This Data Privacy Notice for Loan Customers provides information on the following:
- Fi-nest as a Data Processor
- Personal Data: Definition
- Our lawful bases for processing your data
- How we process personal data
- Types of personal data we process
- Where we obtain personal data
- How we store data
- How long we store personal data
- Who we share personal data with
- Special Category data
- Accuracy of personal data collected
- Your rights as a data subject
- How to make a complaint
- Compliance and updates to this Privacy Notice
Fi-nest as Data Processor
Fi-nest Ltd, as a third-party loan administrator, is the data processor for our Lender Clients’ (Data Controller) customer data and takes seriously the safeguarding of that data. In our capacity as loan administrator we collect, maintain and keep secure certain personal information related to the Lender’s loan contracts with their loan customers for the purposes of carrying out activities for, and in relation to, loan administration, including any processes required in order to comply with current regulations in force. Any personal data that is shared is shared solely with parties relevant to, and for the purposes of, loan administration processes.
There may be specific circumstances in which we would require your consent in order to collect, share or otherwise process certain personal data, which shall be explained in the event that any such circumstance arises. For further details on this please read, in particular, the section on Special Category Data, below.
Personal Data Definition
Personal Data refers to any information a company collects, records, shares or otherwise processes relating to an individual which can then be used to identify that person, whether by location (address) or other personal information pertaining to that individual (name, e-mail address, image or insurance number, for example) which has the effect of either directly or indirectly identifying them.
Our lawful bases for processing your personal data
The General Data Protection Regulations 2016 (GDPR), currently in force, set out certain requirements in terms of the legitimate reason(s), referred to as “lawful bases”, a company needs to be able to demonstrate in order to be legally entitled to process personal data.
The following reasons explain our lawful bases for the processing of personal data:
Performance of a Contract
Our lawful basis for processing personal data, for the most part, is that it is necessary in order to carry out the loan administration services we provide, required for performance of the loan contract entered into by the individual whose personal data we process, on behalf of the Lender (the data controller).
Some aspects of loan administration require the processing of personal data in order to fulfill a legal or regulatory obligation, such as: the processing of data in order to send interest statements, or to provide information to a solicitor for Land Registration purposes, or the obligation to retain records containing personal information for certain prescribed periods of time, in accordance with the FCA (Financial Conduct Authority) regulations in force. Other instances in which processing of data is necessary to comply with a legal obligation would be in the case of any requests from a legitimate legal authority for the purposes of an enquiry, for example in relation to fraud or crime prevention or detection.
From time to time, at a lender’s discretion and not on a frequent basis, information may be sent to a loan customer offering the customer a discount on their existing loan sum for a limited period of time. We believe that this is information that customers will want to receive, wherein the processing of data in order to make contact in writing, with details of such an offer, in terms of a lawful basis, constitutes a Legitimate Interest. However, if you would not like to receive details of any occasional “promotions” of this type, you do have the right to object to us processing your data for this purpose. Please see the section on Your Rights, below, for further information on how to contact us to let us know that you do not wish to receive any such details, and also on your other rights as a data subject.
In certain very specific circumstances there may be occasions where we would need to ask for a loan customer’s consent in order to collect, share or otherwise process certain sensitive personal details. An example of such a case would be:
In line with our policy for the treatment of vulnerable customers, we may wish to collect certain sensitive data (known as Special Category data) related to a customer’s mental health, should it become apparent that there may be difficulties, in relation to repayment of the loan, due to a mental health condition which is affecting a customer’s capacity to manage their financial affairs.
In this scenario, the information would be collected in order to assess or review possible courses of action in relation to the repayment of the loan. Without the customer’s consent to collect such data it is unlikely we would have sufficient information in order to be able to carry out an evaluation in this regard. For further information, please see the section below, regarding Special Category Data.
Having provided consent, a customer has the right, at any time to withdraw it. Please refer to the section below on “Your Rights” for further information on withdrawing consent.
