BROWN & GOLD LTD
1 Introduction
We are a Consumer Credit Business licensed by the FCA, Ref number 739411.
We are registered with the ICO for Data Protection, ref number ZA360020.
We do not require a Data Protection Officer because we are a small business with relatively small amounts of data stored. However, our Director is the key contact for data protection.
Under FCA SYSC requirements we also have a senior manager who takes responsibility for data; their title is Directors Secretary.
2 Basis of Processing Data
We retain data and relevant information about our customers on the following basis:
Pawnbroking - Legitimate Interest - We process proof of name and address, complying with AML requirements. We ask for a passport or driving licence / utility bill for all new customers and apply due diligence as per our AML policy.
Pawnbroking - Marketing soft opt in - We use a soft opt in for marketing. This means that unless the customer ticks the box on contract note 6 of their Pawn Contract we may send them relevant marketing emails and contact them as per article 22 of the PECR (Privacy and Electronic Communications Regulations), on the basis that:
• we have obtained the contact details in the course of a pawn contract
• we are only marketing our own similar products or services; and
• we gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.
Other activities
[For marketing through third parties and for CRAs (Credit Rating Assessments) we specifically request the Consent of the customer, and they must opt in by signing our privacy statement.]
CCTV - Footage is retained for one month as part of the legitimate process of preventing crime. Footage is shared with police on request to help ongoing investigations.
3. Data Controller
We, Brown & Gold Ltd, are the Data Controllers and are responsible for all personal information retained, and are subject to audit by the Information Commissioner's Office (ICO). We do not share our data with 3rd parties.
4. Disclosure
The pawnbroking customers are made aware at point of transaction how, where and with whom their information will be shared.
Adequate Explanations
There is standard information that our staff always read out to customers. We state to them before any information is taken:
Please read our privacy notice carefully; this explains what personal information we require about you to enter into and manage our agreement with you and for our legitimate interests (for example preventing fraud). It also explains how we may acquire, use and share that information and what rights you have regarding the data we hold about you. We may send you marketing communications unless you opt out of receiving them (see the tick box on note 6).
We Show the Customer Our Privacy Notice
We show every customer the privacy notice before any pawn transaction via a laminated privacy notice on the counter. Since the basis for processing data is Legitimate Interest (a pawn contract), the customer is not required to sign this.
Every contract has a Data Processing Clause (no. 6 on back of pawn contract)
This is a shortened version of the privacy notice but also has a soft opt in for marketing.
6. Data protection
The personal information we collect about you is used by us to fulfil our statutory obligations, to administer your agreement(s) and contact you, and when otherwise required by law or where permitted by Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). You will have already seen our privacy notice. It is important that you provide us with accurate information. If you provide false or inaccurate information or we suspect fraud, this information may be recorded. We will retain your data for six years after our account with you is closed, whether settled by you or in default.
You have the right to:
• access the information we hold about you
• ask us to make changes to your information to make sure it is accurate/up to date
• ask us to stop or limit processing or delete your information (we are not obliged to do this in relation to information we need as part of our contractual relationship)
• receive your information in a format that suits you
• transfer your information to a third party
Please contact us using the details shown overleaf for further information.
We may contact you by post, email, SMS or telephone for the purposes of marketing our products and services; please tick here □ if you do not wish to receive such marketing.
[We do not undertake CRA checks and we do not share data with 3rd parties]
5. Data collection
We have reviewed our business through our Information audit to identify the data that is processed and how it flows into the business.
We will ensure that data is collected within the boundaries defined in this policy. When collecting data, we will ensure that the customer clearly understands why the information is needed.
We will respect the following rights for individuals:
1. The right to be informed
2. The right of access [in the case of Pawnbroking, they are entitled to ask the details of their contract but cannot demand a replacement contract.]
