Loans from Hastings Direct - Privacy Notice

Introduction

Your privacy’s important to us and we go to great lengths to protect it. This privacy notice tells you about the personal data we hold about you, explains how we may collect, use and share your details, and tells you about your rights under data protection laws.

About Hastings Group Holdings plc.

Here at Hastings Group Holdings plc, we will always treat your personal data with respect and design our products and services with your privacy in mind.

Hastings Group Holdings plc consists of the data controllers Hastings Insurance Services Ltd and Advantage Insurance Company Ltd.

1. About Hastings Insurance Services Ltd.

We are Hastings Insurance Services Limited (also referred to as ‘Hastings’, ‘we’, ‘us’ or ‘our’) and our registered office is at Conquest House, Collington Avenue, Bexhill-on-Sea, East Sussex TN39 3LW.

We trade under the names of Hastings Direct, Hastings Direct SmartMiles, insurePink, People’s Choice and our brands include Hastings Premier, Hastings Essentials, Insure Blue, Argos, Likewise and Renew.

Our ICO registration number is Z7677970.

2. What do we mean by personal information.

“Personal information” means information that relates to you as an individual, whether linked to your name or any other way in which you could be identified, such as your driving licence number or your Loan account number.

Certain types of personal information are considered to be “special categories of information” due to their more sensitive nature. Sometimes we will ask for or obtain special categories of information because it is relevant to your Loan application. For example, to assess risk appropriately, we may ask our customers about their previous credit history. This Privacy Notice highlights where we are likely to obtain special categories of information, and the grounds on which we process this data. We will only process special categories of information where they are relevant and will never process certain types e.g. details of your sex life.

Special categories of information are information about your health, criminal convictions, genetic or biometric data, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.

3. How we use your personal information.

The personal information that we collect will depend on our relationship with you. We have included a number of sections below – simply read those which most apply to your relationship with us.

If you provide personal information to us about other people you must provide them with a copy of this Privacy Notice, and obtain relevant consent from them where we have indicated in this Privacy Notice that we need it.

3.1. If you have taken out a quote for a loan.

This section shows what personal information we collect about you and use if you are a prospective customer and have submitted your personal information so that we can provide you with a quote for a loan. This includes your use of a price comparison website to gain a quote from us.

What personal information will we collect and where will we collect it from?

We collect the following information provided by you by phone or web:

  • Individual details: Your name, address, former address, contact details (e.g. email / telephone), gender, marital status, date of birth, nationality, length of time as a UK resident.
  • Employment information: Your job title and the nature of the industry you work in
  • Identification details: Your driving licence number and passport number
  • Previous and current loans held: Any previous loans you have held and settled.
  • Income and household financial
  • Criminal convictions which are unspent under the Rehabilitation of Offenders Act.
  • Marketing preferences: Where relevant, including whether you have requested not to receive marketing information
  • Website usage, including Cookies and use of our Live Chat facility: See section below for details
  • Other information: that we capture during recordings of our in-bound and out-bound telephone calls, or if you make a complaint. This may include special categories of information you volunteer when communicating with us (we will not further process these without your explicit consent).

Before we provide services or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you. We use external sources to supplement and verify the information above, and also to provide the following new information:

  • Credit and anti-fraud data: Credit history, credit score, sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements (IVAs) or county court judgements, and information received from various anti-fraud databases. Some of this information (e.g. criminal offences) may include special categories of information relating to you.
  • Demographic data: Lifestyle indicators such as income, education, and size of your household.
  • Open source data: Other information about you which is publicly available.

The external sources that provide us with information about you include:

  • The applicant
  • Other third parties involved in the loans application process (such as the price comparison website used, or loan brokers)
  • Credit reference agencies
  • Providers of demographic data and vehicle data
  • Financial crime detection agencies and lending industry financial crime databases (such as for fraud prevention and checking against international sanctions) including Cifas.
  • Government agencies and regulators (e.g. Financial Conduct Authority)
  • Publicly available sources (e.g. the electoral roll, court judgments, insolvency registers, internet search engines, news articles) and sources licenced under the Open Government Licence v 3.0.

What will we use your personal information for?

