security of our processing.
Subject Access Requests (Changes)
(1) Clients will no longer have to pay a fee to have their request processed;
(2) We must comply without undue delay and at the latest within one month, rather than the previous 40 days;
(3) We now have a right to refuse or charge for requests that are manifestly unfounded or excessive. However, if we refuse a request, we are obliged to tell the individual why. They then have the right to complain to the supervisory authority and to seek a judicial remedy.