GDPR AND COMPLIANT DATA FOR BUSINESSES
The following policy statement covers our understanding and implementation of the requirements under the Act. We explain here our fundamental tenets under which we manage data.
Faseo Limited are specialist b2b brokers in the UK with the principal director having over 45 years of relevant financial services experience. We are licensed as a broker by our regulating body, the FCA. We utilise and hold some business information for marketing and client data management purposes. We are fully compliant with the requirements as set out in the Data Protection Act 1998 and the General Data Protection Regulation (“GDPR”).
From 25th May 2018 all businesses in the EU will need to comply with the GDPR which is directly concerned with the collection, storage and use of personal data.
The storage and handling of data has, for many years, been governed by the Data Protection Act 1998 (“DPA”) but from May 2018 the GDPR will also become directly effective on all EU Member States, including the UK. GDPR provides a far more robust set of rules for the collection, storage and processing of personal data. In respect of electronic marketing communications, there are additional rules that come from the Privacy and Electronic Communications Regulations 2003 (“PECR”), and with the introduction of the GDPR this is also now in the process of being revised.
WHAT IS PERSONAL DATA?
Definition of Personal Data – Article 4(1) GDPR
“Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Examples of personal data include elements such as name, address, gender, date of birth, but personal data can also include other, perhaps less obvious, identifiers such as IP addresses. Basically, personal data applies to any data from which a living individual (data subject) could be identified.
WHAT IS THE IMPACT OF GDPR?
Every organisation that holds personal data of EU citizens will be affected by GDPR – that includes personnel records, customer details, sales and marketing prospect information, online identifier data, etc.
Organisations will be accountable to the data protection supervisory authorities (in the UK this is the Information Commissioner’s Office). Whilst being accountable is not a new concept in Data Protection law, GDPR requires all organisations to record and document compliance with all applicable aspects of GDPR.
GDPR gives individuals more rights in respect of their data, including more control over and visibility of how their personal data is being used, and the right to have that information removed or corrected if requested.
USING PERSONAL DATA FOR DIRECT MARKETING
Under the DPA and the GDPR, there are six lawful grounds that can be used for the processing of personal data. Consent is one such lawful ground for processing, but not the only one. In the majority of cases, Faseo Limited will rely on another lawful ground for processing of personal data, described here as “Legitimate Interest”.
Relying on Legitimate Interest involves:
- Establishing Faseo’s interest – We lease our data from reputable licensed data brokers who subscribe rigorously to the GDPR principles. The data we acquire is maintained by us for a maximum 12 months upon which the license expires. The datasets only contain companies that are either LTD or LLP. We do not maintain data for nor approach sole traders or partnerships. The information that we receive typically provides the name of the entity, an identification number such as the Registered Office, the street address, the decision makers name and contact phone number and email Processing for direct marketing purposes is specifically mentioned in the GDPR;
- Carrying out a necessity test – this requires consideration of whether there is another way of achieving the purpose of processing, without having to use the personal data. It is unlikely that there would be another proportionate way of making direct marketing communications without using personal data; and
- Balancing our interest against the fundamental rights of the data subjects and whether the use of their personal data by Faseo could have a significant impact on their fundamental rights. In the context of b2b direct marketing, where communications relate to business services rather than the personal life of the individuals receiving the communications, we believe it is unlikely that the fundamental rights of such individuals would be
We understand that those communications need to be measured and unobtrusive.
GDPR requires us to carry out an assessment of (and to document) which lawful grounds for processing of personal data apply to our processing activities.
Our view is that it is reasonable to rely on Legitimate Interest as grounds for the processing of personal data for direct marketing purposes (1) given the very limited amount of personal data being processed; (2) the fact that it is being used solely for the purposes of marketing to the business for which the individual works and not the individual him/herself; and (3) that the individuals concerned are likely to be people within the organisation who would expect to be contacted for business communications.
If a subject individual object (opts-out) to Faseo storing and/or using his/her personal data, then the personal data is removed from the Faseo and mailing house database as soon as reasonably practicable, and that person will not be contacted again.
If Faseo are in receipt of application details as consented to by the data subject, then the information obtained is held and passed on to the Faseo lender panel on the grounds of the
individual’s consent, with Legitimate Interest becoming a secondary legal basis in such instances.
HOW IS PECR INVOLVED IN ALL OF THIS?
PECR rules relate to electronic marketing communications such as email and SMS. They are in addition to the requirements under the GDPR. Faseo do not use data for the purposes of marketing via SMS so the below relates only to email marketing.
- PECR treats the use of email for marketing communication differently depending on whether it is sent to ‘individual subscribers’ or to ‘corporate subscribers’.
