USE OF YOUR INFORMATION

We are MotoNovo Finance Limited, a subsidiary of Aldermore Group PLC and part of the FirstRand Banking Group. We are registered in Wales under number 11556144, and our Registered Office address is One Central Square, Cardiff, Wales, United Kingdom CF10 1FS. In this policy when we use terms such as “we”, “us” and “our”, we mean MotoNovo Finance Ltd. When we talk about personal data we mean any information that relates to an identifiable natural person – in this case, you.  Special categories of data mean personal data about an individual's race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic data, biometric data for the purpose of uniquely identifying a person, data concerning physical or mental health or condition, sexual life, criminal offences or related proceedings. Any use of special categories of data must be strictly controlled in accordance with this policy.

This policy applies to personal data processed by or collected on behalf of MotoNovo Finance Limited.  We may collect information from you when you visit our website, apply for a job, or work for us using provided equipment or services (PCs, telephone, email, etc.) This policy applies to all "Staff", meaning all directors, consultants, employees, interns, volunteers and temporary staff of MotoNovo Finance Limited, including applicants, former applicants, former employees, agency, casual workers and contract.

This policy does not form part of your contract of employment or engagement. MotoNovo Finance Limited may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to you before being adopted. This policy supplements other policies relating to data protection, information security, criminal conviction checks and retention.

You should read this policy, so you know what personal data we collect about you, what we do with it and how you can exercise your rights in connection with it.  You should also read any other privacy policies that we give you, that might apply to our use of your personal data in specific circumstances from time to time. 

MotoNovo Finance Limited is a “Data Controller”.  This is a legal term which means that we make decisions about how and why we use your personal data.  As the “Data Controller”, we are responsible for making sure that your personal data is used in accordance with applicable data protection laws.  As Data Controller, we are required by law to give you the information in this policy. 

However, on occasions there may be other Data Controllers involved in processing your data as further explained in this Policy, or as you may be advised at the time your information is to be processed.

At the foot of this Policy we have included links to external web sites providing further information to help you.  We have also included details of contact points, including those for our Data Protection Officer, which you can use if you wish to ask us for further information or to exercise your rights. 

You will see at the end of this privacy policy that we mention the privacy policies of other organisations.  We do need to share these with you.  Please read them carefully and contact those organisations if you have questions (their details are in their policies).

 

WHAT WE WILL DO WHEN YOU APPLY

During the recruitment and employment process,  we will need to collect certain details from you for the purpose of entering into an employment agreement with you; administering any agreement with you; in order to undertake checks for the purposes of preventing fraud, money laundering, to verify your identity; to assess your creditworthiness; and if you access our website we collect information about your browsing experience, for the purposes of understanding and improving our website,  staff  experience and our products and services.

Roles within MotoNovo Finance Limited are advertised on our careers website as well as through job boards, other sites (such as LinkedIn), professional agencies and anyone else who acts as a person sitting in between you and us in relation to what we do for you.  In this policy we will call these persons “agencies and other intermediaries”. 

When an agency or other intermediary processes your personal data on our behalf, this privacy policy will apply, and you should contact our Data Protection Officer to exercise your rights under data protection laws.  When an agency or other intermediary processes your personal data as a data controller in its own right, its own privacy policy will apply, and you should ask them for a copy if you do not have one by the time you are introduced to us.

We work with our specialist recruitment partner, The Curve Group, to give candidates the best possible experience in pursuing a career with MotoNovo Finance Limited. As such, the personal details you submit will be processed on our behalf by The Curve Group. Their Privacy Policy can be found at the bottom of this policy. During the process, your details will be shared with MotoNovo Finance Limited.

 

WHAT WE COLLECT AND PROCESS

We will collect and process the following personal data about you:

Directly from you: 

  • Information you give us, or provide to a recruitment agency, when making an application or during your employment (Submitted Information), including: information entered when you apply for our roles, either via our Careers site, via application forms or entry in our on-boarding portal:
  • Face-to-face contact, telephone calls, emails, letters and other correspondence with us
  • Emails you have written related to others, for example, incidents that they’ve been involved in
  • Material you post on our social media pages
  • Information we have gathered from asking you to respond to surveys, although you do not have to complete them.

