Data protection statement

General Data Protection Regulation

This page explains how VAT Loans handles personal data, consent, data sharing, security, individual rights and complaints under GDPR.

  1. Transparency: Customers must be told what is done with their personal data, why it is used and what rights they have.
  2. Control: Customers have more control over access, correction, deletion, objection and how long data is kept.
  3. Consent: VAT Loans records when consent is given and expires consent seven years after it has been given.
  4. Security: The company uses cloud storage, controlled CRM access, staff training and password protection.

Introduction

The General Data Protection Regulation (GDPR) applied to all EU states from 25 May 2018. GDPR gives people more control over how their personal data is used and gives businesses a clearer legal environment in which to operate.
VAT Loans states that it has always complied with data protection laws and regulations surrounding personal data. The company changed processes and policies to support GDPR compliance from 25 May 2018.

Data Controllers and Data Processors at VAT Loans

A Data Controller states how and why personal data is processed. VAT Loans has three Data Controllers and will provide names where there is a valid request. Different Data Controllers apply for different office locations and VAT Loans companies.
A Data Processor is the person at VAT Loans who processes data. Team members in sales, operations, finance and marketing roles can process data at VAT Loans.
Data Controllers must ensure processors abide by the law, keep records of processing activities and process data lawfully, transparently and for a set purpose. Once the purpose has been fulfilled and the data is no longer required, it needs to be deleted from VAT Loans systems.

Lawful basis and consent

VAT Loans states that processing is lawful where a person has consented for the company to hold and process their personal data, or where collecting the data is in the company’s legitimate interest, such as preventing fraud.

VAT Loans asks people to submit their email address and click a link connected to the company CRM system. This records the date and time consent was given.

VAT Loans works with companies, charities and government bodies, mainly in the UK but also elsewhere in the EU. A person may be a finance prospect, an end user customer where VAT Loans has arranged a finance facility, or a reseller or manufacturer of equipment.

Consent allows VAT Loans to market no more than once per month and to communicate about business opportunities the company may be working on.

VAT Loans requires consent for Know Your Customer requirements, to reduce fraud and malpractice, and to maintain a commercial relationship with stakeholders so it can supply appropriate services and products.

You can withdraw consent for VAT Loans to hold your data at any time, without giving a reason. Once VAT Loans has received notice, details will be removed from systems and marketing lists within seven working days.

VAT Loans expires consent seven years after it has been given. The company states this period is connected to lease contracts that can run for five years, with one year before a contract may be completed and one year after the agreement ends.

What data is held and why?

VAT Loans states that personal data could relate to economic, cultural and mental health information, and that it does not hold this data.
Profiling means automated processing of personal data to evaluate aspects relating to a person, including interests, behaviour, health and location. VAT Loans states that it may collect the following information:
  • Personal interests, used by account managers to help build relationships.
  • Health information, only to ask how someone is later or to avoid causing offence or harm.
  • Location information, such as where a person lives, where there may be a need to meet or discuss local business events.
  • Age information, which may be needed when underwriting a finance agreement or carrying out KYC checks.
  • Gender information, used for the purpose of writing to someone.
  • Spouse and children names or years of birth in some instances, used to build a closer working relationship.
  • Contact data, including mobile phone number and email address.

Sharing data

VAT Loans states that it will not sell personal data to any third parties without written consent.
Personal data may be used for credit approvals and certain data may be stored for fraud prevention, contacting end user customers in the event of default, and resolving problems relating to the supply of equipment where the person is a supplier to a customer.

Third parties data may be shared with

  • Finance companies that offer leasing and finance facilities, where VAT Loans is looking at a specific business opportunity or has been requested to provide information due to a dispute, default or general problem.
  • Companies in the VAT Loans group, defined by common directorship or shareholding.

Data obtained from third parties

VAT Loans may obtain data from a third party, often where a supplier passes information about a prospect they are working with. VAT Loans states that it will load and keep this information to help obtain a credit acceptance, as long as the information is appropriate to its needs. On request, VAT Loans says it will disclose what information it holds and the third party it received it from.

Soft opt-in

VAT Loans describes soft opt-in as a way to communicate with an individual who has not opted in from 25 May 2018, where that individual is a prospect, customer or supplier with whom VAT Loans has spoken about leasing.
The company states that, under its interpretation of the soft opt-in rules, it may communicate by email where the subject matter relates to leasing and asset finance, and only where VAT Loans can clearly demonstrate it has communicated with the person before about a relevant subject matter.

What VAT Loans has done to comply

  • The board of directors has been briefed on GDPR and has appointed internal Data Controllers.
  • Existing staff and new recruits go through a one-day data protection training course as a minimum.
  • A yearly refresher course is provided.
  • Company mobile phones are password protected.
  • Company laptops are password protected and staff are aware of the need to keep them safe.
  • CRM, Word, Excel and Outlook data are stored in the cloud via a Microsoft storage facility.
  • Bulk downloading from the CRM system is restricted to Data Controllers.
  • Excel spreadsheets are deleted when no longer needed.
  • The office is paperless and documentation that can hold personal data is stored in the CRM system.
  • The CRM system is protected, hosted offsite, backed up daily and accessed with individual logins.

Your rights as an individual

The General Data Protection Regulation includes the following rights for individuals:
  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling

  • 7 working days: Removal from systems and marketing lists after consent is withdrawn.
  • 7 years: Consent expiry period stated by VAT Loans.
  • 2 working days: Response time for GDPR and data questions.

Security breach and complaints

In the event of a security breach

VAT Loans states that it takes data security very seriously and uses best endeavours to ensure its systems and procedures provide a high level of data security. If a data breach occurs, VAT Loans will analyse the situation, report it to the necessary authorities and communicate with any individuals who may have been affected.
VAT Loans states that it aims to report information to the Information Commissioner’s Office within 48 business hours and communicate with any affected individual within 72 hours.

Filing a complaint

If you feel it is appropriate to file a GDPR complaint, VAT Loans directs individuals to the Information Commissioner’s Office.
  • Organisation: Information Commissioner’s Office
  • Website: ico.org.uk
  • Telephone: 0303 123 1113

Need help with a data request?

Use the VAT Loans contact page or call the team to ask about consent, data held, data correction, data deletion or GDPR questions.