Creditlink Account Recovery Solutions Limited (CARS) is committed to protecting and respecting your privacy, and this document explains how we look after your personal data and make sure that we meet our legal obligations to you under the UKGDPR and other data protection rules.
Our contact details
Email: Admin@carsuk.org
Phone: 01256 306798
Post: The Data Protection Officer, Creditlink Account Recovery Solutions Ltd, Midpoint, Alencon Link, Basingstoke, RG21 7PP
The lawful basis for processing your personal data
The processing of your personal data is necessary for us to fulfil our obligations under the agreement which is in place with you (even where you did not enter into it with us directly) and to comply with our other legal obligations. We may also process your personal data for the purposes of pursuing our legitimate interests, including debt purchase, debt sale, debt recovery and for the promotion of responsible lending and the prevention of fraud and crime.
Purpose of processing
CARS may use your personal information for its debt collecting, debt purchasing, and debt sale activities. This may include the following:
- verifying your identity;
- contacting you via telephone, email, text, written correspondence, and allowing you to communicate with us through live chat services
- tracing you if you have moved address;
- reporting to credit reference agencies (CRAs) and fraud prevention agencies (FPAs);
- administering and managing your account;
- sharing your personal data with group entities that undertake account administration and debt pricing tasks for the purpose of debt collection and debt purchase;
- sharing your data with appropriate third parties that provide debt collection, tracing and litigation services, data backup, and storage services;
- statistical analysis for debt pricing;
- enforcing the debt, including using litigation and other methods;
- compliance with any legal or regulatory obligation applicable to us;
- adhering to our anti-money laundering procedures; and
- internal quality assurance testing to ensure our staff are adhering to internal procedures, customer requirements, best practice, legal and regulatory requirements
Categories of personal data
It is likely that you will have shared your personal data with our associates with whom you originally entered into the agreement (Our clients and Debt sellers) to purchase items or services from them. You may also share your personal data with us over the phone, by email or by letter.
The categories of personal data we process are as follows:
- your name;
- your date of birth;
- your address;
- your email address;
- IP address (To facilitate live chat);
- your telephone number(s);
- your account or reference number;
- your account balance;
- your account history (including notes, live chat content, purchase and payment history);
- credit reference agency data;
Special categories of personal data
The GDPR defines certain personal data as “special categories of personal data”, which includes data relating to your health.
From time to time we may need to process information about your mental or physical health; this is to ensure we meet our obligations in respect of the sensitive treatment of potentially vulnerable consumers.
You have no statutory or contractual obligation to provide us with any of your special categories of personal data, such as details of bad health, but refusing to do so could mean that we would not be able to manage your account according to your needs.
We may use data concerning your health for the purposes of:
- recording your health issues on your file, allowing us to manage your account more appropriately; and
- Sharing your health information with the company you originally obtained the item or service from to facilitate understanding and decision-making which is suitable in respect of your needs.
We will always obtain your explicit consent to record and share this information for the above purposes and you have the right to request its deletion.
The right to withdraw consent
When we process your personal data on the basis that you have provided consent for us to do so, you have the right to withdraw that consent. You can withdraw consent to us processing your personal data at any time by contacting us using one of the methods specified above. If you change your mind about agreeing to us processing your information, this will not have any effect on the lawfulness of the processing we have carried out before you change your mind.
Sharing your data with service providers
In order to conduct our business, we may share your personal data with organisations that offer us support and services such as:
- contact solution providers for the purpose of contacting you by telephone, letter, email or text in order to collect debt, or following a debt sale or purchase;
- credit reference agencies and trace bureaus to assist us in recovering debt;
- our system of record technical support to allow them to maintain and repair the system when required;
- other debt collection agencies;
- our legal advisors, for the purposes of seeking to enforce the debt or other legal matters relevant to your account;
- we may also share your personal data with other entities within our group to enable debt pricing and debt purchase; and
- offshore call centre service providers
- quality assurance provision
Sharing your data with CRAs and FPAs
CRAs collect and maintain information on consumers’ and businesses’ credit behaviour on behalf of organisations in the UK. FPAs collect, maintain and share information on known and suspected fraudulent activity. Some CRAs also act as FPAs. We share information about you, members of your household and those to whom you are linked financially with CRAs and FPAs and may carry out periodic searches with them to verify your identity, manage your account, prevent and detect crime and fraud and carry out a credit reference check.
Details of your agreement with us will be sent to CRAs and FPAs and recorded by them. This information may be supplied to other organisations by CRAs and FPAs and may be used and searched by us and other organisations, such as debt collection agencies, in order to:
- consider applications for credit and credit related services, such as insurance, for you and any associated person;
- prevent or detect money laundering and fraud;
- trace debtors and recover debts; and
- manage your accounts.
When CRAs receive a search from us they place a search “footprint” on your credit file whether or not the application proceeds. Records remain on file with CRAs and FPAs for 6 years after they are closed, whether settled by you or defaulted. You have a right to be told which credit reference agencies we have used and obtain a copy of your file from CRAs.
The contact details of the CRAs we use are:
Transunion, Red Lion Buildings, 12 Cock Lane, London, EC1A 9BU https://www.transunion.co.uk/
Experian, The Sir John Peace Building, Experian Way, NG2 Business Park, Nottingham, NG80 1ZZ https://www.experian.co.uk/
Further information about CRAs and how they use personal information is available at http://www.experian.co.uk/crain/index.html]
Sharing your data outside of the European Economic Area
It is possible that your personal data may be shared with other entities within our group that are based in the USA; the group is collectively known as JCAP. JCAP complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Please visit https://www.dataprivacyframework.gov/. We also utilise an Intragroup Data Sharing Agreement which contains all appropriate Standard Data Protection Clauses which allow the entities within our group to share your personal data with each other.
We may share your personal data with service providers based in countries outside the UK and EU which do not have an adequacy decision. In these circumstances we will ensure there are appropriate safeguards in place including International Data Transfer Agreements which contain applicable Standard Data Protection Clauses.
How long will we process your personal data for?
Call recordings will be retained for 6 months. We will retain any other personal data for a period of 6 years after your account has been closed.
Your rights
Under the GDPR you have the following rights in respect of your data:
- The right to be informed – We should explain how your personal data will be processed. This can be in the form of a fair processing notice.
- The right of access – You have the right to request access to your personal data being processed; you do not have to pay a fee for this unless we have previously supplied the requested data to you. We must provide you with the data no later than one month after the request.
- The right to rectification – You have the right to request that we correct inaccurate or incomplete data about you.
- The right to erasure – In certain circumstances you have the right to request that we delete your personal data.
- The right to restrict processing – In certain circumstances you have the right to restrict the processing of your personal data.
- The right to data portability – In certain circumstances you have the right to receive your personal data from the controller in a format that suits you, or you can request that we transmit it to another controller.
- The right to object – In certain circumstances you have the right to object to the processing of your personal data.
- Your rights in relation to automated decision making and profiling – In certain circumstances you have the right to not be subjected to a decision based solely on automated processing.
The right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with our supervisory body. If you wish to do so, please contact the Information Commissioner’s Office (ICO), Tel: 0303 123 1113, website: https://ico.org.uk/.
Where did your personal data come from?
We obtain your personal data from our clients and yourself. We may also receive your personal data from trace companies and CRAs.
November 2023