Privacy Notice

Last updated: 1st October 2024

 

1. Introduction/About Us

 

We are Afin Bank (“Afin”), our Company Registration number is 3090556 and our Registered Office address is 20 Birchin Lane, London EC3V 9DJ. Afin are registered with the Information Commissioner’s Office (“ICO”) under number ZB796224.

 

This Privacy Notice explains how and why we use your personal data. When we talk about personal data we mean any information that relates to an identifiable natural person – in this case, you. When we use terms such as “we”, “us” and “our” in this policy, we mean Afin.

 

We may collect information from you when you visit our website, apply for a product or service, contact us by telephone or email or receive a communication from us relating to a product or service.

 

Afin is a “Data Controller” and “Data Processor”. These are legal terms which mean that we make decisions about how and why we use your personal data. As the “Data Controller”, we are responsible for making sure that your personal data is used in accordance with applicable data protection laws. As Data Controller, we are required by law to give you the information in this notice. There may also be other Data Controllers/Processors involved in processing your data as further explained in this Notice.

 

2. Your rights

 

Here is a list of the rights that you have under Data Protection laws. They do not apply in all circumstances. You may exercise any of them at any time and we will explain at that time if they are appropriate or not.

 

  • The right to be informed – we must be transparent with you about the processing that we do with your personal data. This is why we have a Privacy Notice. Basically, this sets out:
     
    • Your Rights
    • What we collect
    • How we use it
    • Where it is stored
    • The Legal Basis of Use
    • Any transmission of Data to 3rd Parties or other Countries

  • The Right to Request Access to the personal data held about you, to obtain confirmation that it is being processed, and to obtain certain prescribed information about how we process it. This may assist if you wish to find out what personal data we do have about you to then determine if you can exercise other rights (those mentioned above and below). You can exercise this right by writing to us or emailing us. We will respond within one month.

  • The Right to Object to processing of your personal data where it is based on legitimate interests, where it is processed for direct marketing (including profiling relevant to direct marketing) or where it is processed for the purposes of statistics.

Your rights to object may be relevant where you wish for us to stop processing your personal data. You have an absolute right to object to the processing of your personal data for direct marketing purposes (this includes any profiling of data that is related to direct marketing). Otherwise, the right is not absolute and only applies in certain circumstances.

 

  • The right to restrict processing of your personal data, for instance where you contest it as being inaccurate (until the accuracy is verified); where you have objected to the processing (where it was necessary for legitimate interests) and we are considering whether our organisation’s legitimate interests override your own; where you consider that the processing is unlawful (and where this is the case) and where you oppose erasure and request restriction instead; or where we no longer need the personal data for the purposes of the processing for which we were holding it but where you require us to continue to hold it for the establishment, exercise or defence of legal claims.

  • The right to have your personal data erased (also known as the “right to be forgotten”). This enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This right is not absolute – it applies only in particular circumstances and where it does not apply any request for erasure will be rejected. It may be relevant where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed; if the processing is based on consent which you then withdraw; when you object to the processing and there is no overriding legitimate interest for continuing it; if the personal data is unlawfully processed; or if the personal data has to be erased to comply with a legal obligation. Requests for erasure may be refused in some circumstances such as where the personal data must be retained to comply with a legal obligation or to exercise or defend legal claims.

  • The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed in certain circumstances. If we have disclosed the personal data in question to other organisations, we must inform them of the rectification where possible. Your rights in relation to rectification may be relevant if you consider that we are processing inaccurate or incomplete information about you.

  • The right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes across different services; to move, copy or transfer their personal data easily from one environment to another in a safe and secure way without hindrance to usability. This right can only be relevant where personal data is being processed based on a consent or for performance of a contract and is carried out by automated means. Note that this right is different from the right of access (see above) and that the types of information you can obtain under the two separate rights may be different. You are not able to obtain through the data portability right all of the personal data that you can obtain through the right of access.

  • Rights in relation to automated decision making which has a legal effect or otherwise significantly affects you. This right allows individuals in certain circumstances to access certain safeguards against the risk that a potentially damaging decision is taken solely without human intervention. This right is different from the more general right to object to profiling related to direct marketing (see above) because that other right is not tied to a scenario where there is a legal effect on you or where the processing otherwise significantly affects you. Data protection laws prohibit this particular type of automated decision making except where it is necessary for entering into or performing a contract; is authorised by law; or where you have explicitly consented to it. In those cases, you have the right to obtain human intervention and an explanation of the decision, and you may be able to challenge that decision.