We may process your personal information for a number of different purposes. We must have a legal ground for each purpose, and we will rely on the following grounds:

  • We need your personal information because it is necessary to enter into or perform a contract (e.g. you request a quote with a view to entering into a loan agreement)
  • We have a legitimate interest to use your personal information (e.g. to keep a record of the decisions we make when different types of applications are made, keep business records, carry out strategic business analysis, review our business planning and/or develop and improve our products and services). When using your personal information in this way, we will always consider your rights and interests
  • We have a legal or regulatory obligation to use your personal information (e.g. to meet record-keeping requirements of our regulators).

For special categories of information, we must have an additional legal ground for processing. We will rely on the following:

  • You give us explicit consent to use this type of information.
  • It is in the substantial public interest and it is necessary: to prevent and detect an unlawful act (e.g. fraud)
  • To establish, exercise or defend legal claims (e.g. legal proceedings are being brought against us or we want to bring a legal claim ourselves).

See the table below.

Type of Processing | Grounds for using personal information | Grounds for special categories
To assess your loan application and provide a quote | To enter into or perform a contract | We will not process your special categories of information for this purpose
To verify your identity, carry out fraud, credit and anti-money laundering checks | To enter into or perform a contract | It is in the substantial public interest to prevent or detect unlawful acts; To establish, exercise or defend legal rights
To communicate with you and resolve any complaints that you might have | To enter into or perform a contract; We have a legitimate interest (to send you communications, record and handle complaints) | You have given your explicit consent; To establish, exercise or defend legal rights
To comply with our legal or regulatory obligations | We have a legal or regulatory obligation | To establish, exercise or defend legal rights
To ensure that we consider any customers who may be in a vulnerable circumstance | We have a legitimate interest (to ensure a consistent service to all of our customers and that all customers are treated equally) | You have given your explicit consent
To provide improved quality, training and security (e.g. through recorded or monitored phone calls to / from us, or customer satisfaction surveys) | We have a legitimate interest (to develop and improve our products and services) | We will not process your special categories of information for this purpose
Managing our business operations (e.g. keeping accounting records, analysing financial results, meeting audit requirements, receiving professional advice, and holding our own insurance) | We have a legitimate interest (to carry out business operations and activities that are necessary for the everyday running of a business) | We will not process your special categories of information for this purpose
For loan administration purposes including trend analysis, actuarial work, pricing analysis, analysis of customer experience, planning service delivery, risk assessment and costs and charges | We have a legitimate interest (to develop and improve our products and services) | We will not process your special categories of information for this purpose
To send you marketing materials about our products and services (with your permission) | We have a legitimate interest (to market our products) | We will not process your special categories of information for this purpose

Who will we share your personal information with?

On occasion, we will share personal information within Hastings Group Holdings plc or with the following third parties for the purposes laid out in the table above:

  • The loan applicant
  • Credit reference agencies
  • Providers of demographic data
  • Financial crime detection agencies and loans industry financial crime databases (such as for fraud prevention and checking against international sanctions) including Cifas, the National Fraud Database
  • Government agencies and bodies such as the HMRC, Department for Work & Pensions, or regulators (e.g. Financial Conduct Authority)
  • Other third parties involved in the loans application process (such as the price comparison website used)
  • Third party suppliers we appoint to help us carry out our everyday business activities including IT suppliers, subcontractors, and any outsourced service centre providers
  • The police and other crime prevention and detection agencies. We and fraud prevention agencies may enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime
  • Selected third parties in connection with any sale, transfer or disposal of our business.

3.2. If you have a loan with us.

What personal information will we collect and where will we collect it from?

In addition to the information provided to us by you in section 3.1 above when a quote is provided, we will obtain information about you during the lifetime of your loan. This information includes:

  • Financial information: Bank and payment information
  • Additional identification details: This may include items to verify your identity, residency, marital status and address. All of this information will be obtained from you, but can contain special categories of information (e.g. driving licence details may show details of any motoring convictions). In some situations further information and/or copies outlined above may be requested to validate your identity.