The information you give us comprises:

  • Your name, 
  • Date of birth, 
  • Residential address and address history for the last three years, 
  • Contact details such as email address and telephone numbers, 
  • Gender, 
  • Financial information including details of your bank account, tax status and National Insurance information, 
  • Employment details, to include your salary, employer name, address and time you have worked there, 
  • Reference details, 
  • Next of kin and dependant details
  • Special categories of personal data including information about your health, equal opportunities monitoring information including sexual orientation, ethnic origin and religion, trade union membership and information about criminal convictions,
  • Anything you may need from us to support you during your employment.

Data from third parties we work with:

  • Information we receive about you from third parties (Third Party Information) including 
  • Companies that introduce you to us
  • Social networks
  • Internal Fraud Database (Cifas & Oracle WatchList)
  • Agents working on our behalf
  • Government (HMRC) and Law Enforcement Agencies
  • Disclosure and Barring Service (DBS)

This information may include:

  • Your personal and financial information (from your referees, recruitment agency, your employer, or other person connected with your employment application), 
  • Credit information, such as previous lending you have, the conduct of accounts in your and your financial associate’s name (this is anyone linked to you for credit or finance purposes), any business accounts you have, 
  • Fraud prevention information and 
  • Public information such as County Court Judgments, bankruptcies and the Electoral Register.
  • Data we collect during your employment and when you use our services:

We will also collect your personal data during your employment and keep records of this data, this will include: your absence, leave & sickness history, benefits information, training and development, renumeration and tax information, health and safety information, your regular performance reviews and any actions or decisions taken as a result of applying any of our policies.

MotoNovo Finance also holds and processes the personal data of “Staff'” next of kin, family or friends for the purposes of emergency contact details and expression of wishes on insurance. 

We will also collect information derived from cookies when you use our website, which will include your IP Address unless you have declined to accept cookies. 

Fraud Screening (Cifas & Oracle WatchList):

We will check your details against the Cifas databases established for the purpose of allowing organisations to record and share data on their fraud cases, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct (“Relevant Conduct”) carried out by their staff and potential staff. 

We will regularly conduct screening checks of staff details using the Oracle Watchlist Service. This involves personal data being screened against Sanctions Lists of Politically Exposed and Special Interest Persons. This screening is to comply with Financial Crime obligations and the results of this screening may be shared with members of the Aldermore and FirstRand Group. 

“Staff” means an individual engaged as an employee, director, trainee, homeworker, consultant, contractor, temporary or agency worker, or self-employed individual, whether full or part time or for a fixed-term.

Special Category Information 

Special categories of data require a higher level of protection. Most often we may process this special category of data where; 

We need to carry out our legal obligations or exercise rights in connection with employment; 

Where the processing is necessary for the assessment of your working capacity, occupational health or obtaining a medical diagnosis or where it is needed in the public interest (such as equal opportunities monitoring); 

Where the processing is in the substantial public interest (such as equal opportunities monitoring); or 

In exceptional circumstances we may process this data with your explicit consent. 

We may combine the above information and use these categories of information and the combined information for the purposes set out below.

What should you do if your personal data changes?

You should tell us without delay so that we can update our records.   If you were introduced to us by an agency or other intermediary who is data controller in its own right, you should contact them separately. In some cases where you exercise rights against us under data protection laws (see below) we may need to inform the agency or other intermediary, but this will not always be the case.  

Do you have to provide your personal data to us? 

We are unable to employ you or to process your application without having personal data about you.  Your personal data is required before you can enter into the relevant contract with us, or it is required during the life of that contract, or it is required by laws that apply to us. We will need to collect it except as follows:  

In cases where providing some personal data is optional, we will make this clear. For instance, we will say in application forms or on our website or via the agency or other intermediary if alternative (such as work) telephone number contact details can be left blank.

 

HOW WE USE THE INFORMATION WE COLLECT ABOUT YOU

Personal data collected by us will be used by us at application stage and, if your application is successful, during the term of and after termination of the agreement, for the following purposes: 

To perform a contract we have has entered into with you or take steps before entering into a contract with you at your request, including:

  • Providing the services, and related administration and transactions relating to the contract
  • Administering and managing your pay and benefits, updating your records 
  • Sharing your personal data with certain third-party service suppliers such as payment service providers, pension providers, etc.
  • To manage how we work with other companies that provide services to us.