  • You also have a right to complain to ICO which regulates the processing of personal data in the UK.

If you wish to exercise any of these rights against the Credit Reference Agencies, the Fraud Prevention Agencies, or a broker or other intermediary who is Data Controller in its own right, you should contact them separately.

 

3. What personal data do we collect from you?

 

This will depend on the products and services you apply for and (if your application is successful) obtain from us. Generally speaking, the personal data we process about you falls into the following categories:

 

  • Identity data including your name, date of birth and/or age, marital status, family, lifestyle or social circumstances (if relevant to the application), passport information or other identification documents (e.g. driving licence or birth certificate);
  • Contact data including where you live (tax residency status is collected for Savings products), your correspondence address (where different from where you live), address history, email address and telephone numbers;
  • Financial data including your employment status, your salary and other sources of income, financial position, status and credit history, whether you receive benefits, your savings, financial commitments, existing borrowings and loans and household expenditure;
  • Transaction data including details about payments to and from your accounts with us and bank details;
  • Special categories of personal data including information about your health or vulnerability [and details of any criminal convictions or alleged offences];
  • Technical data including details on the devices and technology you use when accessing our website, your Internet Protocol (IP) address, operating system and browser type (please refer to our Cookie policy for more information);
  • Usage data including about how you use our products and services, and website;
  • Marketing and communications data including your preferences in receiving marketing from us and your communication preferences.

4. Joint Applicants, Guarantors and Powers of Attorney

 

If you make a joint application with your spouse, partner or family member, we will collect the personal data mentioned above about that person too, and this privacy notice will apply to them.

 

5. Beneficial Owners

 

If you make an application for your business, we will also collect the personal data mentioned above about all individuals who you have a financial link with, for example other directors or officers of your company, who you must include on the application form. This privacy notice will apply to them too. In order to assess your company’s suitability for the product, we need to verify that:

 

  • All applicants are included
  • The identity for all applicants is verified
  • All applicants are UK tax payers (applies to savings products)


To do this, we use an external agency to check all directors are included and gather publicly held data to run authentication and world checks. If the data we gather is insufficient to allow us to run these checks, we will request them directly from you.

 

6. Witnesses

 

Some of our products and services, including business finance, require witness signatures (to comply with execution formalities as a matter of law) and include the name and address of individuals who have acted as a witness for you. These details are kept on the application forms and stored with your account documents (but not in such a manner that it is part of a searchable filing system) in line with our retention procedures.

 

7. Where do we get your Personal Data from?

 

We collect personal data directly from you in different ways, including:

 

  • when you provide it on our website (“our site” or “our website”) when you register to use our site or subscribe to our newsletters;
  • when you apply for a savings or credit product;
  • information we gather from you when you use our services and the way you operate your accounts and/or services;
  • information you provide when you interact with us whether face-to-face, by telephone, video conference, email, letters or other channels;
  • materials you post on our social media pages;
  • information you provide when responding to surveys we may carry out (although you do not have to complete them); and
  • if you take part in any of our competitions or promotions when we have them.

We collect personal data from the following third parties or publicly available sources, including:

 

  • companies that introduce you to us including industry bodies and associations;
  • brokers;
  • credit reference agencies and fraud prevention agencies (see section below on “Sharing Information with Credit Reference Agencies” and “Sharing Information with Fraud Prevention Agencies”);
  • retailers;
  • comparison websites;
  • land agents;
  • publicly available information sources, such as Companies House, the electoral register, media, social networks and sanctions list;
  • agents working on our behalf;
  • market researchers; and
  • Government bodies and law enforcement agencies.

8. What do we do with your Data?

 

We collect and process your data for several purposes, and for each purpose Afin must explain to you what legal grounds justify our processing of your personal data. We set out below, in a table format, a description of all the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

