If our customer is a corporate entity, we may collect personal data about you from our customer (for example, we may collect information about directors and other relevant stakeholders of the customer). References in this policy to “you” is a reference to the individual whose personal data we have collected, whether directly from you as the individual, or from our customer who is a corporate entity.
We respect your privacy and we will only use your information in the way we describe in this policy. When using your information, we aim to be fair and transparent and to follow our obligations under the Data Protection Act 2018 and the General Data Protection Regulation.
INFORMATION WE COLLECT ABOUT YOU
We collect information about you at various stages during our relationship with you, including when you or our corporate customer make an application to us, when we enter into an agreement with you/ our corporate customer, during the course of providing our services to you/ our corporate customer and on other occasions when you contact us or when we ask for information.
Personal information you give to us: The personal information that we collect about you is as follows:
- date of birth
- residential address and address history
- contact details such as email address and telephone numbers
- financial information, including bank statements
- employment details
- information contained in identification documents, including passport, driving licence and household bills
- information provided by you when filling in a form on our website
Personal information we receive from other sources: We obtain certain personal information about you from other sources, as follows:
- information we receive following enquiries we make with credit reference and fraud prevention agencies – please see ‘Use by credit reference and fraud prevention agencies’ below for further information;
- vehicle telematics data – our vehicles are fitted with telematics devices that collect data on the vehicle and driving behaviour. The devices collect data on the location of the vehicle, current speed, duration of journey and direction of driving; this data is used to build up a profile of how, when and where the vehicle is driven. The device also collects data on the vehicle’s battery health (including disconnect alerts), g-force data and vehicle servicing/mileage data. We only process this data if we receive an alert as explained under ‘Use of your information’ below;
- to help make our emails more interesting and relevant, we often receive a confirmation when you open an email from us (if your computer or device supports such capabilities).
If you fail to provide us with any mandatory information that we request from you when you apply to us, we will not be able to proceed with the credit reference and fraud prevention checks described below and, subsequently, we will not be able to consider your application nor propose an offer to you.
USE OF YOUR INFORMATION
The purposes for which we use your information and the legal bases under data protection laws on which we rely to do this are as follows (as relevant):
- Our legitimate interests or that of a third party. Our legitimate interests are:
- to assess your application and any lending risks, this includes analysing the information we receive from credit reference agencies to assess and understand your payment performance and to allocate a score based on that assessment;
- to make decisions on credit, hire arrangements and other services;
- to ensure that the vehicle is being used in accordance with your hire agreement and for management, safety and maintenance of the vehicle. We receive automatic alerts from the telematics device fitted to the vehicle: (i) if it triggers a geo-fence at prohibited locations, including country ports and race circuits; (ii) if the vehicle’s battery is flat or nearly flat, or if it is disconnected; (iii) if the vehicle is affected by a certain level of g-force (indicative of the vehicle’s involvement in a road traffic collision); and (iv) when the vehicle is due for its MOT/servicing. We may contact you if we receive any of these alerts so that we can protect our vehicles and for your safety interests;
- to prevent fraud and money laundering, and to verify your identity, in order to protect our business and to comply with laws that apply to us;
- to carry out marketing activities (other than where we rely on your consent) e.g. to tailor marketing communications or send targeted marketing messages via social media and other third party platforms;
- for management and audit of our business operations including statistical analysis and accounting;
- to enhance and personalise your customer experience by analysing patterns and customer behaviours, including contacting you to ask you about your experiences (we may engage a market research company to contact you on our behalf);
- to carry out statistical analysis to help with decisions about credit and account management;
- to recover debt and trace your whereabouts and/or the whereabouts of the vehicle hired to you, including by using telematics tracking data to help us locate the vehicle;
- to monitor communications between us (calls, letters, emails and texts) to prevent and detect crime, to protect the security of our communications, systems and procedures, and for quality control and training purposes; and
- for network and information security in order for us to take steps to protect your information against loss, damage, theft or unauthorised access and for the purposes of backup and problem solving and in order to ensure that you are not misusing any of the services provided to you.
- For compliance with a legal obligation. This includes when you exercise your legal rights under data protection law, to verify your identity, for the establishment and defence of our legal rights, for activities relating to the prevention, detection and investigation of crime, to conduct credit, fraud prevention and anti-money laundering checks and for compliance with our legal and regulatory responsibilities. This may also include processing special categories of data about you, for example for our compliance with our legal obligations relating to vulnerable people.
- Consent. Where we have your consent to use it for direct marketing communications (by us and/or any third parties referred to in the relevant consent request). You can withdraw your consent to marketing at any time by following the unsubscribe instructions in the relevant communication.