How we process personal data
Fi-nest receives, stores, collects, updates and, where necessary, shares with appropriate parties, personal data solely for the purposes of carrying out the administrative activities necessary for the performance of the loan contracts that we administer on behalf of the Lender (Data Controller) including, where necessary, the processing of data in order to fulfil any legal obligation.
Types of personal data we process
Information that we hold or may hold, or may collect from the Lender, the loan customer, or other sources, depending on the loan administration activities performed during the life of the loan, include:
- Name, Address, telephone number(s), e-mail address, including details of any other party to be added to the loan agreement.
- Details of the loan agreement
- Certain basic financial statistics pertaining to a current or proposed first mortgage
- Certain information on a loan customer’s current financial status, when specifically required for the purposes of a Lender assessment and/or review of decisions linked to repayment or postponement of the loan.
- In very specific circumstances, where appropriate: details related to a loan customer’s mental health condition, where it impedes their ability to handle their financial affairs.
Where we obtain personal data
The personal data that we process is supplied to us initially by the Lender, (Data Controller) and subsequently updated or amended from time to time and wherever necessary by information supplied by the loan customer themselves or by their legal or financial representative, during the course of any administrative activity we perform on behalf of that loan customer.
We may collect personal data from a loan customer during the loan term, in order to update, amend or complete certain information we hold or to assess, review or perform a specific loan administration activity where further information is required in order to provide that service, in accordance with and pertaining to the loan’s terms and conditions.
Examples of the above would be information we collect from a loan customer or their solicitor, or broker, for the purposes of effecting a transfer of equity, or providing our consent to a remortgage request.
Further sources of publicly available information which may be accessed and used to maintain, amend or complete certain personal data that we hold, could be for example: The relevant local Land Registry records or website.
Data is stored securely
Personal data pertaining to loan contracts we administer are stored electronically on our secure internal server, equipped with SonicWall firewall security and 256-bit encryption, and subsequently backed up to a GDPR-compliant Cloud-based server in Ireland, providing additional encryption, for the purposes of storage and retrieval.
We also hold, in some cases, hard copies (paper files) of certain documents containing personal data pertaining to loan contracts for our record keeping purposes. These hard copies are stored securely in our locked and alarmed premises and are kept for a period of time necessary for the completion of administrative work over the loan term, or longer, as required by law to fulfill certain regulatory obligations, then returned to the Lender (Data Controller), for their safeguarding.
How long we store personal data
Personal data is stored at least until the loan is repaid, thereafter data which has been held electronically is retained (stored securely) for our records and may be accessed for any post-redemption queries or review relating to the specific loan contract, but not otherwise processed, unless we have any legal obligation to do so, for example to comply with any regulation currently in force regarding retention of records, or for the prevention or detection of fraud by a legitimate legal body. Any data which is stored as hard copy (paper files relating to loan charges, for example) is returned to the Data Controller within approximately one year of the loan having been repaid, for their safeguarding.
Who we share data with
Fi-nest shares personal data only with those parties necessary for the processing activities carried out in our normal day to day business services related to loan administration and redemption, and solely for this purpose. In general this would involve the sharing of information with: a legal professional acting on the customer’s behalf during the term of the loan and the Lender or Lenders (the Data Controller(s)) and, where necessary depending on the loan administration activity, a customer’s mortgage broker, First Lender, valuer, or executor to a will. Only with a loan customer’s prior consent, and at their request, would we share or discuss any personal information with, or request information from, a personal representative acting on behalf of that customer, for example a Power of Attorney or other appointed representative. Where any printed materials in connection with the administration of a loan are to be provided to a customer which cannot be supplied by Fi-nest directly, Fi-nest ensures that our third-party printer supplier is also compliant with the current data protection and privacy regulations in force.