 

| Purpose/Activity | Type of data | Legal basis for processing (including basis of legitimate interest) |
|---|---|---|
| To process your application. | Identity data, Contact data, Financial data, Special categories of personal data | Performance of a contract with you or to carry out any pre-contract steps. |
| To carry out identity checks, anti-money laundering checks and checks with Fraud Prevention Agencies (this will involve sharing your personal data with Credit Reference Agencies and Fraud Prevention Agencies). | Identity data, Contact data, Financial data, Special categories of personal data | Necessary to comply with a legal obligation. |
| Administering and managing your account and providing products (including online product platforms and mobile apps) and services (this may involve sharing your personal data with certain third parties). | Identity data, Contact data, Financial data, Transaction data, Special categories of personal data | Contractual necessity (in order to perform a contract with you). |
| To respond to any queries you have in respect of our services and to fulfil the requests you make to us. | Identity data, Contact data, Financial data, Transaction data, Special categories of personal data | Necessary for our legitimate interests (to provide a responsive service and develop our business). |
| To collect and recover money owed to us (this may involve sharing your personal data with debt recovery agencies). | Identity data, Contact data | Necessary for our legitimate interests (to recover monies owed to us). |
| To manage how we work with other companies that provide services to us and our customers. | Identity data, Contact data, Financial data, Transaction data, Usage data, Marketing and communications data | Necessary for our legitimate interests or that of a third party (to improve our services and develop our business). |
| To correspond with solicitors, surveyors, valuers, other lenders, conveyancers and third-party intermediaries. | Identity data, Contact data, Financial data, Transaction data, Usage data, Marketing and communications data | Contractual necessity (in order to enter into a contract with you). |
| To exercise our rights and enforce the terms of our contract and to bring or defend legal claims. | Identity data, Contact data, Financial data, Transaction data, Special categories of personal data | Necessary for our legitimate interests (to enforce our rights and protect the business). |
| To understand how you use our products and services (including profiling), and to improve our site to ensure that content is presented in the most effective manner for our site users. | Identity data, Contact data, Financial data, Transaction data, Special categories of personal data, Technical data, Usage data, Marketing and communications data | Necessary for our legitimate interests (to improve and tailor our services to you and develop our business). |
| To inform you about updates to the service and to notify you about other products and services offered by us that may be relevant to you. | Identity data, Contact data, Usage data, Marketing and communications data | Necessary for our legitimate interests (to market our services and develop our business) or, where we cannot rely on legitimate interest for direct electronic marketing, you have given us your consent to receive such marketing. |
| To send you newsletters where you subscribe to receive these, and to enable you to participate in any competitions or promotions we may run. | Identity data, Contact data, Marketing and communications data | Necessary for our legitimate interests (to market our services and develop our business). |
| To ask you to participate in surveys for market research purposes, and to analyse those surveys and research to benchmark our services. | Identity data, Contact data, Marketing and communications data | Necessary for our legitimate interests (to improve our services and develop our business). |
| To undertake system or product development, and improve our products, services and systems. | Identity data, Contact data, Transaction data, Usage data | Necessary for our legitimate interests (to improve our services and develop our business). |
| To comply with applicable laws and regulations, including our obligation to maintain records, prevent money laundering and crime (this may involve sharing your personal data with governmental, regulatory bodies and in some circumstances, payment service providers). | Identity data, Contact data, Financial data, Transaction data, Special categories of personal data, Technical data, Usage data | Necessary to comply with a legal obligation. |
| To share your personal data, where applicable, with your guarantor, joint account holders, trustees, beneficiaries, power of attorneys, beneficial owners and other account holders. | Identity data, Contact data, Financial data, Transaction data, Special categories of personal data | Necessary to comply with a legal obligation. |
| To respond to requests from you to exercise your rights under data protection laws. | Identity data, Contact data, Financial data, Transaction data, Special categories of personal data, Technical data, Usage data, Marketing and communications data | Necessary to comply with a legal obligation. |
| To adhere to guidance and best practice under the regimes of governmental and regulatory bodies such as HMRC, the Financial Conduct Authority and ICO. | Identity data, Contact data, Financial data, Transaction data, Special categories of personal data, Technical data, Usage data, Marketing and communications data | Necessary for our legitimate interests (for running our business in accordance with good governance requirements). |
| To administer and operate our business and site (including audits, system maintenance & security, business continuity, support, reporting and hosting of data). | Identity data, Contact data, Financial data, Transaction data, Special categories of personal data, Technical data, Usage data, Marketing and communications data | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud). |

 

9. Processing with your consent

 

We may also from time to time ask you for your consent for other purposes, which we will explain to you at the time. For example, when you request that we share your personal data with someone else and no other legal basis applies. You may withdraw this consent at any time – however this may mean that not all products and services will be available.