- Vital interest. We may use your information to contact you if there are any urgent safety or product recall notices to communicate to you or where we otherwise reasonably believe that the processing of your personal information will prevent or reduce any potential harm to you.
As part of our processing of your personal information, we may take decisions by automated means.
Your information will be used to assess your credit risk using an automated decision-making technique called ‘credit scoring’. Various factors help us to assess the risk; a score is given to each factor and a total credit score obtained, which will be assessed against a confidential pre-set pass score. [Your credit risk is not determined solely from an automated decision, and we take other factors into account (such as affordability, savings, default history and the accuracy of the information you have provided to us). You may contest a decision made about you by automated means, please see ‘Your rights’ below for more information.
In regard to fraud prevention checks, you may automatically be considered to pose a fraud or money laundering risk if our processing reveals your behaviour to be:
- consistent with that of known fraudsters or money launderers;
- inconsistent with your previous submissions; or
- you appear to have deliberately hidden your true identity.
USE BY CREDIT REFERENCE AND FRAUD PREVENTION AGENCIES
In order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies (“CRAs”). We may carry out further credit checks on you when you exchange a vehicle.
To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
- assess your creditworthiness and whether you can afford to take the product;
- verify the accuracy of the data you have provided to us;
- prevent criminal activity, fraud and money laundering;
- manage your account(s);
- trace and recover debts; and
- ensure any offers provided to you are appropriate to your circumstances.
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail at http://www.experian.co.uk/crain/index.html. CRAIN is also accessible from each of the three CRAs – clicking on any of these three links will also take you to the same CRAIN document: Callcredit https://www.callcredit.co.uk/crain; Equifax https://www.equifax.co.uk/crain.html; Experian http://www.experian.co.uk/crain/index.html.
Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process your information. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.
Please telephone us on 0800 001 6666 if you would like details of the credit reference and fraud prevention agencies from whom we obtain and to whom we pass information about you. You have a legal right to these details.
USE BY THIRD PARTIES
We disclose your information to the following third parties:
- The owner of the vehicle hired to you – this will be one of our group companies and will be the company in which you have/ our corporate customer has entered into the hire agreement with.
- Credit reference agencies and fraud prevention agencies. Please see ‘Use by credit reference and fraud prevention agencies’ above for further information about these agencies and what they do.
- When you ask us to, your insurer in connection with your insurance policy and any claim.
- Third party suppliers engaged by us to undertake certain services, including debt collecting agencies to recover monies owed to us, telematics service providers, vehicle transport service providers, vehicle recovery services and fine administration. These third parties will also be controllers of your information and are solely responsible for protecting your personal data and processing it in line with data protection laws.
- Third parties acting on our behalf, such as back-up and server hosting providers, IT software and maintenance providers and their agents and third parties that provide customer support services, claims handling services, income verification services, affordability checks, communication fulfilment services and market research agencies.
- Law enforcement agencies in order to detect, investigate and prevent crime (we or any fraud prevention agency may pass your information to law enforcement agencies).
- Courts in the United Kingdom or abroad as necessary to comply with a legal requirement, for the administration of justice, to protect vital interests and to protect the security or integrity of our business operations.
- Any third party who is restructuring, selling or acquiring some or all of our business or assets or otherwise in the event of a merger, re-organisation or similar event, including where we transfer your agreement to a third party.
- Any third party to whom we sell your debt. If we do this, you will be notified and that third party will become the data controller of your information.
- Our professional advisors, auditors and regulators as necessary.
WHERE WE STORE YOUR INFORMATION/ TRANSFERS TO THIRD COUNTRIES
We store your information on servers located in the United Kingdom.
The third parties listed under ‘Use by third parties’ may be located outside of the UK or the EEA or they may transfer your information outside of the UK or EEA. Those countries may not have the same standards of data protection and privacy laws as in the UK. Whenever we transfer your information outside of the UK, we ensure that your personal data is protected to the standard required under applicable data protection laws, including imposing contractual obligations on the recipients of your information or requiring the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing. Any third parties transferring your information outside of the UK or EEA must also have in place appropriate safeguards as required under applicable data protection laws.
RETENTION OF YOUR INFORMATION
If we decline your application or if we accept your application but you do not/ the corporate customer does not proceed with the vehicle hire, we keep your information for 12 months or as long as necessary to deal with any queries you may have and/or to comply with our legal obligations. If your application is accepted and you proceed, we hold your information for 7 years from the date at which your agreement ends (or upon full and final payment to us, whichever occurs last) or as long as necessary thereafter to deal with any queries you may have or to comply with our legal obligations.
We retain telematics data for 6 months or until the vehicle no longer has a telematics device, whichever is sooner.
