Suttons and Robertsons is a trading name of Hopkins & Jones Ltd, 88 Fleet Street, London EC4Y 1DH. Registration Number: 433606; Data protection registration number ZA331442. We are responsible under data protection laws for our processing of your personal information which we also refer to as personal data in this Policy. Your personal information means any data which, either by itself or with other data held by us or available to us, can be used to identify you. Further details of the personal information we process about you is set out below in this Policy.
We understand that your privacy is extremely important to you. As a result we have put in place a number of measures to ensure that any personal data we obtain from you is processed and maintained in accordance with accepted principles of good information handling also in accordance with the data protection laws. This Policy provides you with details of the type of personal information we may hold about you, how we obtain and use any personal information and how we protect your privacy.
1. OBTAINING YOUR PERSONAL INFORMATION
1.1 – The personal information we collect about you may be stored and processed electronically in hard copy records. It is collected by us from the following sources:
- (a) from you;
- (b) from third parties, such as fraud prevention agencies when you apply for an account or any other product or service or which you or they give to us at any other time;
- (c) from the way you use and manage your account(s), from your transactions and from the payments made to your account; and
1.2 – If you email a question to email@example.com, or register your interest in our product(s) or service(s), then it will be necessary for us to collect and process your personal information about you in order to email a reply or, respond to you.
1.3 – The categories of your personal information that we may collect are as follows:
- 1.3.1 – Directly from you
Personal information such as, but without limitation:
- E-mail address
- Home address and residential status (i.e. whether you are a homeowner or renting)
- Telephone numbers if provided
- Date of birth
- The name of your employer
- Income details, including your pay dates, amount of pay and any other income
- Expenditure details
- Bank account details, including debit card details
- Marital status
- Any other information you choose to provide to us, such as if you contact us via email and include additional information about yourself in that message.
We are unable to provide you with the product or service you are applying for unless we collect this personal information from you. In cases where provision of certain information is optional, we will make this clear as part of the application process, including if you are seeking your consent to process it (as relevant).
In addition, see the information in paragraph 4 since we may collect your personal information from credit reference fraud prevention agencies.
2. USE OF COLLECTED INFORMATION AND THE LEGAL BASIS FOR THIS
2.1 – The information we collect about you will be recorded electronically may be used in the following ways:
2.1.1 – To verify your identity and to enable us to consider and process your application for a Pawnbroking loan or other products or services. Our legal basis for processing your personal information for this purpose is that it is necessary for our legitimate interests of carrying out our business of providing our products and services. This is also necessary in preparation for entering into a contract with you.
2.1.2 – To detect, prevent and investigate actual potential fraud related activities. Our legal basis for this is complying with our legal obligations.
2.1.3 – To collect payment from you. Our legal basis for processing your personal information for this purpose is that it is necessary for our legitimate interests of carrying out our business and providing our products and services. This is also necessary to perform the contract we have with you.
2.1.4 – To develop, manage and market products and services to meet your needs, our legal basis for processing your personal information for this purpose is our legitimate interest. To contact you for external products and services that may be of interest, to determine your eligibility for different external products and services that you may be interested in- this we describe as Direct Marketing. Our legal basis for processing your personal information for this purpose is your consent.
2.1.5 – To help us to administer and service your account with us. Our legal basis for processing your personal information for this purpose is that it is necessary to perform our contract with you and also for our legitimate interest in order to provide you with the necessary service following your purchase of one of our products.
2.1.6 – To contact you in connection with your enquiry, even if you do not proceed to complete an application with us. Our legal basis for processing your personal information for these purposes is that it is necessary for our legitimate interests of servicing requests for information from people who might become customers of finding out why you decided not to proceed so that we can in the future better our product and service offerings to customers in general. In the unlikely event that we include Direct Marketing information in these calls we will only do so where we have your consent.
2.1.7 – To extract certain information for the purpose of generating statistics for our own internal purposes (including market product analysis). Where we do this statistic related processing in order to improve our own internal processes, our legal basis for processing your personal information for these purposes is that it is necessary for purposes of legitimate interests pursued by us (which are development improvement of our products and services).
2.1.8 – To update our website to better meet our clients’ needs in the future. Our legal basis for processing your personal information for this purpose is that it is necessary for purposes of legitimate interests pursued by us (which are ensuring that the Website is presented as effectively as possible for you).
2.1.9 – To notify you about changes to our service. Our legal basis for processing your personal information for this purpose is that it is necessary for our legitimate interests of updating you if there is a change to our service we need to tell you that because e.g. it might impact a current product you have, for instance if a store is closed where your pawnbroking pledge is being held it will be necessary to contact you to let you know when the store will open again or an alternative location where you can redeem your pledge.