3. The right to rectification [for example changing address]
4. The right to erasure [they cannot demand the erasure of a pawn contract, although it would be erased after 6 years of no contact as part of your policy]
5. The right to restrict processing, e.g. to temporarily stop proceedings because they have accidentally given incorrect information, e.g. got their phone number wrong.
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.
6. Data Storage
Information and records relating to service users will be stored securely and will only be accessible to authorised staff. Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately. [We store pawnbroking data for 6 years from the last point of contact].
It is our responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been destroyed or sold to a third party.
We will undertake periodic [annual] Information audits and Data Protection Impact Assessments to continually aim to improve systems, minimise risk and improve security.
7. Data access and accuracy
We will ensure that:
• The Information Leader has the responsibility for data in their job description and that they are fully trained for the role to ensure compliance with Data Protection [they keep up to date by online training provided by the NPA]
• Everyone processing personal information understands that they are contractually responsible for following good data protection practice and are trained accordingly [using the modules provided online by the NPA]
• Everyone processing personal information is appropriately trained to do so
• Everyone processing personal information is appropriately supervised
• We deal promptly with any enquiries about handling personal information
• We annually review and audit the ways we hold, manage and use personal information through our Information Audit
• All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any future changes or amendments made to the GDPR 2018.
8 Data Breaches
We will maintain a log of all data breaches no matter how small. A small breach would include overhearing account details, losing a small amount of data or accidental deletion, loss of CCTV footage.
Examples of a major breach would be loss or theft of the entire database, or a web cyber security issue or hacking resulting in theft of emails / passwords / financial data of a significant or unquantified number of people.
We will ensure we have robust breach detection, investigation and internal reporting procedures in place.
We will report serious breaches to the ICO on 0303 123 1113 within 72 hours of becoming aware of the breach, where feasible, and explain:
• what has happened;
• when and how we found out about the breach;
• the people that have been or may be affected by the breach;
• what we are doing as a result of the breach;
• who the ICO should contact for more information; and
• who else we have told about the breach.
9 Our Privacy Notice
Brown & Gold Ltd Privacy Notice
This explains how and why we acquire and use your personal information in accordance with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR).
We may collect information about you as part of your loan application and for the purposes of managing your loan agreement, from you, from public records and from third parties with your consent. This includes your name, address, date of birth, contact details, employment information, credit record and your agreement history.
We use your information to:
• communicate with you by telephone, email, SMS, or post using the contact details you have provided
• manage your account
• prevent fraud and money laundering
We may use your data for the above purposes to fulfil our legitimate interest of managing our legal agreement with you and where otherwise required to comply with our legal and regulatory obligations and where permitted by the GDPR. If you do not provide us with your personal information, we will not be able to lend to you.
We may also use your information for other purposes where you have consented to this (see below).
We may share your information with:
• third parties to which we transfer, charge or assign your agreement or which provide services for us
• law enforcement agencies or regulatory bodies where we are required to do so by law
We store your information:
• within the European Economic Area (EEA)
• if we transfer data outside the EEA we will ensure that before we do so, there is adequate protection in place to ensure the security of your data.
We keep your information:
• for as long as it is needed to manage your account and for a maximum of six years unless a longer period is required by law.
You have the right to:
• access the information we hold about you
• ask us to make any changes to your information to make sure it is accurate and up to date
• ask us to stop or limit our use of or to delete your information (we are not obliged to do this in relation to information we need as part of our contractual relationship)
• receive your information in a format that suits you
• transfer your information to a third party
Contact
If you have a question, want to exercise your rights or make a complaint, please contact us.
If we cannot resolve your complaint, you may contact the Financial Ombudsman Service at:
Financial Ombudsman Service
Exchange Tower
London
E14 9SR
Tel: 08000 234 567
You also have the right to complain to the Information Commissioner's Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. www.ico.org.uk.
We may contact you by post, email, SMS or telephone for the purposes of marketing our products and services; please tick the box in note 6 on your contract if you do not wish to receive such marketing.