 

10. Special categories of personal data/criminal convictions data

 

Some of the personal data we collect about you includes special categories of personal data. In particular, we may process data about your health, biometric data and criminal convictions and offences. Where we process special categories of personal data, this will usually be on the basis of either:

 

  • explicit consent (and when we ask for that explicit consent, we will explain to you the purposes and use of such data).
  • for reasons of substantial public interest, such as:
    • processing of health data (including sharing of such data) where necessary to enable us to comply with our legal obligations relating to vulnerable customers.
    • using criminal records data to help prevent and detect crime.
  • to establish, exercise or defend legal claims.

11. How and when you can withdraw your consent

 

Much of what we do with your personal data is not based on your consent and is instead based on other legal grounds.

 

For processing that is based on your consent, you have the right to revoke that consent for future processing at any time. You can do this by contacting us at the email addresses listed under the ‘Contact us’ section of our website, or by unsubscribing from our newsletters when you receive one. The consequence might be that we cannot send you some marketing communications.

 

12. Who might we share your data with?

 

To provide you with products and services, meet our legal obligations and operate our business, we may share your personal data with the following third parties in the following circumstances:

 

  • With other Afin group companies in order to administer and manage your account.
  • With companies with whom we have contracts in place for the supply of goods and services as part of providing service to our customers, such as our mailing house and website suppliers. With market research companies we engage to develop our products and services.
  • We disclose your personal data to third parties who provide us with data analytics, business intelligence, software development and IT services.
  • We may also disclose your personal data to our appointed representatives in connection with a contracted transaction between you and us. This includes solicitors, surveyors, valuers, insurers, loss adjusters, debt collection agencies and any party described in the terms and conditions of the individual products you hold with us. We will have in place an agreement with our service providers which will restrict how they are able to process your personal data.
  • With other organisations to provide you with the product or service you have chosen, for example, if you use direct debits, we will share your data with the Direct Debit scheme. If you have a secured loan or mortgage with us, we may share information with other lenders who also hold a charge on the property.
  • With HM Revenue & Customs and other regulatory bodies such as the Financial Conduct Authority, Prudential Regulation Authority and the UK Financial Services Compensation Scheme and the Financial Ombudsman Service, where necessary as part of ongoing supervision or law enforcement.
  • With companies we have a joint venture or agreement to co-operate with and any companies that introduce you to us or we introduce to you.
  • With any party linked with you or your business’s product or service including anyone acting on your behalf with authority to do so or any potential guarantor.
  • Price comparison websites and similar companies that offer ways to research and apply for financial products and services
  • Companies you ask us to share your data with, for example, when you switch accounts from Afin
  • Credit reference agencies (see paragraph 13 below for more information)
  • Fraud prevention agencies (see paragraph 14 below for more information)
  • Any third party after a change of ownership (see paragraph 16 below for more information)

Should you wish to receive details of the relevant credit reference, fraud or financial crime prevention agencies we use, please contact us by letter or email using the addresses set out at the end of this privacy notice.

 

13. Credit Reference Agencies

 

To process your application, we will perform credit and identity checks on you with one or more Credit Reference Agencies (CRAs). Where you take products or services from us, we may also make periodic searches at CRAs to manage your account with us.

 

To do this, we will supply your personal data to CRAs, and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register, court decisions and bankruptcy registers) and shared credit, financial situation and financial history information and fraud prevention information.

 

We will use this information to:

 

  • Assess your creditworthiness and whether you can afford to take the product.
  • Verify the accuracy of the data you have provided to us.
  • Prevent criminal activity, fraud and money laundering.
  • Manage your account(s).
  • Trace and recover debts; and
  • Ensure any offers provided to you are appropriate to your circumstances.

We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.

 

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

 

If you are making a joint application or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.

 

Credit Reference Agency Information Notice

 

Set out below are links to Experian, Equifax and TransUnion International Limited. Afin may use any of these to obtain Credit Referencing.

 

All Credit Reference Agencies are required to publish a notice explaining what, why and how they obtain and use information about businesses and individuals. Each is regulated by the Financial Conduct Authority (“FCA”), is authorised to conduct business as a credit reference agency and is required to publish such notices under the General Data Protection Regulation.

 

As Afin will source information about you from such agencies we are required to make available the information notices from these companies.