To comply with our legal obligations including:

  • Complying with employment, tax, immigration, anti-money laundering, terrorism health and safety and safeguarding laws, 
  • Preventing and detecting crime, 
  • Assisting the police and other authorities with their investigations
  • To carry out identify checks, your right to work in the UK, anti-money laundering checks and checks with Fraud Prevention Agencies pre-application, at the application stage and periodically after that. Where you have been introduced to us by an agency or other intermediary they may do these searches on our behalf;
  • For compliance with laws that apply to us, such as equality legislation and health and safety legislation;  
  • For establishment, defence and enforcement of our legal rights or those of any other member of Aldermore and FirstRand Group;  
  • To carry out monitoring and to keep records (see below); 
  • To deal with requests from you to exercise your rights under data protection laws;
  • To process information about a crime or offence and proceedings related to that (in practice this will be relevant if we know or suspect fraud);

Where necessary for our legitimate interests or those of a third party provided your interests and rights do not override those interests including:

  • Administering and managing your details and staff benefits; 
  • Employment and Recruitment Activities: which will mean verifying your identity; DBS Criminal Records Service checks; employment services; payroll and HMRC data administration; credit assessments using data from Credit Reference Agencies
  • Notifying you of local services available to you as you are an employee of us; 
  • Administering your bonus and incentive schemes and any payments from them; 
  • Administering any discount shopping service provided 
  • Defending employment claims brought by you
  • General Administration: which will mean auditing; reporting and accounting functions; statistical analysis and market research; credit and other funding decisions; credit, market, regulatory and operational risk management; systems testing; network monitoring; 
  • Marketing Activities: which will mean conducting staff surveys;  
  • Commercial Activities: which will mean assigning our rights or obligations to a third party; obtaining funding for our business, to understand and improve our products and services, and to create aggregate or statistical data to use for analytical or research purposes 
  • To test the performance of our internal processes;
  • To adhere to guidance and best practice under the regimes of governmental and regulatory bodies such as HMRC, the Financial Conduct Authority, the Prudential Regulation Authority, the Ombudsman, the Information Commissioner’s Office and under the Financial Services Compensation Scheme;
  • For management and audit of our business operations including accounting;
  • To carry out monitoring and to keep records (see below); 
  • To administer our good governance requirements and those of other members of our Group 
  • For some of our profiling and other automated decision making, in particular where this does not have a legal effect or otherwise significantly affect you

To protect your vital interests or those of another person 

  • where we know or have reason to believe that you or another person may suffer harm)

In circumstances where you have a genuine choice as to whether we should process your personal data, we will ask you for your consent

The method used to obtain your consent will depend on the scope and context of the processing that we propose.

 In relation to special categories of personal data and personal data relating to criminal convictions and offences, we may request your explicit consent unless a legal obligation applies which allows us to process such personal data without doing so.

If we do require your consent, then at the relevant time we will provide you with all of the information necessary to carefully consider our request. You will be under no obligation to provide your consent and you will suffer no detriment for not doing so. 

You also have the right to revoke that consent for future processing at any time

Credit checking, verifying your identity and preventing fraud and money laundering

We will use certain personal data you have provided to us in order to confirm your identity and to prevent fraud and money laundering, and to carry out a credit check on you by searching at credit reference agencies who will supply us with credit information about you If, for any reason, you do not provide this information we will not be able to proceed with credit reference and fraud prevention checks and, subsequently will not be able to fulfil your application and we will not be able to enter into the employment agreement with you.  Further details about these checks are provided below.

When we use your personal data for these purposes we do so on the basis that we have a legitimate interest in assessing your application, preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services you have requested, and we will not be able to process your application without undertaking these checks. 

Monitoring of your personal data

In this section monitoring means any listening to, recording of, viewing of, intercepting of, or taking and keeping records (as the case may be) of calls, emails, text messages, social media messages, face-to-face meetings and other communications.

MotoNovo Finance Limited may monitor your electronic communications and use of websites for the purpose of ensuring that its IT systems are being used in accordance with policies.  

MotoNovo Finance Limited is ultimately responsible for all business communications but, so far as possible; your privacy will be respected.  MotoNovo Finance Limited may, in its capacity as your employer, monitor your communications, including phone calls (which may be monitored and/or recorded) between Staff and customers, for reasons which include: providing evidence of transactions; ensuring that our procedures, policies and contracts with Staff are adhered to; complying with any legal or regulatory obligations; preventing or detecting crime, monitoring standards of service, staff performance, and for staff training; preventing or detecting unauthorised use of our IT systems or criminal activities; and maintaining the effective operation of our IT systems. 

