The protection of your personal data is important to us. Any references to data in this notice refer to your personal data i.e. any information that may directly or indirectly identify you. The following paragraphs provide information about what we do with your data, in particular how we use your data and with whom we share your data. We are obliged to provide this information under the EU General Data Protection Regulation (GDPR).
Please read the following information carefully.
We process data both within and outside the European Economic Area (EEA). We process all data in line with applicable data protection requirements.
Note on transfer of third-party data by the customer: If you provide us with personal data relating to your spouse, civil partner, relatives or other third parties (such as guarantors), you are responsible for complying with the relevant data protection requirements. It may be necessary to obtain the consent of the persons in question to the transfer of their data.
Who are we?
Vauxhall Finance plc ('Vauxhall Finance', also referred to in this Notice as 'we' or 'us') is the data controller of your data. Vauxhall Finance's registered address is Vauxhall Finance plc, Heol-y-Gamlas, Parc Nantgarw, Treforest, Cardiff, CF15 7QU. We are part of the Opel Bank S.A. group of companies.
Our data protection officer
Please address any communication for the attention of our data protection officer to: Data Protection Officer, Vauxhall Finance plc, Heol-y-Gamlas, Parc Nantgarw, Treforest, Cardiff, CF15 7QU.
You can also contact the data protection officer by phone on 0344 871 2222, or by email at firstname.lastname@example.org
Where do we obtain your data from?
We obtain the data directly from you when you apply for our products and services. You may choose to not supply us with your data, but this may result in us not being able to enter into an agreement with you.
Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details. * This list is not exhaustive
We will also obtain data from you throughout the life of your agreement – this may be from letters or emails you send to us, from information we obtain through your use of our online account management system, or from telephone calls we have with you (and we may keep recordings of any such telephone calls).
We also obtain your data from the following sources, if it is necessary in the context of our business relations with you, and in line with the relevant data protection laws*:
- companies that introduce you to us (i.e. the vehicle manufacturer, motor dealers);
- publicly available information sources;
- regulatory bodies;
- agents or service providers working on our behalf;
- market researchers;
- fraud prevention agencies; and
- credit reference agencies.
*This list is not exhaustive.
Why do we process your data?
We process your data in order to be able to provide our services to you and in order to meet our contractual duties, as follows:
- to enter into and manage our agreement with you and to provide services to you under the agreement;
- to verify your identity;
- To undertake checks for the purpose of preventing fraud and money laundering
- to verify your creditworthiness, in the interests of risk management, to manage operational market and credit risks and for accounting purposes;
- for customer services purposes;
- to notify the dealer of any relevant information in connection with the management of your agreement;
- to make credit and other funding decisions; and
- for debt recovery purposes.
We also process your data where it is necessary to do so for our legitimate interests. A legitimate interest is where we have a business or commercial reason to process your data, without it being unfair to your rights or best interests, such as: developing and improving our products and services; performing our contractual, reporting and legal duties efficiently; and structuring our business appropriately. We process your data for the following legitimate business purposes:
- in order to sell or assign our rights under the agreement to other credit or financial services institutions for refinancing purposes or to debt purchasers;
- in connection with any disposal of our business or assets, or any other restructuring;
- in connection with broader funding, capital markets or securitisation arrangements;
- for account management purposes;
- for internal data exchange and internal reporting purposes;
- for tax administration purposes;
- to comply with our financial accounting requirements;
- for internal and external audit purposes;
- for statistical analysis and market research;
- to manage operational, market and credit risks; and
- for marketing purposes, where permitted by applicable law (including where you have given your consent for us to do so).
We may also process your data to comply with legal, regulatory and other governance obligations, including:
- to comply with applicable laws and other regulatory and compliance obligations, in particular to meet our duties to combat money laundering and terrorist financing;
- to identify and avoid fraud and other criminal acts; and
- to meet conditions imposed by, and to cooperate with, regulatory authorities such as the Financial Conduct Authority, or other competent authorities, such as the Information Commissioner's Office.
Our other group companies may also process your data for the following purposes: internal or external audits; accounting; managing operational, market and credit risks at a group level; and to identify or avoid fraud or other criminal acts.
With whom do we share your data?
We will share your data with our employees who require such access in order to meet our contractual and statutory duties. Service providers instructed by us may also receive data in this context. These are companies that fall within the categories of credit-related services, account management services, IT services, logistics, printing services, telecommunications, debt collection, advisory and consulting services, as well as sales and marketing. We may also share your personal data with regulatory authorities, courts and tribunals, government agencies and law enforcement agencies (such as the police), where required to do so.
Other parties we may share your data with include the following:
- Opel Bank S.A. and each of its worldwide subsidiaries;
- the manufacturer of your vehicle;
- organisations that introduce you to us (such as motor dealers);
- fraud prevention agencies (please see below for more information);
- credit reference agencies (please see below for more information);
- companies that we have a joint venture or agreement to work with;
- companies that you ask us to share your data with;
- companies that we introduce you to; and
- market researchers.
Fraud Prevention Agencies (FPAs)
We may need to confirm your identity before we are able to provide you with our product and services. We may share your personal data with Fraud Prevention Agencies (FPAs) to help us detect fraud and money laundering.
We share your data with FPAs on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested. FPAs can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
We and/or the FPA may also enable law enforcement agencies to access your personal data to detect, investigate, and prevent crime.
Credit Reference Agencies
To enable us to provide our product and services to you, we may need to carry out credit and identity checks. We use Credit Reference Agencies (CRAs) to help us with this. We will share your data with the CRAs and they will provide us with information about you.