We use external sources to supplement and verify the information above, and also to provide the following new information:

  • Credit and anti-fraud data: Credit history, credit score, sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements (IVAs) or county court judgements, and information received from various anti-fraud databases. Some of this information (e.g. criminal offences) may include special categories of information relating to you
  • Demographic data: Lifestyle indicators such as income, education, and size of your household
  • Open source data: Unstructured data about you, or the circumstances of any accident, which is in the public domain; when proportionate to do so, this will include social media

The external sources that provide us with information about you include:

  • Third party suppliers we appoint to help us to carry out:
    • our everyday business activities including IT suppliers, actuaries, auditors, lawyers, debt collection agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisors
  • Credit reference agencies
  • Providers of demographic data
  • Financial crime detection agencies and loans industry financial crime databases (such as for fraud prevention and checking against international sanctions) including Cifas, the National Fraud Database
  • Lending industry bodies and databases
  • Government agencies and bodies such as HMRC, Department for Work & Pensions, or regulators (e.g. Financial Conduct Authority)
  • Publicly available sources (e.g. the electoral roll, court judgments, insolvency registers, internet search engines, news articles, social media) and sources licenced under the Open Government Licence v 3.0.
  • The police, HMRC and other crime prevention and detection agencies.

What will we use your personal information for?

We may process your personal information for a number of purposes. For each purpose, we will rely on one or more of the following legal grounds:

  • We need your personal information because it is necessary to enter into or perform a contract (e.g. the loan agreement)
  • We have a legitimate interest to use your personal information (e.g. to keep a record of the decisions we make when different types of applications are made, keep business records, carry out strategic business analysis, review our business planning and develop and improve our products and services). When using your personal information in this way, we will always consider your rights and interests
  • We have a legal or regulatory obligation to use your personal information (e.g. to meet record-keeping requirements of our regulators).

For special categories of information, we must have an additional legal ground for processing. We will rely on the following:

  • You give us explicit consent to use this type of information.
  • It is in the substantial public interest and it is necessary: to prevent and detect an unlawful act (e.g. fraud)
  • To establish, exercise or defend legal rights (e.g. legal proceedings are being brought against us or we want to bring a legal claim ourselves).

See the table below.

Type of Processing | Grounds for using personal information | Grounds for special categories
To verify your identity, carry out fraud, credit and anti-money laundering checks | To enter into or perform a contract | It is in the substantial public interest to prevent or detect unlawful acts (where we suspect fraud); To establish, exercise or defend legal rights
To set up your loan | To enter into or perform a contract | We will not process your special categories of information for this purpose
To manage and service and answer queries about your loan | To enter into or perform a contract | You have given your explicit consent
Using loan details to make decisions around new loan applications or extensions | To enter into or perform a contract | We will not process your special categories of information for this purpose
Using loan data to validate the information you provided us when you took out your loan and to prevent and identify fraud on an ongoing basis | We have a legitimate interest (to prevent and detect fraud and other financial crime) | It is in the substantial public interest to prevent or detect unlawful acts (where we suspect fraud); To establish, exercise or defend legal rights
To comply with our legal or regulatory obligations | We have a legal or regulatory obligation | To establish, exercise or defend legal rights
To ensure that we consider any customers who may be in a vulnerable circumstance | We have a legitimate interest (to ensure a consistent service to all of our customers and that all customers are treated equally) | You have given your explicit consent
To communicate with you and resolve any complaints that you might have | To enter into or perform a contract; We have a legitimate interest (to send you communications, record and handle complaints) | You have given your explicit consent; To establish, exercise or defend legal rights
To provide improved quality, training and security (e.g. through recorded or monitored phone calls to / from us, or customer satisfaction surveys) | We have a legitimate interest (to develop and improve our products and services) | We will not process your special categories of information for this purpose
For debt collection purposes | To enter into or perform a contract | We will not process your special categories of information for this purpose
Managing our business operations (e.g. keeping accounting records, analysing financial results, meeting audit requirements, receiving professional advice, and holding our own insurance) | We have a legitimate interest (to carry out business operations and activities that are necessary for the everyday running of a business) | We will not process your special categories of information for this purpose
For loans administration purposes including trend analysis, actuarial work, pricing analysis, analysis of customer experience, planning service delivery, risk assessment and costs and charges | We have a legitimate interest (to develop and improve our products and services) | We will not process your special categories of information for this purpose
To send you marketing materials about our products and services (where we have your permission to do so) | We have a legitimate interest (to market our products) | We will not process your special categories of information for this purpose

Who will we share your personal information with?