MotoNovo Finance Limited may use software to monitor and record internet usage.  Please bear in mind that you may be called upon to justify the amount of time you have spent on the internet or the sites you have visited.  Internet access can be withdrawn from you at any time. 

Telephone, email and internet traffic data is monitored at a network level for the purposes set out above.  You should be aware that such monitoring might reveal special categories of personal data about you.  For example, if you regularly visit web sites of a particular political party or religious group, then those visits might indicate political opinions or religious beliefs. 

CCTV is in operation within shared spaces; the data is controlled by the landlords of the building for the purposes of safety, security and crime prevention. In exceptional circumstances MotoNovo Finance Limited may access this data, but only on a need to know basis where, for example, the CCTV footage is relevant and proportionate to a disciplinary investigation

On-site security is in operation within MotoNovo Finance Limited, whereby digital photographs, and details of access throughout the building may be captured and stored, for the purposes of safety, security and crime prevention. 

By carrying out such activities using MotoNovo Finance Limited communication facilities you acknowledge that MotoNovo Finance Limited may process special categories of personal data about you which may be revealed by such monitoring.

In certain exceptional circumstances, subject to compliance with any local laws and regulations, emails and the content of sites you have looked at or downloaded from the internet may be accessed e.g. when there is a reasonable suspicion that they may reveal evidence of unlawful activity or misconduct.

All incoming email is scanned using virus-checking software.  The software will also block unsolicited marketing email (spam) and emails which have potentially inappropriate attachments.  

Use of Automated Processing and Automated Decision Making 

We use automated processing at the application stage to assess your right to work in the UK. This means we attempt to match your personal details to publicly available information through sources such as the Royal Mail or Cifas. If for any reason we are unable to complete our formalities using this process you will be informed how you many complete the process using manual methods. 

Profiling

We use data generated from the careers section of our site to understand how it is operating, track certain advertising approaches and inform staff about newly advertised roles. For this we profile using data generated throughout your contact with us by our online applications and in strict accordance with our Cookie policy. 

We can do this activity based on our legitimate interests (and they are listed in the What we do with your data section above) only where the profiling and other automated decision making does not have a legal or other significant effect on you.  In all other cases, we can do this activity only where it is necessary for entering into or performing the relevant contract, is authorised by laws that apply to us, or is based on your explicit consent.  In those cases, you have the right to obtain human intervention to contest the decision (see ‘rights in relation to automated decision making which has a legal effect or otherwise significantly affects you’ below).  If you want to know more, please contact us using the details provided.

Data Anonymisation and the use of Aggregated Information

Your personal data may be converted into statistical or aggregated data which cannot be used to re-identify you.  It may then be used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described in this privacy policy.

 

WHO WE SHARE YOUR DATA WITH

In order to provide or assess suitability for employment, there will be times when we will share your data. These include:

Third Parties

We may transfer your personal data to third parties acting on our behalf, including without limitation, HMRC, Company Staff Benefits providers, incentive scheme payment services providers, and our service, system, support and outsourcing providers; regulatory bodies, and law enforcement and fraud prevention agencies, for administrative purposes, processing or for the operation and maintenance of your business with us.  

We may share your personal data with companies whom we have contracts in place for the supply of goods and services as part of providing service to our employees, such as our mailing house and web site suppliers. 

We may also disclose your personal data to our appointed representatives in connection with a contracted transaction between you and us.  This includes pension advisors, payroll and HR service providers, benefit providers, insurers, and any party described in the terms and conditions of the employment contract you hold with us. We will have in place an agreement with our service providers which will restrict how they are able to process your personal data. If any service provider is based outside of the European Economic Area (EEA), we will ensure that we have an appropriate contract for the international transfer of personal data with them. 

We may share your personal information with these organisations

SUPPLIER - ORGANISATION

CATEGORY

Activa

Company Car Fleet

ADP

Payroll & Employee Management

Aviva

Benefits

Computershare

Child Care Vouchers

The Curve Group

Recruitment

FCA

Regulatory

HMRC

PRA

Halfords

Cycle to Work Scheme

Independents

HR Consultancy

Towers Watson

Oracle

Employment Management & Screening

Symatrix

Employment Management 

Verifile Screening
Zurich

Benefits Insurance

Employee Assistance Program

HARBOUR Data Processor

Please note: this list includes our main HR suppliers but is not comprehensive. Previous suppliers (for instance pension providers) may still hold your data but are not included. If you have specific queries about who we share your personal data with, please contact us.

