1. ABOUT THIS POLICY
Your privacy is important to us and we want you to feel comfortable with how we use, share and process your personal information. This policy sets out how we handle your personal information, including when and why it is collected, used, processed, disclosed and how it is secured. Our contact details are at the end of this policy which you can use if you have any questions, including how to update or access your personal information or to make a complaint. This policy may change, so please check this page from time to time to ensure that you’re happy with any changes. This policy was last updated on 25 November 2019.
2. WHO WE ARE
Where this policy refers to “we”, “our” or “us” below, unless it mentions otherwise, it’s referring to FCA Automotive Services UK Ltd. FCA Automotive Services UK Ltd is part of the FCA Bank Group and our corporate structure is here. You can find our contact details here. We are usually the controller of your personal information. A ‘controller’ is a company that decides why and how your personal information is processed.
For some activities, we are joint data controllers – this means we share control of your personal information with others as follows:
- When you provide your personal information to your dealer before they propose your finance application to us, your dealer is the data controller. They may also process your data on their own IT/paper systems. We are not responsible for this. We are responsible for any of your personal information we receive from the dealer.
- Both we and your dealer are joint controllers of your personal data up to the point you take delivery of your vehicle.
- For marketing purposes, FCA Automotive Services UK Ltd and your dealer are joint data controllers (see Marketing below).
3. HOW AND WHAT PERSONAL INFORMATION WE COLLECT
We may collect and process the following personal information about you:
- Personal information you give to us: this is information about you that you give to us by entering information on our websites, social media pages, corresponding with us by phone, email or otherwise and is provided entirely voluntarily. It also includes information provided to your dealer when purchasing a vehicle or financial product (including making enquiries about purchasing a vehicle or financial product). We record all of our telephone calls for the performance of our contract with you. The information you give to us includes your name, contact details (such as phone number, email address and address), banking details, and enquiry details and may include your opinions about our products.
- Personal information we collect about you: we may automatically collect the following personal information: our web servers store as standard details of your browser and operating system, the website from which you visit our website, the pages that you visit on our website, the date of your visit, and, for security reasons, e.g. to identify attacks on our website, the Internet protocol (IP) address assigned to you by your internet service. We collect some of this information using cookies – please see Cookies in Section 9 for further information. We may also collect any personal information which you allow to be shared that is part of your public profile on a third party social network.
- Personal information we may receive from other sources: we obtain certain personal information about you from sources outside our business which may include our dealers or other third party companies. The personal information received is as described above.
- Special categories of personal data: this is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. We do not routinely process such data about you but during the performance of our contract with you, we may receive such data about you and process it.
4. HOW WE USE YOUR PERSONAL INFORMATION
4.1. Where required to perform a CONTRACT with you
We may use and process your personal information where it is necessary for the performance of a contract with you or in order to take steps, at your request, before entering into a contract with you, including for the following purposes:
- When you enquire about our financial products and services
- When you are a customer of one of our financial products or services
- When we make reasonable enquiries to assess your credit application and to confirm your identity (see Section 5.6 on Credit Reference Agencies)
- We may from time to time share your personal data with some of our suppliers (see Section 5.2 on Our Suppliers and Service Providers)
4.2. Where there is a LEGITIMATE INTEREST
We may use and process your personal information where it is necessary for us to pursue our legitimate interests as a business for the following purposes:
- for analysis, and profiling to inform our marketing strategy, and to enhance and personalise your customer experience
- for market research in order to continually improve the products and services that we and our authorised dealers deliver to you
- to administer our websites and for internal operations, testing, statistical purposes and pricing
- for marketing activities (other than where we rely on your consent) e.g. to tailor marketing communications or send targeted marketing messages via social media and other third party platforms
- for the prevention of fraud, crime and money laundering
- to undertake credit checks for finance
- to correspond and communicate with you
- to create a better understanding of you as a customer or visitor
- for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access
- to comply with a request from you in connection with the exercise of your rights, for example, where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request
- for the purposes of a corporate restructure or re-organisation or sale of our business or assets
- for efficiency, accuracy or other improvements of our databases and systems e.g. by combining systems or consolidating records we or our group companies hold about you
- to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings
- for general administration including managing your queries, complaints, or claims.