This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public information (including from the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
- assess your creditworthiness and whether you can afford to take the product;
- verify the accuracy of the data you have provided to us;
- prevent criminal activity, fraud and money laundering;
- manage your account(s);
- trace and recover debts; and
- ensure any offers provided to you are appropriate to your circumstances.
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail in the Credit Reference Agency Information Notice (CRAIN). CRAIN is accessible from each of the three CRAs – visiting any of these web addresses will take you to the CRAIN document: www.equifax.co.uk/crain , www.experian.co.uk/crain , www.callcredit.co.uk/crain .
Sending data outside of the European Economic Area (EEA)
We will also share your data with recipients outside the EEA, such as the USA and India. If we do then we will make sure that it is protected in the same way as if it was being processed in the EEA.
Some countries or territories outside the EEA do not have an adequate level of data protection corresponding to the UK level of data protection. In order to protect your data and to achieve an adequate level of protection for your personal data when we transfer it to one of these countries or territories, we will ensure that one or more of the following safeguards are put in place:
- Your data may be transferred to a non-EEA country with privacy laws that give the same protection as the EEA.
- We may put in place a contract with the recipient that means they must protect your data to the same standards as within the EEA. This contract may be in the form of the standard EU contractual clauses which have been approved by the European Commission.
- Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to 'international framework' intended to enable secure data sharing.
You can learn more about this at the European Commission website here: https://ec.europa.eu/info/law/law-topic/data-protection_en
You can also contact our Data Protection Officer if you would like further information, using the details above.
Are automatic decisions passed in individual cases?
We may make automated decisions (i.e. a decision made solely by automated means without any human involvement) when deciding whether to approve your application for one of our financial products or services, if sufficient information is available from internal and external sources. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your pervious submission, or you appear to have deliberately hidden your true identity.
- If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you request, or to employ you, or may stop providing existing services to you
- A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.
More information on how we may automatically evaluate your creditworthiness is provided in the next section of this notice.
Is my data used for profiling (scoring)?
Some of your data is processed automatically in order to evaluate certain personal aspects (profiling). We may use profiling in the following circumstances:
- Under statutory and regulatory requirements we are obliged to combat money laundering, terrorist financing and other criminal offences. A number of actions are taken in this context, including data evaluation (for example when payment transactions are processed). At the same time, these measures serve to protect you.
- We use evaluation tools in order to be able to provide you with targeted information and advice on products. These tools enable tailored communication and advertising, including market research and opinion polling. Your information might also be used to collate customer profiles to improve our product and service offerings.
- We use scoring when evaluating your creditworthiness. This involves calculating the probability with which a customer will meet his or her contractual payment obligations. Such calculation may take account of the individual's income situation, spending habits, existing liabilities, profession, employer, duration of employment, experience from the business relationship in the past, contractual repayment of previous loans and information obtained from credit reference agencies. The scores calculated help us to make decisions when entering into contracts and contribute to ongoing risk management.
How long do we keep your personal data?
We will keep your personal data for as long as you remain a customer. Once your agreement with us comes to an end we may keep your data for up to 10 years for the following reasons:
- to meet our regulatory/ legal responsibilities;
- to enable us to respond to any questions or complaints that you may have; and
- to enable us to demonstrate that we treat our customers fairly.
We may need to retain your data for longer if we are unable to delete the data for legal, regulatory or technical reasons. If this is the case we will ensure that your privacy is protected.
Account information given to CRAs will be kept on file even after the account is closed (whether settled by you or upon default), to enable us to comply with obligations under applicable law.
You may have the following rights in relation to your data:
- Right of access – you have a right to request access to your personal data and to certain information about the processing of that personal data. This information must usually be provided to you free of charge within a month of receiving your request.
- Right of rectification (correction) – you have the right to ask for your personal data to be corrected if it is inaccurate, and completed if it is incomplete.
- Right to be forgotten – in certain circumstances you can ask us to erase your personal data. It's unlikely to be possible to accept your request if, for example, we have a contractual or other legal duty to retain your information.
- Right to restriction of processing – in certain circumstances you have a right to restrict the processing of your personal data. This may include when you dispute its accuracy (until the accuracy is proved); if you have objected to the processing (when it was necessary for our legitimate interests) and we are considering whether our legitimate interests override your own; or if we no longer need the data but you need us to keep it in order to establish, exercise or defend a legal claim.
- Right of portability – in certain circumstances, you have the right to move, copy or transfer your data to another data controller or to yourself. This right is only relevant if the data is being processed on the basis of consent or for the performance of a contract, and the processing is carried out by automatic means. This right is different from the right of access, and the types of information you can get under the two separate rights may be different.
- Rights in relation to automated decision making – you may have the right to challenge and request a review of a decision that was made by automated means.
- Right to object – in certain circumstances, you have the right to object to the processing of your data when we are doing so on the basis of our legitimate interests. We must stop processing the data unless we can show that our legitimate interests override your own, or if the processing is necessary for legal reasons.
You have an absolute right to object to the processing of your data for direct marketing purposes (including profiling relevant to direct marketing). If you object to us processing your data for direct marketing purposes, you will need to notify us, and we must accept your request and stop the processing as soon as we receive your objection.
In order to assert any of the above rights, please feel free to contact us directly using the contact details specified above (see section "Who are we?" above).
In addition, you have the right to lodge a complaint in relation to our processing of your data with the supervisory authority, the Information Commissioner (ico.org.uk).