Companies in our group

We may transfer your personal data to companies within the FirstRand Bank Ltd and Aldermore Groups its establishments and trading divisions as follows:

  • Aldermore Group plc 
  • Aldermore Bank plc
  • FirstRand Bank Ltd (London Branch)
  • Wesbank
  • RandMerchant Bank (RMB)
  • First National Bank
  • FirstRand International (Guernsey) Ltd 
  • RMB International UK Ltd 
  • Ashburton Investments Holdings Ltd 

Sharing where we are obliged under a legal obligation

We will disclose your personal data in order to comply with any legal regulations or good governance obligations, or to enforce or to protect our rights, property, or safety, or that of our customers or other persons with whom we have a business relationship. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Credit Reference Agencies

We will supply certain of your personal information to credit reference agencies and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. Credit reference agencies will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information. 

Where you are a director or partner in a small business, we, may also check the record on your business, so you should make sure you discuss this with anyone concerned, and share with them this information, before lodging the application.

If you are financially linked to another person (for example if you have a joint mortgage or loan) your credit reference agency records will be linked until such time as you or your partner successfully files for a disassociation with the credit reference agencies to break that link.  If you are financially linked to another person, this application may impact on their credit record (and their record could impact your application) so you should make sure you discuss this with them, and share with them this information, before lodging the application.

Whether or not this application proceeds, the credit reference agency will place a record of our search on your credit file (commonly referred to as a "footprint").  This record (but not our name) will be seen by other organisations when you apply for credit in the future. A large number of applications within a short period of time could affect your ability to obtain credit.

Credit Reference Agencies update:

The CRAs also collect and use personal data for marketing and data profiling activities, to create data modelling tools. These tools are used to model customer behaviour to support marketing, research, brand and product communication campaigns. You can find out more about how CRAs use your data and how you can opt out at www.experian.co.uk/privacy/consumer-information-portal/

Sharing information with Cifas & Oracle Watchlist

We will check your details against the Cifas databases established for the purpose of allowing organisations to record and share data on their fraud cases, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct (“Relevant Conduct”) carried out by their staff and potential staff.  We will regularly conduct screening checks of staff details using the Oracle Watchlist service. This involves personal data being screened against Sanctions Lists of Politically Exposed and Special Interest Persons. This screening is to comply with Financial Crime obligations and the results of this screening may be shared with members of the Aldermore and FirstRand Group. “Staff” means an individual engaged as an employee, director, trainee, homeworker, consultant, contractor, temporary or agency worker, or self-employed individual, whether full or part time or for a fixed-term. 

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and other relevant conduct and to verify your identity. 

Details of the personal information that will be processed include: name, address, date of birth, any maiden or previous name, contact details, document references, National Insurance Number, and nationality. Where relevant, other data including employment details will also be processed. 

We and Cifas may also enable law enforcement agencies to access and use your personal data to detect, investigate, and prevent crime. 

We process your personal data on the basis that we have a legitimate interest in preventing fraud and other Relevant Conduct, and to verify identity, in order to protect our business and customers and to comply with laws that apply to us. This processing of your personal data is also a requirement of your engagement with us.

Cifas will hold your personal data for up to six years if you are considered to pose a fraud or Relevant Conduct risk.

Consequences of Processing

Should our investigations identify fraud or any other Relevant Conduct by you when applying for or during the course of your employment with us, your new engagement may be refused or your existing engagement may be terminated or other disciplinary action taken (subject to your rights under your existing contract and under employment law generally). 

Your Rights 

Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data; request that your personal data is erased or corrected; request access to your personal data. 

For more information or to exercise your data protection rights please, please contact us using the contact details provided. 

You also have a right to complain to the Information Commissioner's Office which regulates the processing of personal data.

A record of any fraudulent or other Relevant Conduct by you will be retained by Cifas and may result in others refusing to employ you. If you have any questions about this, please contact us using the details provided. 

