Privacy policy

This privacy policy sets out how “Leasing Made Easy Ltd” uses and protects any information that you give “Leasing Made Easy Ltd” when you use this website.

“Leasing Made Easy Ltd” is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

“Leasing Made Easy Ltd” may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 01/12/19.

What we collect

We may collect the following information:

  • name and job title
  • contact information including email address
  • demographic information such as postcode, preferences and interests
  • other information relevant to customer surveys and/or offers

What we do with the information we gather

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

 

  • Internal record keeping.
  • We may use the information to improve our products and services.
  • We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
  • From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customise the website according to your interests.

    How we may share your information

    We may share your information with selected third party suppliers, where we deem that there is a legitimate interest to do so – this is our legal basis for sharing this information.

        Security

        We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

            How we use cookies

            A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

            We use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

            Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

            You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

                Links to other websites

                Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

                    Controlling your personal information

                    You may choose to restrict the collection or use of your personal information in the following ways:

                    • whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes
                    • if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at info@leasingmadeeasy.co.uk

                    We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.

                    You may request details of personal information which we hold about you under the Data Protection Act 1998. A small fee will be payable. If you would like a copy of the information held on you please email info@leasingmadeeasy.co.uk or write to 14 Acre Grove, Much Hoole, Preston, PR4 4QD. If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.

                    WHY DATA IS IMPORTANT

                    It is essential that those who collect and use personal data maintain the confidence of those who are asked to provide it by complying with the requirements of the Data Protection Act. All Data Controllers must comply with the six principles that are at the heart of the Act, including the requirement to obtain and process data fairly.

                    INDIVIDUAL RIGHTS

                     Under the Act any individual concerned has a right to see almost all personal information held about them, whether it is stored on computer or in manual form. Information held by the firm must not be amended/deleted following a request to use it. In the event of receiving a so-called ‘subject access request’ please refer to ‘Subject Access Procedures’.

                    PERSONAL OBLIGATIONS OF ALL STAFF

                    • All staff who deal with personal information are required to handle that information confidentially and sensitively.
                    • Staff undertake to process personal data supplied by the firm only in accordance with the firm’s instructions.
                    • Staff obligations in respect of the Data Protection Act form part of their contract of employment.

                    THE DATA PROTECTION PRINCIPLES

                    The Act sets out 6 principles, which define the obligations of the firm as a registered data user of personal data. Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the Data Controller towards the individual. These principles are as follows:

                    • First data protection principle – processing must be lawful and fair.
                    • Second data protection principle – purposes of processing must be specified, explicit and legitimate.
                    • Third data protection principle – personal data must be adequate, relevant, and not excessive.
                    • Fourth data protection principle – personal data must be accurate and kept up to date.
                    • Fifth data protection principle – personal data must be kept for no longer than is necessary.
                    • Sixth data protection principle – personal data must be processed in a secure manner.

                    PROCESSING PERSONAL DATA

                    Processing of personal data can be broadly defined as any operation carried out on personal data. The Act requires that personal data be processed ‘fairly and lawfully’. Personal data will not be considered to be processed fairly unless certain conditions have been met. Processing may only be carried out where one of the following conditions has been met:

                    • The individual has given his or her consent to the processing.
                    • The processing is necessary for the performance of a contract with the individual.
                    • The processing is necessary to protect the vital interests of the individual.
                    • The processing is necessary to carry out public functions.

                     COLLECTING PERSONAL DATA

                    When collecting personal data it is essential that people know:

                    • Who you / we are
                    • What the data will be used for
                    • To whom it will be disclosed

                    This information can often be provided on an application form or similar document. Data Protection wording is included within the firm’s application package, which when signed by the customer provides necessary comments for processing the customer’s data.

                    When handling, collecting, processing, or storing personal data staff must ensure that:

                    • All personal data is both accurate and up to date.
                    • Errors are corrected effectively and promptly.
                    • The data is deleted/destroyed when it is no longer needed.
                    • The personal data is kept secure at all times (protecting from unauthorized disclosure or access)

                    The Data Protection Act is considered when setting up new systems or when considering use of the data for a new purpose. Any changes could affect the company’s existing registration with the Data Protection Registrar, and an amendment to the registration may need to be sought.

                    It is equally important not to:

                    • Access personal data that you do not need for your work.
                    • Use the data for any purpose it was not explicitly obtained for.
                    • Keep data that would embarrass or damage the firm if disclosed (e.g. via a subject access request)
                    • Transfer personal data outside of the European Economic Area unless you are certain you are entitled to or consent from the individual concerned has been obtained.
                    • Store / process / handle sensitive data unless you are certain you are entitled to or consent from the individual concerned has been obtained.

                    RIGHTS OF INDIVIDUALS

                    MAKE INFORMATION AVAILABLE TO INDIVIDUALS

                    The right to be informed covers some of the key transparency requirements of the GDPR. It is about providing people with clear and concise information about what we do with their personal data. The controller is required to make available to the data subject a range of information, including:

                    • the identity and contact details of the controller and the data protection officer;
                    • the purpose for which their personal data is being processed;
                    • the existence of their right to exercise any of the below rights;
                    • the legal basis for the processing of their personal data; and
                    • the retention period or criteria used to determine the retention period.
                    • Confirmation from the controller whether or not a data subject’s personal data is being processed and, if this personal data is being processed, access to that personal data.

