The protection of your personal data is important to us. Any references to data in this notice refer to your personal data i.e. any information that may directly or indirectly identify you. The following paragraphs provide information about what we do with your data, in particular how we use your data and with whom we share your data. We are obliged to provide this information under the EU General Data Protection Regulation (GDPR).
Please read the following information carefully.
We process data both within and outside the European Economic Area (EEA). We process all data in line with applicable data protection requirements.
Note on transfer of third-party data by the customer: If you provide us with personal data relating to your spouse, civil partner, relatives or other third parties (such as guarantors), you are responsible for complying with the relevant data protection requirements. It may be necessary to obtain the consent of the persons in question to the transfer of their data.
Please address any communication for the attention of our Data Protection Officer to: Data Protection Officer, Vauxhall Finance plc, Heol-y-Gamlas, Parc Nantgarw, Treforest, Cardiff, CF15 7QU.
You can also contact the Data Protection Officer by phone on 01443 846274, or by email at firstname.lastname@example.org.
We obtain the data directly from you when you apply for our products and services. You may choose to not supply us with your data, but this may result in us not being able to enter into an agreement with you.
Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details. * This list is not exhaustive
We will also obtain data from you throughout the life of your agreement – this may be from letters or emails you send to us, from information we obtain through your use of our online account management system, or from telephone calls we have with you (and we may keep recordings of any such telephone calls).
We also obtain your data from the following sources, if it is necessary in the context of our business relations with you, and in line with the relevant data protection laws*:
*This list is not exhaustive.
We process your data in order to be able to provide our services to you and in order to meet our contractual duties, as follows:
We also process your data where it is necessary to do so for our legitimate interests. A legitimate interest is where we have a business or commercial reason to process your data, without it being unfair to your rights or best interests, such as: developing and improving our products and services; performing our contractual, reporting and legal duties efficiently; and structuring our business appropriately. We process your data for the following legitimate business purposes:
We may also process your data to comply with legal, regulatory and other governance obligations, including:
Our other group companies may also process your data for the following purposes: internal or external audits; accounting; managing operational, market and credit risks at a group level; and to identify or avoid fraud or other criminal acts.
We will share your data with our employees who require such access in order to meet our contractual and statutory duties. Service providers instructed by us may also receive data in this context. These are companies that fall within the categories of credit-related services, account management services, IT services, logistics, printing services, telecommunications, debt collection, advisory and consulting services, as well as sales and marketing. We may also share your personal data with regulatory authorities, courts and tribunals, government agencies and law enforcement agencies (such as the police), where required to do so.
Other parties we may share your data with include the following:
We may need to confirm your identity before we are able to provide you with our product and services. We may share your personal data with Fraud Prevention Agencies (FPAs) to help us detect fraud and money laundering.
We share your data with FPAs on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested. FPAs can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
We and/or the FPA may also enable law enforcement agencies to access your personal data to detect, investigate, and prevent crime.
To enable us to provide our product and services to you, we may need to carry out credit and identity checks. We use Credit Reference Agencies (CRAs) to help us with this. We will share your data with the CRAs and they will provide us with information about you.
This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public information (including from the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail in the Credit Reference Agency Information Notice (CRAIN). CRAIN is accessible from each of the three CRAs – visiting any of these web addresses will take you to the CRAIN document: www.equifax.co.uk/crain , www.experian.co.uk/crain , www.callcredit.co.uk/crain .
We will also share your data with recipients outside the EEA, such as the USA and India. If we do then we will make sure that it is protected in the same way as if it was being processed in the EEA.
Some countries or territories outside the EEA do not have an adequate level of data protection corresponding to the UK level of data protection. In order to protect your data and to achieve an adequate level of protection for your personal data when we transfer it to one of these countries or territories, we will ensure that one or more of the following safeguards are put in place:
You can learn more about this at the European Commission website here: https://ec.europa.eu/info/law/law-topic/data-protection_en
You can also contact our Data Protection Officer if you would like further information, using the details above.
We may make automated decisions (i.e. a decision made solely by automated means without any human involvement) when deciding whether to approve your application for one of our financial products or services, if sufficient information is available from internal and external sources. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your pervious submission, or you appear to have deliberately hidden your true identity.
More information on how we may automatically evaluate your creditworthiness is provided in the next section of this notice.
Some of your data is processed automatically in order to evaluate certain personal aspects (profiling). We may use profiling in the following circumstances:
We will keep your personal data for as long as you remain a customer. Once your agreement with us comes to an end we may keep your data for up to 10 years for the following reasons:
We may need to retain your data for longer if we are unable to delete the data for legal, regulatory or technical reasons. If this is the case we will ensure that your privacy is protected.
Account information given to CRAs will be kept on file even after the account is closed (whether settled by you or upon default), to enable us to comply with obligations under applicable law.
You may have the following rights in relation to your data:
You have an absolute right to object to the processing of your data for direct marketing purposes (including profiling relevant to direct marketing). If you object to us processing your data for direct marketing purposes, you will need to notify us, and we must accept your request and stop the processing as soon as we receive your objection.
In order to assert any of the above rights, please feel free to contact us directly using the contact details specified above (see section “Who are we?” above).
In addition, you have the right to lodge a complaint in relation to our processing of your data with the supervisory authority, the Information Commissioner (ico.org.uk).