Should Cifas decide to transfer your personal data outside of the European Economic Area, they will impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

Sharing references with other employers 

If a request for a reference is made from an external company, MotoNovo Finance Limited will disclose only the dates you were employed, reason for leaving and your latest job title. If further information is requested, for instance for Senior Management and Certification Regime (SMCR) roles, we will respond to specific questions

Sharing information with partners for pre-employment screening (PES)

MotoNovo Finance Limited requires you to complete Pre-Employment Screening (“PES”), which is also known as vetting or background checks.  To complete this, we work with Verifile and other trusted third-party suppliers and will need to share your personal details and relevant documents with them (a link to their privacy policy can be found in the Useful links section). This will include, upon request, the full disclosure and provision of documentation or information to complete each individual element of PES. Based on your role, we will inform you the elements required and the information which will be shared. You will receive details about this at the offer stage of your engagement with us. 

Sharing under change of business ownership 

In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.

If MotoNovo Finance Limited or substantially all of its assets are acquired by a third party, the personal data we hold about our employees will be one of the transferred assets.

Transfer of Undertakings and Protected of Employment (TUPE) is designed to preserve employees’ terms and conditions of employment when either a business or undertaking is transferred to a new employer, or there is a ‘service provision change’ (for example, contractor A takes on a contract to provide a service for a client from contractor B and the same staff provide the service). These transfers or changes in service provision are referred to as ‘relevant transfers’. We will give the new employer the following information (known as ‘employer liability information’) before the transfer takes place:

  • Identity (usually the name) and age of the employees who will transfer. 
  • Information contained in their ‘statements of employment particulars’, such as written statement of pay, hours of work, holidays and so on (usually contained in the employee’s offer letter or contract of employment). 
  • Information about any relevant collective agreements. 
  • Details of any disciplinary action taken against an employee in the last two years. 
  • Details of any grievance action raised by an employee in the last two years. 
  • Details of any legal action (before the court or employment tribunal) brought against the employer by an employee in the last two years and information about any potential legal action.
  • Data Privacy Notices from Other Organisations

We have mentioned that we share your personal data with Cifas.  They require us to pass on to you information about how they will use your personal data to perform their services or functions as data controllers in their own right. We also work with Agencies, intermediaries and various external companies who provide services and employee benefits. Each of these companies has their own privacy notices, which are separate to our own

Transferring Data Abroad

We will only send your data outside of the European Economic Area (EEA) to:

  • Follow your instructions
  • Comply with a legal duty
  • Work with our agents who we use to help us provide services to you

Safeguards include contractual obligations imposed on the recipients of your personal data. Those obligations require the recipient to protect your personal data to the standard required in the European Economic Area. Safeguards also include requiring the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing and where the framework is the means of protection for the personal data.

We protect your data using robust security and IT encryption measures in line with MNFL Security Policies. You should also note that whenever fraud prevention agencies transfer your personal data outside of the European Economic Area (EEA), they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the EEA. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing. For information about data transfers of your personal data outside the EEA, please contact us.

 

DATA RETENTION AND STORAGE

All personal data you provide to us, or which we obtain from third parties, will be stored on our secure servers (or those of third parties or contractors we engage to help us run our business).  We will keep information no longer than we need to for the purpose for which we collected it.  The period of time for which we keep personal data depends on the legal and regulatory requirements, the purpose for which the information was obtained, and our business needs.

If your application is declined, we shall keep your personal data for up to 12 months in order to allow us to answer any queries which you may have about your application or to respond to any claims (Credit Reference Agencies may keep your data for longer).  We do so on the basis that we have a legitimate interest in responding to such queries.

We only keep your data for as long as necessary and there are different retention periods for different categories of data. A copy of our retention policy and associated schedule can be found on our intranet.

Data on Tapes / ICO guidance:

Personal data may be held for a longer period due to business continuity and backup procedures. This is in line with ICO guidance on retention of data which has been backed up (please see Useful Links). This information is not accessible on MNFL systems and will not be used for any other purpose.

 

YOUR RIGHTS

You have the following rights (subject to certain statutory exemptions): 

