General Data Protection Regulation 2016
GRENKE is committed to full compliance with the requirements of the EU General Data Protection Regulation. GRENKE will therefore follow procedures to ensure that all employees, partners or other servants or agents of GRENKE (collectively known as data users) who have access to any personal data held by on behalf of GRENKE, are fully aware of and abide by their duties under the General Data Protection Regulation.
GRENKE regards the lawful and appropriate treatment of personal information as very important to its successful operations and essential to maintaining confidence between GRENKE and those with whom it carries out business. We therefore collected and process data for the following lawful basis;
a. To fulfil contractual obligations
Data is processed in order to provide financial services contracts to our customers or in order to take measures at the request of you prior entering into a contract. The purpose of the data processing will be geared in the first instance to the product itself (e.g. leasing and factoring) and may encompass assessment, consultation and the execution of transactions. For further details of the purposes for which data is processed, please refer to the relevant contract documents and terms and conditions.
b. As part of balancing interests
If necessary, we will not only process your data for the actual fulfilment of the contract, but also to protect our own legitimate interests and those of third parties, especially:
For the purposes of checking any credit or default risks, and to defend ourselves against any criminal acts, we provide Experian (Registered Office at The Sir John Peace Building, Experian Way, NG2 Business Park, Nottingham, NG80 1ZZ) and CoCredo Ltd (Registered Office at Missenden Abbey, London Road, Great Missenden, Buckinghamshire HP16 0BD) with data concerning the request and the applicant. Experian and Cocredo will make the data saved about you available to us through direct electronic mail provided that we have given convincing evidence that our interest in this is legitimate.
The credit agencies will process the data received and use this to create a profile (scoring), in order to provide their contractual partners in the European Economic Area and in Switzerland and, where necessary, other third party countries (provided there is an adequacy decision from the European Commission for this) with information so they can assess the creditworthiness of natural persons, among others.
Furthermore, we will send personal data collected for the request for, execution and ending of this business relationship to Redwood Collections Ltd (Registered Office at Airport House, Purley Way, Croydon, Surrey CR0 OXZ) and Direct Collection Bailiffs Ltd (Registered Office at Direct House, Greenwood Drive, Manor Park, Horsham, West Sussex RH13 5AD) as well as data for behaviour not in compliance with the contract or for fraudulent behaviour to Lester Aldridge (Registered Office at 85 Gresham Street, London EC2V 7NQ) and Pdt Solicitors LLP (Registered Office at Premier House, 36-48 Queen Street, Horsham, West Sussex RH13 5AD).
For detailed information as described in Article 14 GDPR regarding activities undertaken by the credit agencies, please refer to the information provided about the respective agencies using the following links:
For CoCredo, go to http://www.cocredo.co.uk/
For Redwood Collections, go to www.redwoodcollections.com
For Direct Collections Bailiffs, go to www.dcbltd.com
For PDT Solicitors, go to www.pdt.co.uk
For Lester Aldridge, go to www.lesteraldridge.com
c. Based on your consent
If you have given us your consent to process personal data for certain purposes (e.g. marketing), it will be lawful to do this processing based on the consent you have given. Consent can be withdrawn at any time. This also applies to the withdrawal of declarations of consent received before GDPR comes into force. Withdrawal of the consent does not affect the legality of the data processed up until the withdrawal.
d. Based on statutory provisions or public interest
If we are required to meet various legal requirements (i.e. the provisions of the Banking Act 2009, Money Laundering Act, tax laws) and banking supervisory specifications (e.g. the European Central Bank, the European Banking Authority, the Bank of England and Financial Supervisory Authority).
We collect personal data that we receive from individuals through our business relationship. These individuals may include current, past and prospective customers as well as suppliers and our GRENKE employees. We also – if required to provide our service – collect the personal data that we are permitted to obtain from publicly accessible sources (e.g. lists of debtors, land register, the register of companies and associations, the press, the internet) or data sent to us from our sales partners or other third parties (e.g. a commercial credit agency) with good authorised cause.
GRENKE will, through management and use of appropriate controls, monitoring and review; (i) collect personal data in the most efficient and effective way to deliver services, (ii) collect personal data for such purposes as are described as our lawful basis and (iii) ensure information collected is accurate.