2.1.10 – To comply with legal regulatory requirements to which we are subject, to establish and defend legal rights, to prevent, detect and investigate crime to deal with requests to exercise your rights under data protection law (as relevant). The legal basis for this is compliance with our legal obligations.
3. SHARING YOUR INFORMATION WITH THIRD PARTIES
3.1 – We may share your personal information with any member of our group or affiliated companies for the reasons set out above who may process your personal information for the purposes described in Section 3.2.1 (onwards) below.
3.2 – Sometimes (and with your approval where required), we will share your information with carefully selected third parties outside our group. We may do this for the following reasons:
3.2.1 -To our agents, staff and approved third parties to carry out services for us (such as providers of legal professional services (including auditors) third parties who send communications on our behalf). Our legal basis for processing your personal information for this purpose is that, in the majority of cases, it is necessary for our legitimate interests (these are described above throughout section 2.1 above) to perform our contract with you (or in order to take steps at your request prior to entering into a contract with you).
3.2.2 – To facilitate the processing of debit card and credit card payments made by you, we may also share your personal data with third party payment processing service providers. This is processing that is necessary for our legitimate interests.
3.2.3 – To provide you with information about special promotions and offers as referred to in the “Keeping You Informed” section below. Our legal basis for processing your personal information for this purpose is our legitimate interest.
3.2.4 – To protect us, our group of affiliated companies or others. We may share your information with third parties when we believe it is necessary to comply with the law or protect our or another person’s rights, property, or safety. This includes exchanging information with third parties (such as other lenders, law enforcement agencies and regulatory authorities) to protect against fraud and reduce risks. Our legal basis for processing your personal information for this purpose is that it is necessary for compliance with our legal obligations and in other cases it may be for our legitimate interests of responding to requests from law enforcement agencies.
3.2.5 – If there is (or is to be) any change in ownership of our business or assets then we may wish to share your information so that the new (prospective) owners may continue to operate our business effectively and continue to provide services to our customers. This may include new shareholders or any organisation that might take an assignment or transfer of any agreements we have entered into with our customers. Our legal basis for processing your personal information for this purpose is that it is necessary for purposes of legitimate interests pursued by us and/or new (prospective) owners (which are, for new/prospective owners, shareholders other organisations acquiring our business, to conduct due diligence in order to make a decision around acquiring our business (or a stake in our business). The purchaser of our business assets may then rely on its own lawful reasons for processing when it has your personal information – you should refer to its privacy notice.
3.2.6 – We may share your personal information with other people if you give us consent – this would be our legal basis for that sharing.
We will place appropriate obligations and restrictions on third parties to protect your personal information, in line with our obligations under data protection laws.
In addition see the information in paragraph 4 since we may share your personal information with fraud prevention agencies.
4. FRAUD PROTECTION AGENCIES
4.1 – Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, to verify your identity. These checks require us to process personal data about you.
4.1.1 – The personal data you have provided, we have collected from you, or we have received from third parties may include your:
- date of birth
- residential address history
- contact details such as email address telephone numbers
- financial information
- employment details
- identifiers assigned to your computer or other internet connected device including your Internet Protocol (IP) address
- vehicle details
When fraud prevention agencies process your personal data, we do so on the basis that we have a legitimate interest in preventing fraud and money laundering, to verify identity, in order to protect our business to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
We, fraud prevention agencies, may also enable law enforcement agencies to access use your personal data to detect, investigate and prevent crime.
Fraud and prevention agencies can hold your personal data for different periods of time, if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
4.1.2 – As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if:
- our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers; or is inconsistent with your previous submissions; or
- you appear to have deliberately hidden your true identity.
You have rights in relation to automated decision making: if you want to know more please contact us using the details above.
4.1.3 – If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.
4.1.4 – Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
4.1.5 – Your personal data is protected by legal rights, which include your rights to:
- object to our processing of your personal data;
- request that your personal data is erased or corrected;
- request access to your personal data.
For more information or to exercise your data protection rights, please contact us using the contact details below.
If you are unhappy about how your personal data has been used please refer to our company complaints policy (a copy of this is also available in store). You also have a right to complain to the Information Commissioner’s Office, which regulates the processing of personal data https://ico.org.uk/.
4.2 – AUTOMATED DECISIONS MAKING INCLUDING PROFILING
4.2.1 – You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
5. USE OF YOUR INFORMATION OUTSIDE OF THE UK
5.1 – Some companies within our group of affiliated companies, sometimes other third parties with whom we share personal information, are or may be located outside the UK and the EEA (as it is made up from time to time). In addition, some of our service providers may be located outside the UK and the EEA or use data processing locations outside the UK and the EEA.