                    RIGHT TO RECTIFICATION

                    • The controller must, if requested, rectify or complete inaccurate or incomplete personal data.
                    • A controller must notify the competent authority (if any) from which the inaccurate personal data originated, where this personal data has been rectified.
                    • A controller must notify the recipients of personal data, where personal data which has been disclosed by the controller has been rectified. Similarly, the recipient must rectify the processing of the personal data in so far as they retain responsibility for it.

                    RIGHT TO ERASURE OR RESTRICTION OF PROCESSING

                    • The controller is obliged, if conditions are met, to erase personal data or restrict its processing without delay.
                    • A controller must notify the recipients of personal data, where personal data which has been disclosed by the controller has been erased or restricted. Similarly, the recipient must erase or restrict the processing of the personal data in so far as they retain responsibility for it.

                    RIGHT TO RESTRICT PROCESSING

                    • Individuals have a right to ‘block’ or suppress processing of personal data.
                    • When processing is restricted, you are permitted to store the personal data, but not further process it.
                    • You can retain just enough information about the individual to ensure that the restriction is respected in future.

                    RIGHT TO OBJECT

                    Individuals have the right to object to:

                    • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling) – for this individuals must have an objection on “grounds relating to his or her particular situation”.
                    • direct marketing (including profiling) – you must stop processing personal data for direct marketing purposes as soon as you receive an objection. There are no exemptions or grounds to refuse.
                    • processing for purposes of scientific/historical research and statistics. Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.

                    SUBJECT ACCESS REQUESTS

                    Clients have a right to:

                    • Request (a ‘subject access request’) details of the processing relating to them. This includes any information about themselves including information regarding the source of the data
                    • To have any inaccurate data corrected or removed.
                    • In certain circumstances to stop processing likely to cause ‘substantial damage or substantial distress’
                    • To prevent their data being used for advertising or marketing.
                    • Not to be subject to certain ‘fully automated decisions’ if they significantly affect him / her

                    When a subject access request is received, it is important to:

                    • Treat the requester with courtesy and try to understand what exactly is being sought.
                    • Act promptly and effectively as certain timescales are imposed regarding response.

                    DATA SECURITY OBLIGATIONS

                    Firms have a responsibility under FCA Regulations to put in place systems and controls that keep the data of customers secure whilst also minimising the risks of data loss. The nature of the steps that firms will be expected to take will depend on the size, complexity and nature of the services that the firm provides. We recommend that firms seek expert advice about both assessing their data security risks and formulating appropriate policies, as these will be unique to individual firms. Examples of policies that firms could be expected to implement in order to comply with the above include but are not limited to requirements that:

                    • Customer data cannot be taken off site by staff, salespeople, suppliers, IT consultants or contractors where laptops and other devices (USB sticks, CDs, hard disks etc.) are not encrypted
                    • Where data is taken off site there is automatic encryption of devices or other appropriate measures
                    • Where customer data is transferred electronically firms use secure internet links
                    • Access to sensitive areas (call centres, server rooms, filing rooms) is restricted
                    • Staff will not be able to access data that they do not need for their roles
                    • Staff handling large volumes of data do not have access to internet e-mail
                    • Super users/staff with large amounts of access to data are monitored
                    • Staff data access rights are reviewed to ensure that they remain appropriate
                    • When staff members leave, their user accounts are permanently deleted
                    • Paper files are locked away
                    • Staff dispose of hard data securely through physically destroying data e.g. by using shredders or using confidential waste bins
                    • There are robust password standards and that passwords are not shared 
                    • That there are individual user accounts requiring passwords for all systems containing customer data
                    • Systems operate in such a way as to prohibit the setting of passwords which do not comply with password policy
                    • Data is securely wiped before computers are disposed of or transferred to new users
                    • There is some mechanism to check that hard and electronic data is being destroyed competently
                    • Firms understand what checks are done by employment agencies they use
                    • There are enhanced vetting procedures for staff with large amounts of access to customer data
                    • Customers’ identities are authenticated using, for example, touch-tone telephone before a conversation with a call centre adviser takes place
                    • There are clear & consistent procedures for backing up data
                    • Backed up data is limited to appropriate staff
                    • Backup tapes are held securely
                    • An accurate register of laptops issued to staff is maintained
                    • That there is wiping of shared laptops’ hard drives between uses
                    • Firms have security measures in place to protect data e.g. alarm systems, grilles on windows & keypad entry doors
                    • There is a robust policy for logging visitors in and out

                    DEALING WITH DATA SECURITY INCIDENTS / DATA BREACH

                    When a personal data breach has occurred, we will need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then we must notify the ICO; if it’s unlikely then we don’t have to report it. However, if we decide we don’t need to report the breach, we need to be able to justify this decision and we must document it.

                    If we determine that we need to report the data breach to the ICO then we must do so within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, then we must also inform those individuals without undue delay.

                    If you have a complaint about data protection at Leasing Made Easy, please contact our privacy officer at info@leasingmadeeasy.co.uk.

                    Alternatively contact our supervisory authority for data protection compliance: www.ico.org.uk

                    Information Commissioner’s Office

                    Wycliffe House
                    Water Lane
                    Wilmslow
                    Cheshire
                    SK9 5AF

                    Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)