The personal data of relevance is as follows:
Individuals must provide us with the personal data necessary for us to enter into and maintain a business relationship and to fulfil the requisite contractual obligations associated with this, or when law requires us to collect it. Without this data, we will usually not be able to enter into a contract.
More specifically, the Money Laundering Act requires us to verify an ID document before we enter into a business relationship, and to find out and record an individuals name, place and date of birth and address when doing so. Individuals have to notify us immediately of any changes occurring during our business relationship.
GRENKE acknowledges the distinction between personal data and special category data. Any data of this nature encountered will require specific consent in order for GRENKE to collect or process the information and take action on the situation present.
GRENKE will need to process and use information about individuals with whom it is in a business relationship in order to operate and carry out its business function. Reasons for processing data includes to check the creditworthiness, to confirm identity and age, to prevent fraud and money laundering, to fulfil requirements set by tax law, and to assess and manage risks. In addition;
a. Automated decision-making
To establish and maintain the business relationship, we do not use fully automated decision-making. If we use this procedure in individual cases, we will provide separate information about this, if required by law.
We automate the processing of data in some cases with the purpose to evaluate certain aspects of personally (profiling). We use profiling in the following cases (for example):
Unless indicated otherwise, we only process your data on our website in order to process your request or because of legitimate interests we have:
Any time you access a page or a file, generic data is saved automatically in a log file via this procedure. The data is saved for system-related and statistical purposes only, or as an indicator of criminal acts in certain exceptional cases.
We use this data to improve our websites and to present you with content reflecting your interests. No usage data is combined with personal data as part of this process. If you decide to send us your data, this data will recorded during the input process.
For security reasons, we will save your IP address. This can be retrieved if there is a legitimate interest for this.
We do not create a browser history. Data is not forwarded to third parties or otherwise evaluated unless there is a legal obligation to do so.
The following data set is stored from every processing request:
b. Contact us / Requests
If you contact us, using contact forms, we will save your data for the purposes of processing your request and for when further correspondence is necessary. All data is deleted after your request has been processed. This does not include data for which there is a legal requirement to keep the data.
We only use the data given to us during registration to gain access to our portal. An email address, Username and Password is collected during the registration process.
Cookies do not make it possible to access other files on your computer, or discover your email address.
Most browsers have settings that mean they accept cookies automatically. If the standard settings are saved for cookies in your browser, all processes will run unnoticed for you in the background. You can change these settings, however. You can adjust your browser so that you are informed when cookies are set and can make individual decisions about accepting them, or generally rule out cookies in certain cases. If you restrict cookies, some individual features of our website may be restricted too.
e. Range analysis using Piwik
We have a legitimate interest (i.e. an interest in the analysis, optimisation and cost-effective operation of our website) in the use of Piwik, open-source software designed to statistically evaluate user access.
f. Embedded YouTube videos
In line with our legitimate interests, we embed YouTube videos on our website; these videos are stored on www.youtube.com and can be viewed directly on our website.
If you visit the website, YouTube is notified that you have opened the relevant page of our website. This happens regardless of whether or not you have a YouTube account that you have logged into. If you are logged into Google, your data will be attributed to your account directly. If you do not want the data to be associated with your YouTube profile, you must log out before you click on the button. YouTube stores your data as a user profile and uses them for the purposes of marketing, market research and/or customising its website. In particular, your data is evaluated this way in order to provide personalised advertising and notify other users of the social network of your activity on our website. You are entitled to object to the creation of these user profiles; you must contact YouTube if you wish to exercise this right.
In order for visitors to be forwarded to the site with the corresponding national language, the "GeoIP2" service from the company MaxMind (http://www.maxmind.com/) is used. This service uses the IP address of the visitor to determine the country from which the site is being accessed. In so doing, there is no storage of the country classification for the respective IP. With regard to the handling of your personal data, please also refer to the data protection declaration of the company MaxMind, which you can access here.
