AFunding Privacy Notice

Partner in Payroll Limited (company number 16817657)

This document sets out our policy on the management of personal information which we have about individuals.  Those individuals include clients to whom we may provide or may have provided a facility, guarantors of both individual and company clients and individuals who may provide a guarantee and individuals who are or become customers of our clients.

1. Our privacy assurance to you

Your privacy has always been important to us.  As our client, or someone in a business relationship with our client, we respect your right to be aware of who has information about you, what they are doing with it and why, and who else they are sharing it with.  We have adopted a privacy compliance culture that cements this relationship with you.  Its foundation is the Data Protection Act 2018 and the UK GDPR (as that term is defined in the Data Protection Act 2018) – together the Data Protection Legislation.

2. Overview

This privacy notice explains how we manage personal information.  In particular it explains, in relation to that personal information:

  • the kinds of personal information we collect and hold;
  • how we collect the personal information;
  • the purposes for which we collect, hold, use and disclose the personal information;
  • the lawful basis we rely upon when undertaking that processing;
  • whether we are likely to transfer the personal information to third parties outside of the UK or European Economic Area (EEA);
  • what rights an individual has in respect of the personal information about that individual that we hold; and
  • how an individual may complain to us, how we may deal with the complaint, and how an individual may complain to the Information Commissioner’s Office if they are unsatisfied with how we have dealt with their complaint.

3. Categories of persons whose personal information we collect and process

We collect and process personal information from individuals who are associates, contractors, debtors, or suppliers of our clients, and guarantors.

4. The kinds of personal information we collect and process

We may collect and hold the following types of information about individuals who fall into the above categories:

  • identification information, such as the individual’s name, address and date of birth;
  • information relating to debts owing to our clients;
  • a statement that we have made an information request, that is we have sought information about the individual from a credit reporting body in connection with a credit guarantee purpose or for a securitisation related purpose;
  • the type of commercial credit and the amount of credit sought in an application that has been made in connection with which we have made an information request;
  • court proceedings information about the individual, this is information about a judgment of a court in the United Kingdom against the individual in proceedings (other than criminal proceedings) that relate to any credit that has been provided; and
  • personal insolvency information about the individual, this is information that is entered or recorded in the Individual Insolvency Register maintained by the Insolvency Services, including details of bankruptcy orders, individual voluntary arrangements (IVAs), debt relief orders (DROs), or any other formal insolvency proceedings under the Insolvency Act 1986 or related legislation.

We obtain credit reporting information about individuals who are guarantors from credit reporting bodies.  Credit reporting information includes:

  • the credit information outlined above but which relates to the individual’s dealings with other credit providers;
  • consumer credit liability information, default information, payment information, new arrangement information and publicly available information concerning consumer credit which the individual has obtained from other credit providers; and
  • credit worthiness information about the individual that credit reporting bodies derive from the above information.  This could include credit scores, risk ratings and other evaluations.

We only obtain credit reporting information from credit reporting bodies to the extent we are entitled to obtain it under the Data Protection Legislation.  We might, for example, need to obtain the individual’s prior authorisation. We may disclose credit information (such as identification information) about an individual to a credit reporting body.  The credit reporting body may include that information in the reports it provides to other credit providers. We disclose credit information to the following credit reporting body: Name: Equifax  Website: www.equivax.co.uk

That credit reporting body is required to have a policy which explains how it will manage credit-related personal information.  If an individual would like to read the policy of the credit reporting body he or she should visit the credit reporting body’s website and follow the “Privacy Hub” links, or the individual can contact the credit reporting body direct for further information. Our policy about the management of credit related personal information is contained in this privacy notice but if an individual would like to receive it as a separate document he or she can request a copy by contacting our Data Protection Officer at the address specified in paragraph 7 below.

We will only collect special category personal information about an individual with the individual’s consent or when permissible under the law of the United Kingdom.

5. How we collect personal information

We collect personal information, other than credit eligibility information, about individuals in a variety of ways.  

