Data Protection Notice

General Data Protection Regulation 2016 


GRENKE is committed to full compliance with the requirements of the EU General Data Protection Regulation. GRENKE will therefore follow procedures to ensure that all employees, partners or other servants or agents of GRENKE (collectively known as data users) who have access to any personal data held by on behalf of GRENKE, are fully aware of and abide by their duties under the General Data Protection Regulation.



GRENKE regards the lawful and appropriate treatment of personal information as very important to its successful operations and essential to maintaining confidence between GRENKE and those with whom it carries out business. We therefore collected and process data for the following lawful basis;


a. To fulfil contractual obligations

Data is processed in order to provide financial services contracts to our customers or in order to take measures at the request of you prior entering into a contract. The purpose of the data processing will be geared in the first instance to the product itself (e.g. leasing and factoring) and may encompass assessment, consultation and the execution of transactions. For further details of the purposes for which data is processed, please refer to the relevant contract documents and terms and conditions.


b. As part of balancing interests
If necessary, we will not only process your data for the actual fulfilment of the contract, but also to protect our own legitimate interests and those of third parties, especially:


  • Consultation and data sharing to determine credit and default risks


For the purposes of checking any credit or default risks, and to defend ourselves against any criminal acts, we provide Experian (Registered Office at The Sir John Peace Building, Experian Way, NG2 Business Park, Nottingham, NG80 1ZZ) and CoCredo Ltd (Registered Office at Missenden Abbey, London Road, Great Missenden, Buckinghamshire HP16 0BD)  with data concerning the request and the applicant. Experian and Cocredo will make the data saved about you available to us through direct electronic mail  provided that we have given convincing evidence that our interest in this is legitimate.


The credit agencies will process the data received and use this to create a profile (scoring), in order to provide their contractual partners in the European Economic Area and in Switzerland and, where necessary, other third party countries (provided there is an adequacy decision from the European Commission for this) with information so they can assess the creditworthiness of natural persons, among others.


Furthermore, we will send personal data collected for the request for, execution and ending of this business relationship to Redwood Collections Ltd (Registered Office at Airport House, Purley Way, Croydon, Surrey CR0 OXZ) and Direct Collection Bailiffs Ltd (Registered Office at Direct House, Greenwood Drive, Manor Park, Horsham, West Sussex RH13 5AD) as well as data for behaviour not in compliance with the contract or for fraudulent behaviour to Lester Aldridge (Registered Office at 85 Gresham Street, London EC2V 7NQ) and  Pdt Solicitors LLP (Registered Office at Premier House, 36-48 Queen Street, Horsham, West Sussex RH13 5AD).

For detailed information as described in Article 14 GDPR regarding activities undertaken by the credit agencies, please refer to the information provided about the respective agencies using the following links:


For CoCredo, go to

For Redwood Collections, go to

For Direct Collections Bailiffs, go to

For PDT Solicitors, go to

For Lester Aldridge, go to


  • Checking business needs for the purposes of direct sales approaches and marketing opportunities
  • Assertion of legal claims and defence during legal disputes
  • Guaranteeing IT security and safeguarding IT operations at our company
  • Prevention and clarification of criminal acts
  • Building and plant safety measures (e.g. access control)
  • Measures to guarantee domestic authority
  • Business management measures and measures to develop products and services


c. Based on your consent
If you have given us your consent to process personal data for certain purposes (e.g. marketing), it will be lawful to do this processing based on the consent you have given. Consent can be withdrawn at any time. This also applies to the withdrawal of declarations of consent received before GDPR comes into force. Withdrawal of the consent does not affect the legality of the data processed up until the withdrawal.


d. Based on statutory provisions or public interest

If we are required to meet various legal requirements (i.e. the provisions of the  Banking Act 2009, Money Laundering Act, tax laws) and banking supervisory specifications (e.g. the European Central Bank, the European Banking Authority, the Bank of England and  Financial Supervisory Authority).



We collect personal data that we receive from individuals through our business relationship. These individuals may include current, past and prospective customers as well as suppliers and our GRENKE employees.  We also – if required to provide our service – collect the personal data that we are permitted to obtain from publicly accessible sources (e.g. lists of debtors, land register, the register of companies and associations, the press, the internet) or data sent to us from our sales partners or other third parties (e.g. a commercial credit agency) with good authorised cause.