Credit reference agencies will retain the account information we give to them for 6 years after your account is closed (please see ‘Use by credit reference and fraud prevention agencies’ for more information about the information that we give to them).
Fraud prevention agencies can hold your information for different periods of time, and if you are considered to pose a fraud or money laundering risk, your information can be held for up to 6 years.
We may hold your information for a longer or shorter period from that described above where:
- the law requires us to hold your personal information for a longer period, or delete it sooner;
- you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law; and
- in limited cases, the law permits us to keep your personal information indefinitely provided we put certain protections in place.
PROTECTING YOUR PRIVACY
We have tried to create a secure and reliable website for our users. However, whilst we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our website and any transmission is at your own risk. Once we have received your personal information, we put in place reasonable and appropriate controls to ensure that it remains secure against accidental or unlawful destruction, loss, alteration, or unauthorised access.
Our website may provide links and banner advertisements to third party sites. Please note that we are not responsible for, and have no control over, information that is submitted to or collected by these third parties. Since we do not control those websites, you are responsible for reviewing the privacy policies of these third party sites.
You have a number of rights in relation to your personal information under data protection laws. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within one month after we have received this information or, where this is not required, after we have received your request.
If you would like to exercise any of your rights, please contact us using the details below under ‘Contact us’.
Your rights are as follows:
- Accessing your personal information. You have the right to ask for a copy of the information that we hold about you. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.
- Correcting and updating your personal information. The accuracy of your information is important to us. If you change any of your details, or you discover that any of the other information we hold about you is inaccurate or out of date, please let us know. We encourage you to keep us up to date in changes in your information to keep it safe and to keep your credit file up to date and consistent as it could affect other lender’s assessments of any applications you make.
- Withdrawing your consent. Where we rely on your consent as the legal basis for processing your personal information, as set out under ‘Use of your information’, you may withdraw your consent at any time. If you would like to opt out of direct marketing from us, please follow the unsubscribe instructions in the relevant marketing communication. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.
- Objecting to our use of your personal information. Where we rely on our legitimate interests as the legal basis for processing your personal information for any purposes, as set out under ‘Use of your information’, you may object to us using your personal information for these purposes. Except for the purposes for which we are sure we can continue to process your personal information, we will temporarily stop processing your personal information in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data for our legitimate interests. You may object to us using your personal information for direct marketing purposes and we will automatically comply with your request. If you would like to do so, please use our unsubscribe tool, if applicable.
- Objecting to automated decisions made about you. You may contest a decision made about you based on automated processing.
- Erasing your personal information or restricting its processing. In certain circumstances, you may ask for your personal information to be removed from our systems. Provided we do not have any continuing lawful reason to continue processing or holding your personal information, we will make reasonable efforts to comply with your request. You may also ask us to restrict processing your personal information where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings. We may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.
- Transferring your personal information in a structured data file. Where we rely on your consent as the legal basis for processing your personal information or need to process it in connection with a contract with have with you, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine readable form, such as a CSV file.
- You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.
PROTECTING YOUR INTERESTS
You have the right to complain to the Information Commissioner’s Office (“ICO”) if you are concerned about the way we have processed your personal information. Please visit the ICO’s website for further details.
By email: firstname.lastname@example.org, with the subject heading ‘Data protection’
By post: Data Protection Contact, XL Limited, Bozon Hall, Wash Road, Kirton, PE20 1QJ
By phone: 0800 001 6666
Companies within the XL Group:
- XLGH Limited, registered number: 10334308, registered address: Bozon Hall Wash Road, Kirton, Boston, United Kingdom, PE20 1QJ
- XL Limited, registered number: 05974549, registered address: Bozon Hall Wash Road, Kirton, Boston, United Kingdom, PE20 1QJ
- XLMAC Limited, registered number: 11679391, registered address: Bozon Hall Wash Road, Kirton, Boston, United Kingdom, PE20 1QJ
- XL CST Limited, registered number: 11191633, registered address: Bozon Hall Wash Road, Kirton, Boston, United Kingdom, PE20 1QJ
- XLCH Limited, registered number: 10530700, registered address: Bozon Hall Wash Road, Kirton, Boston, United Kingdom, PE20 1QJ
- XLUF Limited, registered number: 10449686, registered address: Bozon Hall Wash Road, Kirton, Boston, United Kingdom, PE20 1QJ
- XLHW Limited, registered number: 10336070, registered address: Bozon Hall Wash Road, Kirton, Boston, United Kingdom, PE20 1QJ
- XLCSF Limited, registered number: 10336440, registered address: Bozon Hall Wash Road, Kirton, Boston, United Kingdom, PE20 1QJ