When we share your personal information with these certain other third parties, your personal information will be transferred outside of the UK (and in some cases outside of the EEA). Where adequate protections for your personal information do not exist under applicable laws, steps will be necessary to ensure that appropriate safeguards apply to maintain the same levels of protection as are needed under UK data protection laws.
Safeguards include contractual obligations imposed on the recipients of my personal data. Those obligations require the recipient to protect my personal data to the standard required under UK data protection laws. Safeguards also include requiring the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing where the framework is the means of protection for the personal information. For more information about these appropriate safeguards, others as may be relevant from time to time, including to obtain a copy of them or to find out where they have been made available, you can contact us using the details below.
6. METHODS OF CONTACT
Unless you have advised us to the contrary, we may contact you by telephone, SMS, post or email to send you information communications about your application the product or service you obtain from us if that application is successful. These are service communications not marketing. (Please see the ‘Keeping You Informed’ section below regarding how you may be contacted for marketing purposes).
7. WHAT CRITERIA DO WE USE TO DETERMINE HOW LONG WE KEEP YOUR PERSONAL INFORMATION
7.1 – How long we keep your personal information for depends on the basis on which it was provided, generally however:
7.1.1 – We will keep the information that is necessary to enable us to provide you with a service that you have requested for as long as it takes us to provide that service.
7.1.2 – If you have asked that we do not use your details for marketing purposes, we may still need to keep them in relation to that purpose to ensure our systems reflect your preferences.
7.1.3 – We will keep records of any transactions you enter into so that we can respond to any complaints or disputes that arise and deal with any claims in relation to such transactions (including protecting or enforcing our legal rights). Otherwise we will keep the information where appropriate for our legitimate business needs for as long as necessary to do so, such as for the purposes of regulatory reporting, auditing, anti-money laundering/fraud investigations and credit file reporting.
7.1.4 – If you apply for a product or service and are unsuccessful, we will keep your personal information for as long as we reasonably need to in case of questions or queries from you in relation to the application.
7.1.5 – We will keep other personal information about you if it is necessary for us to do so and to comply with the law or our regulatory obligations, or where appropriate for legitimate business needs (including the purposes described at section 7.1.3 above).
8. KEEPING YOU INFORMED
8.1 – From time to time we would like to contact you by SMS, post, email, or telephone, with offers relating to products of ours which we think you might be interested in. We will not offer you Direct Marketing products from external third parties.
8.2 – If you do not want these communications, you can advise us and we will not communicate further to you in this way. Please contact us to opt-out. You can also change your mind at a later date.
8.3 – If you do indicate in the way described at section 8.2 that you do not want to receive communications from us, please note that this will not prevent us from being able to provide you with the products or services you are applying for – this is separate to the issue of marketing communications. You will not receive any marketing from us and we will not share it with anyone else for it to send marketing to you.
If you provide us with your consent, you have the right to withdraw it at any time by emailing firstname.lastname@example.org or by requesting this in store. We will process your request to withdraw consent for marketing communications as promptly as possible, however this may take up to 5 working days, during which time you may still receive marketing communications from us. In addition certain rights under privacy law can be relevant where processing of your contact details is based on consent such as erasure portability – please see below.
9. YOUR RIGHTS IN RELATION TO YOUR PERSONAL INFORMATION
The rights explained in this paragraph apply to you in relation to the company which is data controller of your information. The data controller is the entity which determines the purposes and means of the processing of your personal information. We are a data controller of your personal information therefore you are entitled to make requests to us to exercise your rights in relation to your personal information controlled by us. However, we can only comply with your requests to the extent that we are a data controller of your personal information – if your request relates to any other companies (including affiliated companies within our group), you must make a separate request to them to exercise your rights.
9.1 – Under data protection laws, you have the right to make the following requests in relation to your personal information. Please be aware that these rights do not apply in all circumstances. If you seek to exercise one against us we will explain to you at that stage whether or not the right does apply to you based on the facts.
- Access: You have the right of access to your personal information that we hold about you as a data controller (although certain exceptions may apply). In certain instance you may be required to pay a reasonable fee based on our administrative costs and if requesting further copies. You will need to make a separate request and pay a separate fee for each company within the group of affiliated companies whose records you wish to access. This right will enable you to obtain confirmation that your personal data is being processed, to obtain access to it, to obtain other supplementary information and about how it is processed. In this way you can be aware of and you can verify the lawfulness of your processing of your personal data.