In summary: Fi-nest will never disclose personal data to any parties not directly connected with the performance of our services as loan administrators for the loan contract, other than in circumstances where we are legally obliged to do so. *(See below)
*Circumstances in which we do not require consent in order to share personal data
In accordance with GDPR 2016, wherever we are required by law to supply personal data to a relevant legal authority in compliance with a legitimate legal due process, such as those associated with crime or fraud prevention and detection, or where the processing of data is necessary in order to defend ourselves against any legal claim, we will do so without the need to ask for consent from the data subjects.
Special Category Data
In most cases it is highly unlikely that we would process any type of special category data (personal details pertaining to race, religion, political beliefs and health, among other types of information deemed sensitive in nature) for the purposes of loan administration. However, in the specific situation where a loan customer, due to a mental health condition, may be unable to manage their financial affairs, or where they have appointed a personal representative to act on their behalf in relation to such matters, we may, following MALG (Money Advice Liaison Group) Mental Health and Debt Guidelines, request the customer’s consent to collect some information related to their mental health, either from the customer themselves, their appointed representative and / or their healthcare professional. This information would be collected as part of our policy for the treatment of vulnerable customers and processed in order to assess the level of impairment with respect to the customer’s ability to deal with financial matters concerning the loan.
Prior consent will always be sought in order to collect any such details and any information which constitutes special category data will be safeguarded and only processed in the course of our loan administration activities, for the purposes of ongoing loan assessment or review. This information may be shared with the Lender in their capacity as data controller. Please see also “Withdrawal of Consent” in the section entitled “Your rights as a data subject”, below.
Accuracy of personal data
Data processed in our day to day business activities of loan administration is, as far as we can reasonably assume, accurate insofar as it comprises information that we are originally provided with by the Data Controller (Lender) when we take over the administration of their loans. However, whenever we are notified by the customer or their legal representative, or where it becomes apparent from another source, for example Land Registry records, that a piece of data requires updating or amending, we shall amend our records accordingly.
For more information on your right to rectify inaccurate or incomplete data, see the section below entitled “Updating or correcting your data”.
Your rights as data subject
Under GDPR 2016 regulations, data subjects have certain rights in respect of the processing of their personal data by a company. These rights are not always absolute however, as they only apply in certain circumstances, as explained below.
Details of your other rights in respect of the personal data that we process and how to contact us about them are set out below:
Updating or correcting your data
You have the right to ensure that any personal data processed is accurate, up-to-date and complete. If you need to update any piece of data related to your loan account, for example your contact details, or where there has been a change of surname due to marriage or divorce, or to advise us of any inaccuracies in the data we hold, or that details may be missing or incomplete, kindly contact us by phone on 01590 670226 or by e-mail at: email@example.com. We may ask for evidence, depending on the personal details to be amended.
You should expect a response within 30 days, although it would usually be dealt with sooner.
Accessing your personal data
You can request that we provide you with details of the personal information we hold about you and which we process on your behalf for the purposes of administering the loan contract. If you would like a copy of this information, please contact us at: firstname.lastname@example.org. We will need to identify you as a party to the loan prior to providing any information.
You should expect to receive a response within 30 days of receipt of your request, though usually sooner.
Having your data erased
Under the GDPR 2016, in certain circumstances, data subjects have the right to request the erasure of the personal data that a company holds on them, usually referred to as “The right to be forgotten”, however this right is not absolute and may not be granted for any of the reasons outlined below.
- Where we have a valid lawful basis to retain the data: e.g. where the provision of our services pertaining to the loan contract requires the processing of your personal data,
- Where we are legally bound to retain the data, in accordance with any regulations currently in force, for instance to comply with certain record keeping requirements.
- Where the processing is necessary for the establishment, exercise or defence of any legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
If you would like to request that we erase your personal data, kindly e-mail us at: email@example.com detailing the reasons for your request, however please note that we may not be able to oblige for any of the above reasons. You should expect a response from us within 30 days of your request, though usually sooner.