On occasion, we will share personal information within Hastings Group Holdings plc or with the following third parties for the purposes laid out in the table above:

  • The account holder
  • Providers who may need your information in order to provide a service to you
  • The price comparison site used (if any)
  • Third party suppliers we appoint to help us to carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, debt collection agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisors
  • Credit reference agencies/debt collection agencies*
  • Providers of demographic data
  • Financial crime detection agencies and loans industry financial crime databases (such as for fraud prevention and checking against international sanctions) including Cifas**, the National Fraud Database
  • Government agencies and bodies such as HMRC, Department for Work & Pensions, or professional regulators (e.g. the Financial Conduct Authority in the UK)
  • The police and other crime prevention and detection agencies. We and fraud prevention agencies may enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
  • Selected third parties in connection with any sale, transfer or disposal of our business.

* Information Shared with Credit Reference Agencies

We will perform initial “soft search” credit checks through one or more Credit Reference Agencies for initial enquiries to help establish suitability and Approval in Principle.

For cases where we are assessing a loan application that will be funded by us, a full credit assessment will be made with one or more Credit Reference Agencies.

In the cases where credit referencing is undertaken the following will apply:

  • A customer’s loan application may be registered on the customer’s credit report under the name Hastings Direct. Should customers require more information on any Credit Reference Agency we work with, they can visit the relevant CRA website. We may undertake a search with at least one of the aforementioned agencies when customers apply for credit, thereby reviewing a customer’s credit record as well as anyone financially associated with the customer. The agency will keep a record of this search and may place a “footprint” on the customer’s file, whether or not the application proceeds.
  • Once customers take a loan product with us, we will report regularly to the CRAs on the customer’s payment history. If customers fall behind on payments and satisfactory proposals are not received within a month of a formal demand being issued, then a default notice may be recorded at the CRAs which may impact the customer’s ability to obtain credit in the future.
  • Information we and other organisations provide to the CRAs may be used by us and them to:
    • help make decisions when checking applications, managing credit related accounts and facilities, recovering debt, checking on insurance claims, checking job applicants
    • detect and prevent money laundering, crime and fraud
    • verify identity
    • trace customers’ whereabouts
    • undertake research, statistical analysis and system testing.

More information about CRAs and how they use personal information is available at:

https://www.TransUnion.co.uk/crain

https://www.equifax.co.uk/crain

https://www.experian.co.uk/crain

** Information shared with Cifas

Before we provide services, goods or financing to customers, we undertake checks for the purposes of preventing fraud and money laundering, and to verify identity. These checks require us to process personal data about our customers.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested. Cifas has published its assessment of the legitimate interests in relation to the National Fraud Database.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to "international frameworks" intended to enable secure data sharing. Cifas has published more information about data transfers.

3.3. Suppliers and Partners.

What personal information will we collect and where will we collect it from?

In order to work effectively with you and for ongoing due diligence purposes, we will need to collect some personal information from you which may include:

  • Individual details: Your name, address, contact details (e.g. email / telephone)
  • Employment information: Your job title and the nature of the industry you work in (including potentially previous roles)
  • Identification details: Items to verify your identity, residency, address, driving licence details. All of this information will be obtained from you, but can contain special categories of information (e.g. a driving licence may show details of any motoring convictions)
  • Criminal convictions which are unspent under the Rehabilitation of Offenders Act. This includes both motoring and non-motoring offences / alleged offences which you have committed, or any court sentences which you are subject to. All of this information will be obtained from you, but may contain special categories of information.
  • Website usage, including Cookies and use of our Live Chat facility: See section below for details
  • Other information: that we capture during recordings of our telephone calls, or if you make a complaint. This may include special categories of information you volunteer when communicating with us (we will not further process these without your explicit consent).