We will generally collect the information from the individual or from persons acting on the individual’s behalf.  When it is possible and practical we will collect the information direct from the individual.  

When it is not practical or reasonable to do so we will collect the information from a third party.  The third party could be our client, an authorised representative (such as an accountant or lawyer), another financial institution, a referee, an employer or a government body.  

Credit guarantee eligibility information is obtained from a credit reporting body.

6. The purposes for which we collect and process personal information

We collect and process personal information and credit eligibility information on individuals for the following purposes and relying on the following lawful bases.  Those purposes include:

  • if the individual is a guarantor, to determine whether we should accept a guarantee from the individual and, if the guarantee is given, to deal with or enforce our rights under the guarantee and any security which may be given to secure it. Our lawful basis for this is our legitimate interests, where such legitimate interests are not outweighed by the individual’s fundamental rights (Legitimate Interests);
  • if the individual is a debtor, to assess and verify the debt which the client sells to us or in which the client gives us a security interest, to collect the debt and to enforce the debt and any security which may be given to secure payment of the debt. Our lawful basis for this is our Legitimate Interests;
  • if the individual is an associate of our client, to assist us in evaluating, processing, and administering an application for facilities. Our lawful basis for this is our Legitimate Interests;
  • if the individual is an associate of the debtor, to assist us to verify the debt owed by the debtor and to collect and enforce the debt.  For example, we may record the name and office phone number of a person in the debtor’s accounts payable department and telephone that person to verify the debt. Our lawful basis for this is our Legitimate Interests;
  • to assist in the management and enforcement of the facilities we provide, for data analysis and internal management. Our lawful basis for this is our Legitimate Interests;
  • to provide information to credit reporting bodies to the extent this is permitted by the Data Protection Legislation. Our lawful basis for this is our Legitimate Interests;
  • to undertake securitisation activities, raise funding, assign debts and other rights, enter into insurance arrangements (for example insurance policies for debts) and provide information to and obtain information from insurers (including under policies which are taken out by us, which are assigned to us or under which we are the loss payee). Our lawful basis for this is our Legitimate Interests;
  • to deal with complaints and legal proceedings. Our lawful bases for this are Contract Performance and our Legitimate Interests;
  • to meet our legal and regulatory requirements. Our lawful basis for this is to comply with a legal obligation to which we are subject; and
  • to assist other credit providers by giving personal information to them in accordance with an authorisation which the individual has provided to them or us. Our lawful basis for this is our or a third party’s Legitimate Interests.

Individuals will receive marketing communications from us if they have requested information from us or.

We will get express consent before we share any personal information with any third party for their own direct marketing purposes.

Individuals can ask us to stop sending marketing communications at any time by following the opt-out links within any marketing communication sent to you or by contacting us at the details set out below.

If an individual opts out of receiving marketing communications, they will still receive service-related communications that are essential for administrative or customer service purposes.

7. How we protect the personal information which we collect and process

We take all reasonable steps to ensure that an individual’s personal information which we hold is protected from misuse, interference or loss and from unauthorised access, modification or disclosure. We do this by having physical, electronic and procedural safeguards which protect the personal information we hold.  For example, the personal information is stored in secure office premises or in secure archiving facilities and logins, passwords and multi-factor authentication are required to access electronic databases.  Our staff are required to maintain the confidentiality of personal information and access to personal information is restricted to persons who require access to perform their duties. We regularly review our security policies and procedures and train staff in respect of their personal data and security obligations to ensure your data is safe.

8. Disclosure of personal information to third parties

To provide our facilities in the most cost effective and efficient way we may utilise the services of others and we may share personal information with those parties. The parties we currently share personal information with are set out below. This list is subject to change via this privacy notice and it is recommended that you check this privacy notice regularly for updates.