- It may be necessary from time to time to share your personal data with our regulators, including the Financial Conduct Authority and the Information Commissioner’s Office.
4.3. Where you have provided CONSENT
We may use and process your personal information where you have consented for us to do so for the following purposes:
- to enable us to carry out a credit reference search (see section 5.6)
- to enable us to process special categories of personal data (see section 3)
- for direct marketing purposes where you have chosen not to opt-out of receiving marketing communications (see section 10).
4.4. Where required to comply with our LEGAL OBLIGATIONS
We will use your personal information to comply with our legal obligations including:
- to assist HMRC, the Police, the Driver and Vehicle Licensing Agency (DVLA), any other public authority or criminal investigation body
- to identify you when you contact us, and
- to verify the accuracy of data that we hold about you.
4.5. Where it is in your VITAL INTEREST
We may use your personal information to contact you if there are any urgent safety or product recall notices to communicate to you or where we otherwise reasonably believe that the processing of your personal information will prevent or reduce any potential harm to you. It is in your vital interests for us to use your personal information in this way.
5. OTHERS WHO MAY RECEIVE OR HAVE ACCESS TO YOUR PERSONAL INFORMATION
5.1. Group companies
We may share your information with other companies within the FCA Bank Group. This rarely happens and would usually be for reporting or statistical purposes or as part of our investigation of a complaint.
5.2. Our suppliers and service providers
We may disclose your information to our third party service providers, agents, subcontractors and other organisations for the purposes of providing services to us or directly to you on our behalf. Such third parties may include IT services providers, Credit Reference Agencies (see section 5.6) and administrative services or other third parties who provide services to us. A list of our main suppliers is available here. When we use third party service providers, we only disclose to them any personal information that is necessary for them to provide their services and we have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions.
5.3. Authorised dealers in our network
We work with a number of dealers around the UK. They may use your personal information in connection with the financial products and services you take out with us. Here is a list of our dealers.
5.4. Third parties who provide products and services
5.5. Other ways we may share your personal information
We may transfer your personal information to a third party as part of a sale (or a preparation for sale) of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation.
We may also transfer your personal information if we’re under a duty to disclose or share it in order to comply with any legal obligation (e.g. by sharing your personal information with the DVLA or our regulators), to detect or report a crime, to enforce or apply the terms of our contracts or to protect the rights, property or safety of our visitors and customers. However, we will always take steps with the aim of ensuring that your privacy rights continue to be protected.
5.6. Credit Reference Agencies (CRAs)
We will share your personal information with credit reference agencies in the following circumstances:
- As part of our investigation into whether our finance products are suitable for your needs
- If we are concerned you have provided inaccurate data
- If we suspect fraud
- If we want to verify your identity
- If we need to carry out reasonable investigations during your Agreement
Before we submit your personal data to the CRAs, we require your consent and your dealer will discuss this with you.
Unfortunately, if you do not consent, we are unable to underwrite your application so your application for our product(s) will proceed no further. During the underwriting process, we will share your personal data with Experian and Equifax. If you electronically sign your finance agreement, we will share your personal data with TransUnion.
These credit reference agencies will also share data about you with other companies and organisations. Full information on how CRAs process your data is available here. This is known as the Credit Reference Agencies Information Notice (“CRAIN”) and a printed copy is available from your dealer.
5.7. Fraud Prevention Agencies
Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.
The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details.
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk or if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us using the details above. Further information regarding automated decisions is provided under section 8.6 of this policy.
Consequences of Processing
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.
Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data; request that your personal data is erased or corrected; request access to your personal data.
For more information or to exercise your data protection rights, please contact us using the contact details above.