 

https://www.experian.co.uk/legal/crain

https://www.equifax.co.uk/privacy-hub/crain

https://www.transunion.co.uk/legal/privacy-centre/pc-general

 

14. Fraud Prevention Agencies (FPAs)

 

We use your personal information to help decide if your personal or business accounts may be being used for fraud or money-laundering. We may detect that an account is being used in ways that fraudsters work. Or we may notice that an account is being used in a way that is unusual for you or your business. If we think there is a risk of fraud, we may stop activity on the accounts or refuse access to them.

 

Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

 

We, and fraud prevention agencies, may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime. Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

 

15. Any third party after a change of ownership

 

In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. If Afin or substantially all of its assets are acquired by a third party, the personal data we hold about our customers will be one of the transferred assets.

 

16. Transferring data abroad

 

Presently we do not transfer your data outside of the UK or EEA.

 

There will be some limited circumstances in which we will need to transfer your personal data outside of the UK and/or the European Economic Area (which means all the European Union (EU) countries plus Norway, Iceland and Liechtenstein, together “EEA”).

 

However, when we need to transfer your personal data abroad, we take steps to ensure that your personal data is adequately protected and in compliance with data protection laws such as entering into the UK’s International Data Transfer Agreement (for transfers of personal data from the UK) – this is a set of contractual wording which has been issued by the ICO.

 

For further information on our transfers of personal data, please contact us at the contact details provided in the “Contacting Us” section below (see section 33).

 

17. What should you do if your personal data changes?

 

You should tell us without delay so that we can update our records. If you were introduced to us by a broker or other intermediary who is Data Controller in its own right, you should contact them separately. In some cases where you exercise rights against us under data protection laws (see below) we may need to inform the broker or other intermediary, but this will not always be the case.

 

18. Do you have to provide your personal data to us?

 

We may be unable to provide you with a product or service or to process your application without having certain personal data about you. Certain personal data is required before you can enter into the relevant contract with us, or it may be required during the life of that contract, or required by laws that apply to us. If we already hold some of the personal data that we need – for instance if you are already a customer – we may not need to collect it again when you make your application. In all other cases we will need to collect it except where providing some personal data is optional (in which case, we will make this clear). For instance, we will say in application forms or on our website or via the broker or other intermediary if alternative (such as work) telephone number contact details can be left blank.

 

19. How long we keep your information

 

Your data is important to us, and we take all reasonable steps to maintain it safely and securely and fully in accordance with the General Data Protection Regulation.

 

We will keep your personal data for seven years from the end of the last financial year of our business relationship with you. This includes credit agreements, application forms (paper and electronic), ID provided, credit scores, payment default records and complaints.

 

We keep data relating to prospective and indicative customer enquiries for 6 months following the expiry of the quote or illustration.

 

After this time, the data is securely disposed of. Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

 

20. Do we do any monitoring involving processing of your personal data?

 

In this section monitoring means any listening to, recording of, viewing of, intercepting of, or taking and keeping records (as the case may be) of calls, emails, text messages, social media messages, face-to-face meetings and other communications.

 

We may monitor where permitted by law and we will do this where the law requires it. In particular, where we are required by the Financial Conduct Authority’s regulatory regime to record certain telephone calls or in person meetings we will do so.

 

Some of our monitoring may be to comply with regulatory rules, self-regulatory practices or procedures relevant to our business, to prevent or detect crime, in the interests of protecting the security of our communications systems and procedures, to have a record of what we have discussed with you and actions agreed with you, to protect you and to provide security for you (such as in relation to fraud risks of your account) and for quality control and staff training purposes.

 

We may conduct short term carefully controlled monitoring of your activities on your account where this is necessary for our legitimate interests or to comply with our legal obligations. For instance, where we suspect fraud, money laundering or other crimes.

 

Telephone calls and/or in person meetings between us and you in connection with your application and the product or service may be recorded to make sure that we have a record of what has been discussed and what your instructions are. We may also record these types of calls for quality control and staff training.

 

21. Use of Automated Processing and Automated Decision Making

 

Like many Financial Service providers, we use automated processing in our account opening and identification processes. This means we attempt to match your personal details to publicly available information through sources such as the Royal Mail or Credit Reference Agencies. If for any reason we are unable to complete our formalities using this process, you will be informed how you may complete the process using manual methods.

 

As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity.

 

Here are some examples of the types of automated decisions we make:

 

  • Pricing
    • We may decide what to charge for some products and services based on what we know.
  • Tailoring products and services
  • Credit scoring (for more information about how we do this please see paragraph 26 Approving Credit below).