GRENKE will, through management and use of appropriate controls, monitoring and review; (i) collect personal data in the most efficient and effective way to deliver services, (ii) collect personal data for such purposes as are described as our lawful basis and (iii) ensure information collected is accurate.


The personal data of relevance is as follows:


  • Personal details (name, address, date and place of birth)
  • Contact details (telephone number, email address)
  • Authentication data (e.g. specimen signature)
  • Order details (e.g. payment order)
  • Data collected to fulfil our contractual obligations (e.g. sales data from payment transactions)
  • Information about their financial situation (e.g. credit information, scoring/rating data, origin of assets)
  • Sales data (including advertising scores), documentation data (e.g. minutes of consultation)
  • Factoring (not leasing) requires the name and address of the bank, account number and sort code into which payments can be made on receivables.


Individuals must provide us with the personal data necessary for us to enter into and maintain a business relationship and to fulfil the requisite contractual obligations associated with this, or when law requires us to collect it. Without this data, we will usually not be able to enter into a contract.

More specifically, the Money Laundering Act requires us to verify an ID document before we enter into a business relationship, and to find out and record an individuals name, place and date of birth and address when doing so. Individuals have to notify us immediately of any changes occurring during our business relationship.



GRENKE acknowledges the distinction between personal data and special category data. Any data of this nature encountered will require specific consent in order for GRENKE to collect or process the information and take action on the situation present.



GRENKE will need to process and use information about individuals with whom it is in a business relationship  in order to operate and carry out its business function. Reasons for processing data includes to check the creditworthiness, to confirm identity and age, to prevent fraud and money laundering, to fulfil requirements set by tax law, and to assess and manage risks. In addition;


a. Automated decision-making

To establish and maintain the business relationship, we do not use fully automated decision-making. If we use this procedure in individual cases, we will provide separate information about this, if required by law.


b. Profiling
We automate the processing of data in some cases with the purpose to evaluate certain aspects of personally (profiling). We use profiling in the following cases (for example):


  • Due to legal and regulatory requirements, we are duty-bound to fight money laundering, the funding of terrorism and criminal acts putting our assets at risk. Data evaluation (including during payment transactions) is also carried out. These measures have also been put in place to protect you.
  • We use scoring when we are assessing your creditworthiness. This process calculates the probability of a customer meeting their payment obligations in accordance with the contract. This calculation will factor in earning capacity, outgoings, existing liabilities, employment, employer, length of service, experience from previous business relationships, repayment of previous loans, as well as information from credit agencies. Scoring is based on an accredited mathematical statistical procedure that has been tried and tested. The score values calculated help us to make decisions on product sales and are factored into routine risk management procedures.
  • We use evaluation tools to provide you with targeted information and advice about products. These make it possible to communicate in a way that meets your needs.



Unless indicated otherwise, we only process your data on our website in order to process your request or because of legitimate interests we have:


a.Usage data
Any time you access a page or a file, generic data is saved automatically in a log file via this procedure. The data is saved for system-related and statistical purposes only, or as an indicator of criminal acts in certain exceptional cases.

We use this  data to improve our websites and to present you with content reflecting your interests. No usage data is combined with personal data as part of this process. If you decide to send us your data, this data will recorded during the input process.

For security reasons, we will save your IP address. This can be retrieved if there is a legitimate interest for this.

We do not create a browser history. Data is not forwarded to third parties or otherwise evaluated unless there is a legal obligation to do so.


The following data set is stored from every processing request:


  • The end device used
  • The name of the file accessed
  • The date and time of the request
  • The time zone
  • The amount of data transmitted
  • Notification of whether the request was successful
  • Description of the type of web browser used
  • The operating system used
  • The page visited before
  • The provider
  • The user’s IP address


b. Contact us / Requests
If you contact us, using contact forms, we will save your data for the purposes of processing your request and for when further correspondence is necessary. All data is deleted after your request has been processed. This does not include data for which there is a legal requirement to keep the data.


c. Registration
We only use the data given to us during registration to gain access to our portal. An email address, Username and Password is collected during the registration process.


d. Use of Cookies
To make visiting our websites an appealing experience and to make it possible to use certain features, we use cookies on different pages. Cookies are small text files that are stored on your end device. Some of the cookies that we use are deleted again at the end of the browser session, i.e. after you close your browser (session cookies). Other cookies remain on your end device and enable us or our partner companies to recognise your browser again the next time you visit (persistent cookies).