You also have a right to complain to the Information Commissioner's Office which regulates the processing of personal data.
6. WHERE WE STORE YOUR PERSONAL INFORMATION OUTSIDE THE EEA
All information you provide to us may be transferred to countries outside the UK and the European Economic Area (EEA). We are working with some third party service providers who are located in a country outside of the UK and the EEA (for example some of our IT providers have service centres in Australia, Canada and India). These countries may not have similar data protection laws to the UK. In such cases, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy. These steps include imposing contractual obligations on these providers, including the appropriate model contractual clauses that aim to ensure adequate protection. Please contact us using the details at the end of this policy if you would like more information about the protections that we put in place. If you use our services whilst you are outside the EEA, your information may be transferred outside the EEA in order to provide you with those services.
7. HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION
If we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws. We have documented this in our Data Retention Policy. We do not retain personal information in an identifiable format for longer than is necessary. We may need your personal information to establish, bring or defend legal claims, in which case we will usually retain your personal information for 6 years after the last occasion on which we have used your personal information in one of the ways specified in How we use your personal information Section 4. The only exceptions to this are where:
- the law requires us to hold your personal information for a longer period, or to delete it sooner
- you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted in this policy, or because we are required under the law (see further, Erasing your personal information or restricting its processing in Section 8.7), and
- in limited cases, the law permits us to keep your personal information indefinitely provided we put certain protections in place.
8. YOUR RIGHTS
8.1. Your ‘data subject’ rights
You have a number of rights in relation to your personal information under data protection laws. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within 30 days after we have received this information or, where no such information is required, after we have received your request.
We will aim to deliver the data you request; however, it may not always be possible. If your request is excessive or unfounded or would require a disproportionate effort to meet, we may charge a reasonable fee. Unfortunately, in some cases we may not be able to provide you with all of the data you request. If that happens, we will explain why.
8.2. Accessing your personal information
You have the right to ask for a copy of the information that we hold about you by emailing or writing to us (contact details here). We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.
8.3. Correcting and updating your personal information
8.4. Withdrawing your consent
Where we rely on your consent as the legal basis for processing your personal information, as set out under How we use your personal information in Section 4, you may withdraw your consent at any time by contacting us using the details here.
If you would like to withdraw your consent to receiving any direct marketing, please refer to Marketing in Section 10.
8.5. Objecting to our use of your personal information
Where we rely on our legitimate business interests as the legal basis for processing your personal information for any purpose(s), as set out under How we use your personal information in Section 4, you may object to us using your personal information for these purposes by emailing or writing to us at the address at the end of this policy.
Except for the purposes for which we are sure we can continue to process your personal information, we will usually temporarily stop processing your personal information in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data.
8.6. Automated decisions made about you
When we underwrite our customers, as part of our investigations and assessments into the suitability of our finance products for them, we may automatically accept or decline your application based on a set of predefined criteria.
We also use automated data processing to assist in compliance with our legal obligations in connection with prevention of money laundering, fraud and terrorist financing, for example, to screen for suspicious transactions.
You may contest a decision made about you based on automated processing and request a natural person to make this decision, by contacting your dealership. If your finance application is automatically declined, you will be provided with details on how to object.
8.7. Erasing your personal information or restricting its processing
In certain circumstances, you may ask for your personal information to be removed from our systems by contacting us using the details here. Unless there is a reason that the law allows us to use your personal information for longer, we will make reasonable efforts to comply with your request. You may also ask us to restrict processing your personal information in the following situations:
- where you believe it is unlawful for us to do so
- when you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings.
In these situations, we may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so; for example, for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.
8.8. Transferring your personal information in a structured data file (data portability)
Where we rely on your consent as the legal basis for processing your personal information or need to process it in connection with your contract, as set out under Section 4 How we use your personal information, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly-used and machine-readable form, such as a CSV file.
You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.