  • To opt-out of receiving marketing information, or withdraw your consent to receive marketing information if provided on a previous occasion;
  • To be informed about the processing of your personal data (this is what this statement sets out to do). We must be transparent with you about the processing that we do with your personal data.  This is why we have a privacy policy.  The information that you supply is determined by whether we collected your personal data directly from you or indirectly via someone else (such as an agency or other intermediary).  Your right to be informed may be relevant if you consider it necessary to ask for more information about what we do with your personal data.;
  • To have your personal data corrected if it’s inaccurate and to have incomplete personal data completed in certain circumstances. If we have disclosed the personal data in question to other organisations, we must inform them of the rectification where possible.  Your rights in relation to rectification may be relevant if you consider that we are processing inaccurate or incomplete information about you;
  • To object to processing of your personal data where it is based on legitimate interests, or where it is processed for the purposes of statistics.  Your rights to object may be relevant if you wish to find out more about what legitimate interests we rely on (they are listed in our privacy policy). You can object to profiling including automated decision making which has a legal effect or can otherwise significantly affect you (see below) 
  • To withdraw your consent (when previously given) to processing of your personal data; 
  • To restrict processing of your personal data for instance where you contest it as being inaccurate (until the accuracy is verified); where you have objected to the processing (where it was necessary for legitimate interests) and we are considering whether our organisation’s legitimate interests override your own; where you consider that the processing is unlawful (and where this is the case) and where you oppose erasure and request restriction instead; or where we no longer need the personal data for the purposes of the processing for which we were holding it but where you require us to continue to hold it for the establishment, exercise or defence of legal claims.;
  • To have your personal data erased; (also known as the “right to be forgotten”).  This enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.  This right is not absolute – it applies only in particular circumstances and where it does not apply any request for erasure will be rejected.  It may be relevant where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed; if the processing is based on consent which you then withdraw; when you object to the processing and there is no overriding legitimate interest for continuing it; if the personal data is unlawfully processed; or if the personal data has to be erased to comply with a legal obligation.   Requests for erasure may be refused in circumstances such as where the personal data must be retained to comply with a legal obligation or to exercise or defend legal claims.
  • To request access to your personal data, to obtain confirmation that it is being processed, and to obtain certain prescribed information about how we process it.  This may assist if you wish to find out what personal data we do have about you to then determine if you can exercise other rights (those mentioned above and below).  You can exercise this right by contacting us. There is no charge for this service and we will respond within one month (except in extenuating circumstances).   There are exceptions to disclosure of your personal data, for example where the data is protected by legal professional privilege or any data from which a third party could be identified. 
  • To move, copy or transfer your personal data (“data portability”). This allows individuals to obtain and reuse their personal data, which they have provided to the data controller, for their own purposes across different services; to move copy or transfer their personal data easily from one environment to another in a safe and secure way without hindrance to usability.  This right can only be relevant where personal data is being processed based on a consent or for performance of a contract and is carried out by automated means. This right is different from the right of access (see above) and that the types of information you can obtain under the two separate rights may be different. You are not able to obtain through the data portability right all of the personal data that you can obtain through the right of access.; and
  • Rights relating to automated decision making which has a legal effect or otherwise significantly affects you. This right allows individuals in certain circumstances to access certain safeguards against the risk that a potentially damaging decision is taken solely without human intervention.  This right is different from the more general right to object to profiling (see above) because that other right is not tied to a scenario where there is a legal effect on you or where the processing otherwise significant affects you.  Data protection laws prohibit this particular type of automated decision making except where it is necessary for entering into or performing a contract; is authorised by law; or where you have explicitly consented to it.  In those cases, you have the right to obtain human intervention and an explanation of the decision and you may be able to challenge that decision  

If you are unhappy about how your personal data has been used you can contact us using the details below. You also have a right to complain to the Information Commissioner's Office (https://ico.org.uk), which regulates the processing of personal data.                        

If you:

  • Would like more information about how we process personal data;
  • Are unable to access of any of the links or further information referred to in this document; or
  • Would like to exercise any of your data protection rights,

Please contact us using the contact details set out at the bottom of this policy.

 

CREDIT REFERENCE AGENCY INFORMATION NOTICE

The Credit Reference Agencies we use have produced a Credit Reference Agency Information Notice ("CRAIN") which details how they will use your data after we provide them with your Agreement information. The CRAIN is available at www.experian.co.uk/crain; www.equifax.co.uk/crain.html or www.callcredit.co.uk/crain.

Useful Links

ICO website

ICO Data Retention / Right of Erasure Guidance

CIFAS

CIFAS Privacy Notice

Curve Group Privacy Notice

 

Contacting Us

We can be contacted by telephone on 0333 200 0030 or email info@motonovofinance.com.

You can contact our Data Protection officer at the following address:

Data Protection Officer

MotoNovo Finance Limited

Cardiff 

CF10 1FS

Email DPO@motonovofinance.com 

You can send HR related queries and requests to HR@motonovofinance.com