- Rectification: You have the right to request that we rectify any inaccurate personal information about you (we also require you to informa us if your personal data is inaccurate or out of date – see paragraph 10.1 below). This includes the right to have any incomplete personal data completed (taking into account the purposes of the processing), including by means of providing a supplementary statement;
- Erasure (‘right to be forgotten’): In certain circumstances, you have the right to request that we erase your personal data. This right is not absolute – it applies only in particular circumstances where it does not apply any request for erasure will be rejected. Circumstances when it might apply include where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed, if the processing is based on consent which you then withdraw, when there is no overriding legitimate interest for continuing the processing, if the personal data is unlawfully processed, or if the personal data has to be erased to comply with a legal obligation. Requests for erasure will be refused where that is lawful and permitted under data protection law for instance where the personal data has to be retained to comply with legal obligations or to exercise or defend legal claims;
- Restriction; In certain circumstances you have the right to request that we restrict our processing of your personal information, for instance where you contest it as being inaccurate (until the accuracy is verified); where you consider that the processing is unlawful where this the case; where you request that our use of it is restricted; or where we no longer need the personal data;
- Data portability: You have the right to request that we provide you with a copy, in a machine-readable portable format, of the personal information that you have provided to us, to request that we transmit it directly to another data controller. This right is only relevant where we are processing personal data based on a consent or a contract by automated means; this right is different from the right of access (see above) the types of data you can obtain under the two separate rights may be different; you are not able to obtain through the data portability right and all of the personal data that you can obtain through the right of access;
- Right to object: in certain circumstances you may have the right to object to our processing of your personal information. This right allows individuals in certain circumstances to object to processing based on legitimate interests, direct marketing (including profiling) and processing for purposes of statistics. However, in such a case we may be able to demonstrate that the processing is required on compelling legitimate grounds or for the establishment, exercise or defence of legal claims;
- Rights in relation to some automated decision making about you including profiling (as relevant) if this has a legal or other significant effects on you as an individual. This right allows individuals in certain circumstances to access certain safeguards against the risk that a potentially damaging decision is taken without human intervention.
- Please note that where we process your information for direct marketing purposes, you always have the right to object to that processing. Furthermore, where we are processing your personal information based on your consent, you have the right to withdraw your consent to the processing at any time. If you do this and if there is no alternative lawful reason which justifies our processing of your personal information for a particular purpose, this may affect what we can do for you. For instance, it may mean that we cannot take into account the data concerning your health in connection with arrears of payments or that you cannot receive any marketing from us about third party products and services and those of our group of companies (as relevant).
You have the right to complain to the Information Commissioner’s Office at any time (see below for more details).
10. UPDATE YOUR DETAILS/PREFERENCES
10.1 – If any data or information we hold about you is inaccurate or out of date then please let us know and this will be corrected where appropriate. Please see section 9.1 above for more details about the right to rectification.
10.2 – To exercise your rights as described in section 9, please contact us as set out at section 16.
11. SECURITY AND CONFIDENTIALITY
11.1 – Appreciating that both privacy security of your information is of the utmost importance, we have implemented technology security policies, rules and measures to protect the personal information we hold about you.
11.2 – We take the steps required by UK data protection law to protect your personal information. However, please be aware that there are inherent security risks of providing information dealing online over the internet and we cannot therefore guarantee the security of any data disclosed online, particularly during transmission from you to us. We ask that you do not provide us with any sensitive personal information online (please see the ‘Sensitive Information’ Section below) unless we specifically ask for this.
11.3 – To help protect your personal information, we take steps where possible to anonymise your personal information where it is not necessary for the information to be identifiable for the purposes of the processing – for example we anonymise your personal information before using it to test our IT systems.
12. SPECIAL CATEGORIES OF PERSONAL INFORMATION
Information about you which is considered special categories of (or ‘sensitive’) personal information under the data protection legislation, includes information about your medical or health conditions, racial or ethnic origin, genetic data, biometric data (for the purpose of uniquely identifying you), political opinions or trade union membership, religious or philosophical beliefs, sex life sexual orientation. (In addition there is a separate category called criminal convictions offences data which may be relevant if fraud or other crimes are suspected). (Please note that financial information is not considered by data protection legislation to constitute a special category of information). If we need to process special categories of personal information about you, you will be notified of such processing asked to specifically agree to the use of such information as appropriate. Otherwise we ask that you do not provide us with such information where we do not request it, for example in emails to us or on telephone calls.
13. TELEPHONE CALLS
If you call any of the telephone numbers quoted in our literature or in correspondence, we may record your call. These recordings are used for training, regulatory and quality control purposes to ensure that we continuously monitor improve our customer service standards.
This policy only applies to personal information collected or obtained by us when you apply for a product in-store, unless otherwise indicated in this policy.
16. CONTACT DETAILS
- By email at email@example.com ; or
- By post at Hopkins & Jones Limited, 88 Fleet Street, London EC4Y 1DH.
You have the right to lodge a complaint about our processing of your personal information with the Information Commissioner’s Office (https://ico.org.uk/) who is the supervisory authority who regulates our processing of your personal information in compliance with data protection laws.