  • APositive Pty Ltd (Australian company number ACN 162 372 741).
  • VA Platinum Pty Ltd (Philippines company number ABN 37 150 301 447) indirectly as a sub-processor of APositive.
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use personal information in the same way as set out in this privacy notice.

We require all third parties to respect the security of personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions. Our third-party service providers are bound by contractual obligations to protect your personal data.

9. International Transfers

We share your personal information with another company in our group, APositive Pty Ltd (see above) and they share your personal information with their sub-processor VA Platinum Pty Ltd (see also above). This will involve transferring personal information outside the UK to Australia and the Philippines.

Whenever we transfer personal information out of the UK to countries which have laws that do not provide the same level of data protection as the UK law, we always ensure that a similar degree of protection is afforded to it using specific standard contractual terms approved for use in the UK which give the transferred personal information the same protection as it has in the UK, namely the International Data Transfer Agreement. To obtain a copy of these contractual safeguards, please contact us at the details set out below.

10. Data Retention

We will only retain personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of personal information, the purposes for which we process personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

By law we have to keep basic information for up to 6 years following the termination or expiry of our client’s facility for tax purposes.

11. Individuals’ legal rights

Individuals have a number of rights under data protection laws in relation to their personal information. These are the right to:

  • Request access to their personal information (commonly known as a subject access request). This enables them to receive a copy of the personal information we hold about them and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold. This enables them to have any incomplete or inaccurate data we hold corrected, though we may need to verify the accuracy of the new data provided to us.
  • Request erasure of their personal information in certain circumstances. This enables them to ask us to delete or remove personal information where there is no good reason for us continuing to process it. They also have the right to ask us to delete or remove personal information where they have successfully exercised their right to object to processing (see below), where we may have processed information unlawfully or where we are required to erase their personal information to comply with local law. Note, however, that we may not always be able to comply with the request of erasure for specific legal reasons which will be notified, if applicable, at the time of the request.
  • Object to processing of personal information where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of their data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process the information which override the right to object.
  • They also have the absolute right to object at any time to the processing of their personal information for direct marketing purposes (see above).
  • Request the transfer of their personal information to them or to a third party. We will provide to them, or a third party they have chosen, the personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which they initially provided consent for us to use or where we used the information to perform a contract.
  • Request restriction of processing of their personal information. This enables them to ask us to suspend the processing of their personal information in one of the following scenarios:
    • To establish the information's accuracy;
    • Where our use of the information is unlawful but they do not want us to erase it;
    • Where they need us to hold the information even if we no longer require it as they need it to establish, exercise or defend legal claims; or
    • They have objected to our use of the information but we need to verify whether we have overriding legitimate grounds to use it.

If you wish to exercise any of the rights set out above, please contact us at the details below.

No fee is payable to access personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if any request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with a request in these circumstances.

We may need to request specific information to help us confirm the requestor’s identity and ensure their right to access the personal information (or to exercise any of their other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also ask for further information in relation to a request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if a request is particularly complex or a number of requests have been made.

12. How to contact us

An individual may contact our data protection officer at mark.wood@apositive.com.au  

13. How an individual may complain and how we will deal with the complaint

Individuals have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). However, before doing so please make sure you have first made your complaint to us or asked us for clarification if there is something you do not understand. The ICO will expect you to have done this before reviewing your complaint. Complaints can be made using the contact details above.

14. Definitions

In this privacy notice: “associate” means a person who is or may become an officer or employee of the client, the guarantor or debtor; “client” means a party to whom we have provided a factoring, invoice discounting or other facility including the provision of commercial credit and includes a person who has applied for, or may apply for, a facility of that type; “debtor” means a person who owes, or may owe, an account (also known as a book debt) which the client has sold to us or may sell to us or in which the client has granted, or may grant, a security interest to us; “guarantor” means a person who has guaranteed, or may guarantee, the obligations which a client has or may have to us; and “we”, “us” and “our” means Partner in Payroll Limited (company number 16817657). Words which are defined in the Data Protection Legislation have the same meaning in this privacy notice.