8.9. Complaining to the UK data protection regulator
You have the right to complain to the Information Commissioner’s Office (ICO) if you are concerned about the way we have processed your personal information. Please visit the ICO’s website for further details.
9.1. Security measures we put in place to protect your personal information
We use technical and organisational security measures to protect the personal information supplied by you and managed by us against manipulation, loss, destruction, and access by third parties. Our security measures are continually improved in line with technological developments. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information whilst in transit to our website and any transmission is at your own risk. Where we have given (or where you have chosen) a password which enables you to access an account, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
9.2. Use of 'cookies'
'Cookies' are small pieces of information sent to your device and stored on its hard drive to allow our websites to recognise you when you visit. Information on the cookies that we use and their features can be found here.
9.3. Links to other websites
9.4. Social plugins
We or our marketing agents may contact you with targeted advertising delivered online through social media and platforms (operated by other companies) by using your personal information, or use your personal information to tailor marketing to improve its relevance to you, unless you object.
For marketing purposes, FCA Automotive Services UK Ltd and your dealer are joint data controllers. Together we rely on our legitimate interests to market similar products and services to you.
When you sign your finance agreement, you are giving each of us your permission for the duration of your Agreement to communicate with you about products and services we each may think are of interest to you. You may opt-out of receiving marketing communications before you sign the agreement or at any time afterwards.
Each of us may contact you by telephone, email, SMS and post. We may also analyse our customer databases to enable us to do targeted marketing (known as ‘profiling’).
SMS, telephone and email are known as ‘electronic marketing’ and we are required to ask your permission to communicate with you in these ways. Before you sign your agreement, you will be given an opportunity to opt-out. If you did not opt-out at the time you signed your agreement with us, we regard your permission to electronic marketing to be valid for the entire duration of the agreement. Of course, you may opt-out at any time.
When you signed your agreement with us (unless you opted-out), you gave us permission to market to you by telephone, email, SMS and post. If you would like to change these communication preferences please let us know.
From time to time we carry out marketing activities which are targeted towards a selected group of customers. In order to select those customers, we may use what is known as ‘profiling’, for example selecting our customers by age, gender or location.
10.3. Opt out from marketing communications
As well as being given the opportunity to opt-out when you signed your agreement, you may opt-out of marketing communications at any time in the following easy ways:
Customer Area: if you are registered to use our customer self-service portal, you may use it to update your marketing preferences at any time
Telephone: please call us at 0344 5614738
Post: please write to us at this address – PO Box 4465, Slough, SL1 0RW
We may collect your preferences to send you marketing information directly from us by email / post / telephone / SMS, if you request a quote for one of our products or services on our websites (FCA Automotive Services UK Ltd and our brands’ websites).
10.5. Use of suppliers and agents to communicate with you for marketing purposes
We have appointed many of our dealers and Fiat Chrysler Automobiles UK Ltd as our processors to carry out marketing activities on our behalf. They may contact you if we ask them to but only if you have not opted out of marketing communications.
Please note, you may be invited by FCA Italy SpA to consent to future marketing communications from the FCA group. FCA Italy SpA acts as data controller in their own right, and this is a separate and independent relationship from us (FCA Automotive Services UK Ltd) or your dealer.
11. CHANGES TO THIS POLICY
We may review this policy from time to time and any changes will be published on our website. We may also contact you by email. Any changes will take effect 7 days after the date of our email or on the date on which we post the modified terms on our website, whichever is the earlier. We recommend that you regularly check for changes and review this policy when you visit our website.
If you have any queries about any aspect of our policies, please do not hesitate to contact us.
12. CONTACT OUR DATA PROTECTION OFFICER
If you want to contact us about anything in this policy or for any further query, please contact our Data Protection Officer (DPO) at:
Telephone: 0344 5614738; one of our customer service team will answer and will redirect the call to the DPO
Post: PO Box 4465, Slough, SL1 0RW, indicating “for the attention of the Data Protection Officer”