- ‘Individual subscribers’ include those working for unincorporated entities such as sole traders and
- The rules require that electronic mail for direct marketing purposes sent to individual subscribers must be based on a prior consent obtained from such individuals (“opt-in”)
- ‘Corporate subscribers’ consist of those working for companies and other incorporated organisations, such as
- PECR allows electronic direct marketing communications to be sent to corporate subscribers (business email addresses of individuals working for incorporated entities) without prior consent, unless the recipient specifically requests not to receive emails from the sender (“opt-out”). Each direct marketing email should include an “unsubscribe” option to allow the individual to notify the sender that he/she no longer wishes to receive emails from the
Faseo complies with all of the requirements of PECR.
This is a summary of Faseo’s position:
- There are multiple ways in which a business can comply with GDPR when processing personal data.
- The ICO acknowledges that consent may be hard for an organisation to achieve and therefore suggests considering Legitimate Interest as an alternative.
- Faseo uses Legitimate Interest as the legal basis to process personal data.
- Faseo sends thousands of targeted emails every month, purchased under license from reputable B2B data Data subjects can opt out easily and quickly, as is their right under the DPA/GDPR.
- Consent is not required to hold and process individual data for marketing communications via post and email.
- Consent is not required to utilise the emails of persons who are working for ‘corporate subscribers’ for marketing communications.
- Consent is required to utilise the emails of persons who are (or are working for) ‘individual subscribers’ for marketing communications.
- Where we speak to the individual and receive an opt-out response, the data is removed.
Utilisation of personal data by Faseo for its sales lead generation and management of its clients is based on the Legitimate Interest legal basis. Faseo do not provide data on applicants to lenders without prior consent and information provided by the client.
The security of your personal data is important to us. In addition to our policies, your personal data is protected by the Data Protection Act 1998 and the General Data Protection Regulation (“GDPR”). Faseo Limited is registered as a data controller with the Information Commissioners Office, Data Protection Number ZA207099. We may share information with third parties who provide a service to us, for the purposes outlined in this policy.
We strive to protect the confidentiality of information our users may provide to us. Our goal is to maintain your trust and confidence when handling personal information about you. Please remember that certain electronic communications such as email are not secure and should never contain protected information or other sensitive content.
Data Protection Principles
When collecting, holding or using data, we adhere to the following:
- Personal data should be processed fairly and lawfully;
- Personal data should be obtained only for the purpose specified;
- Data should be adequate, relevant and not excessive for the purposes required;
- Accurate and kept up-to-date;
- Data should not be kept for longer than is necessary for purpose;
- Data processed in accordance with the rights of data subjects under this act;
- Security: appropriate technical and organisational measures should be taken unauthorised or unlawful processing of personal data and against accidental loss or destruction or damage to personal data;
- Personal data shall not be transferred outside the European Economic Areas unless that country or territory ensures an adequate level of data protection.
Our Website is designed for business users and is not directed at persons under the age of 18, and We do not collect or maintain information at our Web site from persons we know are under the age of 18.
What data do we obtain from you?
Personal Information collected through this site or via any other digital electronic medium only includes information voluntarily submitted to us by our users and may include email submissions and responses to electronic surveys or marketing campaigns. You are not required to submit any personal information to us to view the public content of this website.
Non-personal Information collected through this site includes information that a website sends to your computer while you are viewing this site to provide us with statistics regarding the frequency of visitors to our website and other anonymous information that helps us to better manage our site. None of your personal information will be received by or shared with third parties without your prior consent. Whatever the purpose may be, we will only collect information to the extent reasonably necessary to fulfil your requests and our legitimate business purposes and we will continually maintain physical, electronic and procedural safeguards that meet applicable law to protect the security of your information.
When you visit our website, you have the option of submitting your application information, to enable us to prequalify your request for onward transfer to one or more lenders from our contracted panel of loan providers. When you apply via our website we collect the following personal information: your full name, date of birth, e-mail address, mobile telephone number, residency status, loan purpose and business entity type and name. Your application information is stored on a database which is operated by an external service provider (dropbox.com, and in some cases provided to our mailing house). Information that you may subsequently provide to us, together with permissions for the lender to undertake appropriate credit references may be transferred to our lenders via their dedicated secure application portals. Adequate technical security measures are taken to ensure the security of such data.
When you contact us via our website we collect the following personal information for providing you with swift and accurate correspondence regarding any queries that you might have: your full name, e-mail and, the purpose of your query. We may collect more than one means of contact to enable us to deal with your query as efficiently as possible.
Furthermore, every time this website and its contents are accessed following an outbound email campaign from us, protocol files are created by ourselves or third parties containing access data.
Each protocol file may contain the following:
- The website from which you access our website
- Your IP address
- Date and time of access
- The http answer code
- The browser and operating system used
We may use the specified data to identify individuals for the purposes of providing a more tailored response and appropriate financial service.