i.Google Conversion Tracking
As an AdWords customer, we also use Google Conversion Tracking, an analysis service from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). In this context, Google AdWords installs a cookie on your computer ("Conversion Cookie"), provided you arrived on our website through a Google advertisement. These cookies lose their validity after 30 days and are not used for personal identification. If you visit certain of our pages and the cookie has not yet expired, we and Google can see that someone has clicked on the advertisement and was thus forwarded to our site. Each AdWords customer receives a different cookie. Cookies therefore cannot be tracked through the websites of AdWords customers. The information obtained with the help of the Conversion Cookie serves to generate conversion statistics for AdWords customers who have chosen conversion tracking. Those AdWords customers have access to the total number of users who have clicked on their advertisements and were forwarded to a site with a conversion tracking tag. However, they receive no information allowing them to personally identify users. If you do not wish to participate in the tracking process, you can also prevent the installation of the cookies necessary for this – for instance by using a browser setting that generally deactivates the automatic installation of cookies. You can also deactivate cookies for conversion tracking by setting your browser so that cookies from the domain "googleadservices.com" are blocked.
On our website, you will find plugins for the social network LinkedIn / the LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA ("LinkedIn"). You can identify the LinkedIn plugins through the corresponding logo or the "Recommend" button. Please note that, during a visit to our website, the plugin establishes a connection between your internet browser and the LinkedIn server. LinkedIn is thus informed that our website was visited by your IP address. If you click the LinkedIn "Recommend" button and are simultaneously logged into your LinkedIn account, you have the option of linking content from our website to your LinkedIn profile. In so doing, you are thereby enabling LinkedIn to associate your visit to our website with you and your user account. You should be aware that we have no knowledge of the content of the data transmitted or its use by LinkedIn.
You can obtain additional information regarding details of data collection, your legal options and any settings options from LinkedIn. This information can be found here
Google also processes your personal data in the USA and has subjected itself to the EU-US Privacy Shield.
The companies who need access to your data so that we meet our contractual and legal requirements will receive access to your data. These companies fall into the categories of credit-lending services, IT services, logistics, printing services, telecommunications, advice and consultation, plus sales and marketing.
We are only permitted to forward information if statutory provisions demand this, we can prove there would be a legitimate interest or we have consent for this or are specifically authorised. Potential recipients of personal data under these conditions include:
Data will be sent to locations in states outside of the European Union ('third countries') if:
We will process and store personal data for as long as is necessary to fulfil our contractual and legal obligations. Please note that our business relationship is a continuing obligation that is set up for years.
If the data is no longer required to fulfil contractual or legal obligations, it will be deleted periodically unless temporary further processing is required for the following purposes:
GRENKE are responsible for data processing and safeguarding. We have appointed a Data Protection Officer (DPO) which can be contacted via post at GRENKE, FAO The Data Protection Officer, 2 London Square, Cross Lanes Guildford, Surrey, GU1 1UN
Any breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal will be reported within 72 hours of its discovery to the DPO who will ensure a full investigation takes place and notify those involved, where the breach is likely to result in a high risk to the rights and freedoms of the individual involved.
Each individual we deal with has a right;
Each individual also has a right to complain to the Information Commissioner’s Office https://ico.org.uk/concerns.
You may withdraw your consent to your personal data being processed by us at any time. This also applies to the withdrawal of declarations of consent received before GDPR comes into force. Please note that this withdrawal will apply going forward. It will not apply to any data processed before the withdrawal.
You have the right, at any time, to opt out of any processing of your personal data taking for reasons relating to your own particular situation.
If you unsubscribe, we will not process your personal data anymore, unless we are able to prove that there are legitimate compelling reasons for the processing that prevail over your interests, rights and freedoms, or the purpose of the processing is to assert, exercise or defend legal claims.
In individual cases, we will process your personal data for direct marketing and profiling connected to marketing purposes. You have the right to opt out at any time; after which we will no longer process your personal data for these purposes.
The unsubscribe option will be available to you on every communication or you can contact firstname.lastname@example.org directly.
To make a data request, individuals must contact GRENKE via telephone T +44 1483 401740, email email@example.com or via post GRENKE, FAO The Data Protection Officer, 2 London Square, Cross Lanes Guildford, Surrey, GU1 1UN.
Information will be provided as soon as possible (1 month at the latest). This may be extended if the request is complex or numerous, in which GRENKE will notify the individual of this extension.
GRENKE will provide a description of the personal data, the purpose for which it is processed, recipients, retention period and rights of rectification, erasure, restrictions and objections plus the source of the data.
Any rectifications will be carried out without undue delay and investigations will be taken into how the error occurred.