Restricting the processing of your data
In certain circumstances a data subject will have the right to request that usage of their data be suppressed (restricted), which means that processing would be limited solely to storage of the data, which cannot therefore be altered, destroyed or processed in any other way for the period of restriction.
This right to request that your data is restricted would exist if any of the following situations apply:
- You are contesting or questioning the accuracy of the personal data we hold and we are therefore in the course of verifying the accuracy of the data;
- The data has been unlawfully processed (in breach of the lawful basis requirement of the first principle of the GDPR) and you oppose erasure and request restriction instead;
- We no longer need your personal data but you want us to keep it in order to establish, exercise or defend a legal claim; or
- You have exercised your right to object to us processing your data and we are considering whether our legitimate grounds override your own. (See below, for information on the right to object)
To request that processing of your data be restricted, in any of the above circumstances, kindly contact us at firstname.lastname@example.org, detailing the reasons for your request. You should expect a response within 30 days, though usually sooner. Any restriction granted may be temporary, and you would be informed prior to the lifting of a restriction.
Once data has been restricted, we would be limited to storage of your data only, unless any of the following circumstances are true:
- We have subsequently obtained your consent to process the data;
- Processing is necessary for the establishment, exercise or defence of legal claims;
- Processing is necessary for the protection of the rights of another person (natural or legal); or
- Processing is necessary for reasons of important public interest.
Withdrawal of consent
Where we have received a loan customer’s consent for the processing of any sensitive personal data, the customer may also subsequently withdraw their consent at any time, which would mean Fi-nest would not then be permitted to further process the data provided, except in the circumstances where, in accordance with GDPR 2016:
- The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Details on how to withdraw consent will be provided at the time of us seeking consent; however, please contact us at email@example.com, or by phone on 01590 670 226, for further information, or to withdraw any consent you may previously have granted.
Objecting to the processing of your data
Data subjects have, in certain circumstances, the right to object to their data being processed under GDPR 2016. In most instances though, since the processing of personal data by Fi-nest is necessary for the purposes of loan administration and for the other reasons stated above in our Lawful Bases section, it would not be applicable.
However, to contact us specifically to object to us sending information pertaining to “promotions” (Limited time offers run by a Lender, concerning a discount on the loan sum repayable), please get in touch with us at firstname.lastname@example.org and we will respond, within 30 days, to confirm that details of discount periods will no longer be sent to you.
Making a complaint regarding processing of your data
If you feel that your rights or freedoms have been infringed by our use of your personal data, in the first instance please contact us at: email@example.com detailing your specific concerns, in order that we may assess your complaint and provide a response within a reasonable time period, usually within 15 working days of receipt of your complaint.
You also have the right to refer your complaint to the Information Commissioner’s Office (ICO), which is the relevant supervisory authority. So, should you feel that a complaint that you have raised with Fi-nest has not been handled to your satisfaction, you should direct your complaint to the ICO, contact details for which can be found on their website here, whilst further information regarding complaints or concerns in general can be found here.
Fi-nest are committed to compliance with all relevant EU and UK laws in respect of personal data, and the protection of the rights and freedoms of individuals whose information we collect, store and process, in accordance with the EU General Data Protection Regulation (GDPR) 2016.
Fi-nest has carried out an internal assessment of our business processes, systems and activities with regard to the ICO (Information Commissioner’s Office) detailed guidelines on GDPR in order to ensure our compliance with the regulations currently in force, with a detailed documented analysis. Following this analysis we are confident that Fi-nest’s processing of personal data is compliant with the GDPR.
Our ongoing commitment to data safety and security
Reviewing and, whenever necessary, updating our procedures, practices and systems, in order that we remain compliant with current regulations in force is part of our ongoing commitment to the processing and safeguarding of Personal Data. This Privacy Notice will be updated in line with any changes to the way in which we process personal data, in accordance with all applicable regulations.
Updated on 24/05/2018