This website may use Google Analytics, a web analytics service provided by Google Inc. (Google). Google analytics uses text files which are stored on your computer (“cookies”) to enable analysis of users’ website use. Information created and collected by the cookie regarding users’ use of this website will generally be transmitted to and stored on servers in the USA. Please note that IP anonymization is permanently activated on this website resulting in the deletion of the last eight characters of a user’s IP address. This shortening of a user’s IP address is carried out within the European Union or in another contracting member state of the European Economic Area. In exceptional circumstances, this process may be carried out in the USA.
Google uses the information gathered on this website on behalf of the website’s operator to analyse anonymised users’ usage of the website, to generate reports regarding anonymised users’ website activity, to create anonymous user profiles and web statistics and to provide further services on behalf of the website’s operator associated with the website and internet usage. The IP address transmitted by a user’s browser will not be combined with any other data. Further information on how Google uses, collects and processes data can be viewed via this link.
By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.
Periodically, we may use re-marketing tracking cookies, including the Google Adwords tracking cookie. This means we will continue to show ads to you across the internet, specifically on the Google Content Network (CGN). As always, we respect your privacy and are not collecting any identifiable information using Google’s or any other third-party marketing system.
The third-party vendors, including Google, whose services we use will place cookies on web browsers to serve adverts based on past visits to our website. This allows us to make special offers and continue to market our services to those who have shown interest in our service.
More information about cookies and how our website works
A cookie is a text-only string of information that is passed to your computer’s hard disk through your web browser so that the website can remember who you are. Cookies cannot be used by themselves to identify you. A cookie will typically contain the name of the domain from which the cookie has come, the ‘lifetime’ of the cookie, and a value, usually a randomly generated unique number.
The data collected will not be used to determine your personal identity or to create a link to the pseudonym under which your profile is generated without your explicit permission.
Cookies Used on our Blog
WordPress (where we develop and manage our site) sets cookies so that you don’t have to fill in your name and email address every time you want to comment on our blog and so you can see comments you made that are awaiting moderation.
Social Media Plug-ins
This online feature may use Social Media plug-ins for the social networks Facebook (Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA), Twitter (Twitter, Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA), YouTube (YouTube, LLC 901 Cherry Ave., 94066 San Bruno, CA, USA, a subsidiary of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA) and Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, California 94025, USA, a subsidiary of Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA).
Social Media plug-ins are social network programs that are embedded on other companies’ websites. Embedding a Social Media plug-in causes personal and person-related data to be transmitted to the provider of the social media plug-in. Furthermore, if you are also logged on to a social network, an activated social media plug-in enables your activities to be assigned to your profile.
For data protection reasons, we have decided to initially block the social media plug-ins that are embedded on our website, unless otherwise revised and issued in a future Policy.
Information Use and Storage
Information that is pertinent to an application is received on a secure desktop computer which is under password control and assigned specifically to a member of staff, enabling transactional audit to be date stamped on every activity. Data files are managed and maintained under a Business Dropbox account and remotely stored to provide full disaster recovery should local equipment fail. Access to the dropbox facility is password and user restricted with a full audit of user and date stamp. Any papers that are received in the offices are then returned (if requested) or stored temporarily in a locked metal cabinet prior to being scanned (to the dropbox) and being destroyed.
Third Party Sites
While we make every effort to protect your privacy, we cannot guarantee that the measures we have taken will completely bar unauthorised access to your information. By using our site, you assume this risk.
When you contact us by telephone we will collect sufficient personal data to provide you with swift and accurate correspondence regarding any queries you may have. We collect more than one means of contact to enable us to deal with your query as efficiently as possible. This may include capturing application data as explained in the section about what data we obtain from you.
You have a right to access the personal data that is held about you.
Your personal data is protected by legal rights, which include your right to:
- Object to, or request a restriction of, our processing of your personal data (for example, you can request that we don’t use your personal data for purposes of direct marketing)
- Request that your personal data is erased or corrected
- Request access to your personal data
- Obtain and reuse certain personal data for your own purposes
For more information or to exercise your data protection rights, please contact us using the contact details above.
You also have a right to complain to the Information Commissioner’s Office, which is the UK regulator which upholds rights in relation to individual’s personal data.
If you wish to request a copy of any information that is held about you or ask us to make any changes necessary to ensure that it is accurate and kept up-to-date, please write to the below address, enclosing your postal details and a cheque for £10 payable to Faseo Limited as well as photographic ID for verification purposes.
Data Protection Officer
5 High Street,
Northamptonshire, NN10 8BW
Should you have any queries regarding the above policy, please email us at email@example.com
accessfunds is a trading name of Faseo Limited. Company Number: 05515322.
Registered Office: Carlton House, 5 High Street, Higham Ferrers, Northamptonshire, NN10 8BW
Authorised and regulated by the Financial Conduct Authority. Firm reference number: 766217.
Data Protection – ICO Registered ZA207099
©accessfunds.co.uk and Faseo Limited 2021
rev. pub 1st May 2021