Cookies do not make it possible to access other files on your computer, or discover your email address.


Most browsers have settings that mean they accept cookies automatically. If the standard settings are saved for cookies in your browser, all processes will run unnoticed for you in the background. You can change these settings, however. You can adjust your browser so that you are informed when cookies are set and can make individual decisions about accepting them, or generally rule out cookies in certain cases. If you restrict cookies, some individual features of our website may be restricted too.


e. Range analysis using Piwik
We have a legitimate interest (i.e. an interest in the analysis, optimisation and cost-effective operation of our website) in the use of Piwik, open-source software designed to statistically evaluate user access.

Your IP address is shortened before it is saved. Piwik uses cookies that are saved on the users' computers and makes it possible to analyse use of the  online service by the users. Pseudonymous user profiles may be created for the users during this. The information generated by the cookie about your use of this online service is stored on our server and not forwarded to third parties. You will be provided to opportunity to opt out of this process.



f. Embedded YouTube videos
In line with our legitimate interests, we embed YouTube videos on our website; these videos are stored on and can be viewed directly on our website.


If you visit the website, YouTube is notified that you have opened the relevant page of our website. This happens regardless of whether or not you have a YouTube account that you have logged into. If you are logged into Google, your data will be attributed to your account directly. If you do not want the data to be associated with your YouTube profile, you must log out before you click on the button. YouTube stores your data as a user profile and uses them for the purposes of marketing, market research and/or customising its website. In particular, your data is evaluated this way in order to provide personalised advertising and notify other users of the social network of your activity on our website. You are entitled to object to the creation of these user profiles; you must contact YouTube if you wish to exercise this right.

See the privacy policy for more information on the scope and purpose of data collection and processing by YouTube.



In order for visitors to be forwarded to the site with the corresponding national language, the "GeoIP2" service from the company MaxMind ( is used. This service uses the IP address of the visitor to determine the country from which the site is being accessed. In so doing, there is no storage of the country classification for the respective IP. With regard to the handling of your personal data, please also refer to the data protection declaration of the company MaxMind, which you can access here.


h.Google remarketing

We use the remarketing technology from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). With this technology, users who have already visited our internet sites / online services and shown interest in the offering are appealed to again through targeted advertising on the sites of the Google partner network. The display of the advertising is done through the use of cookies, which are small text files that are stored on the computer of the user. With the help of these text files, user behaviour during the website visit can be analysed and then used for targeted product recommendations and interest-based advertising. You can find additional information on Google remarketing and Google's data protection declaration at: If you do not wish to participate in the remarketing process, you can also prevent the installation of the cookies necessary for this – for instance by using a browser setting that generally deactivates the automatic installation of cookies. You can also prevent the use of Google AdWords by downloading and installing the plugin provided through the following link: Alternatively, you can deactivate the use of cookies by third-party suppliers by going to the deactivation site of the Network Advertising Initiative at and implementing the additional opt-out information provided there.


i.Google Conversion Tracking

As an AdWords customer, we also use Google Conversion Tracking, an analysis service from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). In this context, Google AdWords installs a cookie on your computer ("Conversion Cookie"), provided you arrived on our website through a Google advertisement. These cookies lose their validity after 30 days and are not used for personal identification. If you visit certain of our pages and the cookie has not yet expired, we and Google can see that someone has clicked on the advertisement and was thus forwarded to our site. Each AdWords customer receives a different cookie. Cookies therefore cannot be tracked through the websites of AdWords customers. The information obtained with the help of the Conversion Cookie serves to generate conversion statistics for AdWords customers who have chosen conversion tracking. Those AdWords customers have access to the total number of users who have clicked on their advertisements and were forwarded to a site with a conversion tracking tag. However, they receive no information allowing them to personally identify users. If you do not wish to participate in the tracking process, you can also prevent the installation of the cookies necessary for this – for instance by using a browser setting that generally deactivates the automatic installation of cookies. You can also deactivate cookies for conversion tracking by setting your browser so that cookies from the domain "" are blocked.



On our website, you will find plugins for the social network LinkedIn / the LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA ("LinkedIn"). You can identify the LinkedIn plugins through the corresponding logo or the "Recommend" button. Please note that, during a visit to our website, the plugin establishes a connection between your internet browser and the LinkedIn server. LinkedIn is thus informed that our website was visited by your IP address. If you click the LinkedIn "Recommend" button and are simultaneously logged into your LinkedIn account, you have the option of linking content from our website to your LinkedIn profile. In so doing, you are thereby enabling LinkedIn to associate your visit to our website with you and your user account. You should be aware that we have no knowledge of the content of the data transmitted or its use by LinkedIn.