We may place you in groups with similar customers. These are called customer segments. We use these to study and learn about our customers’ needs, and to make decisions based on what we learn. This helps us to design products and services for different customer segments, and to manage our relationships with them.

 

22. Consequences of Processing

 

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and products you have requested, or to employ you, or we may stop providing existing services to you.

 

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us using the details provided.

 

23. Opening accounts

 

When you open an account with us, we check that the product or service is relevant for you, based on what we know. We also check that you or your business meets the conditions needed to open the account. This may include checking age, residency, nationality or financial position.

 

24. Approving Credit

 

We use a system to decide whether to lend money to you or your business, when you apply for credit such as a loan. This is called credit scoring. It uses past data to assess how you’re likely to act while paying back any money you borrow. This includes data about similar accounts you may have had before.

Credit scoring uses data from three sources:

 

  • Your application form
  • Credit Reference Agencies
  • Data we may already hold


It gives an overall assessment based on this. Banks and other lenders use this to help us make responsible lending decisions that are fair and informed. Credit scoring methods are tested regularly to make sure they are fair and unbiased.

 

  • You have rights over automated decisions:
    • You can ask that we do not make our decision based on the automated score alone.
    • You can object to an automated decision and ask that a person reviews it.

25. Profiling

 

We use our customers’ data to understand how our website is operating, to track how certain products are performing and to generate business strategy based on statistical analysis.

 

For this we profile using data generated throughout your contact with Afin by our online applications and in strict accordance with the Bank’s Cookie Policy.

 

Profiling is also relied upon in the processes used by Credit Reference Agencies where automated decisioning methods are used to check for Fraud or Money Laundering activity. You have rights in relation to auto decisioning so contact us if you want to learn more.

 

We also profile your data to help us identify opportunities for us to maximise the benefits to you of being an Afin customer, such as, for example, through the provision of special offers, unless you have told us that you do not want us to do this.

 

We can do this activity based on our legitimate interests (and they are listed in the What we do with your data section above) only where the profiling and other automated decision making does not have a legal or other significant effect on you. In all other cases, we can do this activity only where based on your consent. In those cases, you have the right to obtain human intervention to contest the decision (see ‘rights in relation to automated decision making which has a legal effect or otherwise significantly affects you’ below). Profiling for direct marketing can mean there is a separate right to object (see ‘rights to object’ above).

 

26. Data Anonymisation and the use of Aggregated Information

 

Your personal data may be converted into statistical or aggregated data which cannot be used to re-identify you. It may then be used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described in this privacy notice.

 

27. Data Security

 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. Although we take appropriate steps to protect your personal data, we cannot guarantee that your personal data will not become accessible to unauthorised persons, and we cannot be responsible for any actions resulting from a breach of security when information is supplied over the internet or any public computer network.

 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

 

28. Data Privacy Notices from other organisations

 

We have mentioned that we share your personal data with Fraud Prevention Agencies and Credit Reference Agencies. They require us to pass on to you information about how they will use your personal data to perform their services or functions as Data Controllers in their own right. These notices are separate from our own.

 

29. How we work with other Third-Parties

 

Please refer to our Cookie Policy for details on how we work with 3rd parties. 

 

30. How we use Cookies

 

Please refer to our Cookie Policy for details on how we use cookies.

 

31. Broker & Other Intermediaries Data Sharing Responsibilities

 

Have you been introduced to us by a broker or other Intermediary?

 

Our products and services are available through our website and app, as well as through professional and financial advisers (Brokers) and anyone else who acts as an intermediary between you and us in relation to what we do for you. We work with brokers and intermediaries for our lending products and services.

 

When a broker or other intermediary processes your personal data on our behalf, this privacy notice will apply. When a broker or other intermediary processes your personal data as a Data Controller in its own right, its own privacy notice will apply, and you should ask them for a copy if you do not have one by the time you are introduced to us.

 

32. Marketing

 

Where we either have your consent or a legitimate interest, we will keep you informed about Afin products and services similar to those you already have unless you tell us you don’t want this material.

 

If at any time you wish to stop receiving marketing information from us, you can notify us via the instructions detailed in the marketing communication you have received, via your account where online access is provided, or by contacting us by any of the means listed in the Contact us section of our website.

 

33. Contact us

 

If you want to receive a copy of the information we hold, exercise any of your information rights explained in this notice or have any concerns or complaints about our use of your information, please contact our Data Protection team.

 

Email: hello@afinbank.com