You can obtain additional information regarding details of data collection, your legal options and any settings options from LinkedIn. This information can be found here

Google also processes your personal data in the USA and has subjected itself to the EU-US Privacy Shield.



The companies who need access to your data so that we meet our contractual and legal requirements will receive access to your data. These companies fall into the categories of credit-lending services, IT services, logistics, printing services, telecommunications, advice and consultation, plus sales and marketing.


We are only permitted to forward information if statutory provisions demand this, we can prove there would be a legitimate interest or we have consent for this  or are specifically authorised. Potential recipients of personal data under these conditions include:


  • Public bodies and institutions (e.g. the Bank of England, Financial Supervisory Authority, the European Banking Authority, the European Central Bank, tax authorities) if there is a statutory or official obligation to do so.
  • Other credit and financial service providers or similar institutions to whom we send personal data in order to maintain the business relationship with you (e.g. correspondent banks, credit agencies).
  • Other companies within our Group conducting a risk controlling process because of a statutory or official requirement to do so.
  • Other companies within our Group from which information can be provided that are suitable to the company’s interests and are confirmed as a legitimate interests.



Data will be sent to locations in states outside of the European Union ('third countries') if:

  • it is necessary for carrying out your orders (e.g. payment orders),
  • it is legally required (e.g. notification is obligatory under tax laws)
  • you have given us your consent to do so or
  • the company that is receiving the data is GDPR compliant.



We will process and store personal data for as long as is necessary to fulfil our contractual and legal obligations. Please note that our business relationship is a continuing obligation that is set up for years.


If the data is no longer required to fulfil contractual or legal obligations, it will be deleted periodically unless temporary further processing is required for the following purposes:


  • Fulfilment of a duty to preserve the data under commercial and tax laws, i.e. the UK Commercial Law, UK Company Law, HM Revenue & Customs, the UK Banking Act (2009), the Money Laundering Act and the UK Securities Trading Act (2001). These laws require data to be kept/documented for between two and ten years.
  • Retaining evidence in accordance with the statutory periods of limitation that apply.


GRENKE are responsible for data processing and safeguarding. We have appointed a Data Protection Officer (DPO) which can be contacted via post at GRENKE, FAO The Data Protection Officer, 2 London Square, Cross Lanes Guildford, Surrey, GU1 1UN

Any breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal will be reported within 72 hours of its discovery to the DPO who will ensure a full investigation takes place and notify those involved, where the breach is likely to result in a high risk to the rights and freedoms of the individual involved.



Each individual we deal with has a right;

  • to be informed
  • of access
  • of rectification
  • of erasure
  • to set restrictions of processing
  • to object
  • the right to data portability
  • and rights in relation to automated decision making and profiling.


Each individual also has a right to complain to the Information Commissioner’s Office


You may withdraw your consent to your personal data being processed by us at any time. This also applies to the withdrawal of declarations of consent received before GDPR comes into force. Please note that this withdrawal will apply going forward. It will not apply to any data processed before the withdrawal.

You have the right, at any time, to opt out of any processing of your personal data taking for reasons relating to your own particular situation.

If you unsubscribe, we will not process your personal data anymore, unless we are able to prove that there are legitimate compelling reasons for the processing that prevail over your interests, rights and freedoms, or the purpose of the processing is to assert, exercise or defend legal claims.

In individual cases, we will process your personal data for direct marketing and profiling connected to marketing purposes. You have the right to opt out at any time; after which we will no longer process your personal data for these purposes.


The unsubscribe option will be available to you on every communication or you can contact directly.

To make a data request, individuals must contact GRENKE via telephone T +44 1483 401740, email or via post GRENKE, FAO The Data Protection Officer, 2 London Square, Cross Lanes Guildford, Surrey, GU1 1UN.

Information will be provided as soon as possible (1 month at the latest). This may be extended if the request is complex or numerous, in which GRENKE will notify the individual of this extension.


GRENKE will provide a description of the personal data, the purpose for which it is processed, recipients, retention period and rights of rectification, erasure, restrictions and objections plus the source of the data.

Any rectifications will be carried out without undue delay and investigations will be taken into how the error occurred.