We use external sources to supplement and verify the information above, and also to provide the following new information:

  • Credit and anti-fraud data: Credit history, credit score, sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements or county court judgements, and information received from various anti-fraud databases. Some of this information (e.g. criminal offences) may include special categories of information relating to you
  • Open source data: unstructured data which is in the public domain, including social media, about you or your company, as part of our due diligence checks.

The external sources that provide us with information about you include:

  • Other Hastings Group Holdings plc companies
  • Publicly available sources such as the electoral roll, court judgments, insolvency registers, internet search engines, news articles and social media sites
  • Financial crime detection agencies and lending industry databases (such as for fraud prevention and checking against international sanctions).

What will we use your personal information for?

We may process your personal information for a number of different purposes. We must have a legal ground for each purpose, and we will rely on the following grounds:

  • We need to use your personal information because it is necessary to enter into or perform the contract that we hold with you (e.g. we may need certain information in order to operate our business partnership arrangement)
  • We have a legitimate interest to use your personal information such as maintaining our business records, keeping records of loan agreements and business entities we interact with, and analysing and improving our business model and services. When using your personal information in this way, we have considered your rights and ensured that our business need does not cause you harm
  • We have a legal or regulatory obligation to use such personal information (e.g. we may be required to carry out certain background checks).

For special categories of information, we must have an additional legal ground for processing. We will rely on the following:

  • You have given us your explicit consent to our use of your special categories of information
  • We need to use your special categories of information for purposes relating to managing our business relationship with you where there is a substantial public interest in such use. Such purposes include preventing and detecting fraud
  • To establish, exercise or defend legal rights (e.g. legal proceedings are being brought against us or we want to bring a legal claim ourselves).

We’ve shown how we use your personal information, and the legal grounds we rely on, in the table below:

Type of Processing | Grounds for using personal information | Grounds for special categories
To enter into business relationships which facilitate and enable us to manage our loans for our customers | To enter into or perform a contract; We have a legitimate interest (to enter into arrangements with other partners so that we can provide services to our customers) | You have given us your explicit consent
For business processes and activities including analysis, review, planning and business transactions, and applying for and claiming on our own insurance | We have a legitimate interest (to effectively manage our business and to have appropriate insurance in place) | We will not process your special categories of information for this purpose
To carry out fraud and anti-money laundering checks | To enter into or perform a contract; We have a legitimate interest (to ensure that we take all necessary precautions to prevent fraud) | The prevention and detection of fraud is in the substantial public interest; To establish, exercise or defend legal rights
To comply with our legal or regulatory obligations | We have a legal or regulatory obligation | You have given us your explicit consent
Providing improved quality, training and security (e.g. through recorded or monitored phone calls to / from us) | We have a legitimate interest (to develop and improve our products and services) | We will not process your special categories of information for this purpose
To manage and handle your queries | To enter into or perform a contract; We have a legitimate interest (to effectively manage our business and respond to queries) | You have given us your explicit consent

Who will we share your personal information with?

On occasion, we will share personal information within Hastings Group Holdings plc or with the following third parties for the purposes laid out in the table above:

  • Third party suppliers we appoint to help us carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers, our subcontractors and tax advisers
  • Financial crime detection agencies and loans industry financial crime databases (such as for fraud prevention and checking against international sanctions) including Cifas, the National Fraud Database
  • Government agencies and bodies such as regulators (e.g. Financial Conduct Authority)
  • The police and other crime prevention and detection agencies. We and fraud prevention agencies may enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime
  • Selected third parties in connection with any sale, transfer or disposal of our business.

3.4. Use of our website.

What personal information will we collect and where will we collect it from?

We use various software including cookies and tags to improve your digital journey and to identify and prevent fraud. We collect and store information about how you access and use our website (including the website you visited before coming to our websites). We automatically receive the IP address of your computer, mobile device, or the proxy server you use to access the Internet and this may include information to identify your browser or device to analyse web traffic.

Fraud prevention cookies collect information about certain features of your device, such as your IP address, device type, browser type, screen resolution and operating system. This is to prevent and detect devices associated with fraudulent or other malicious activity and allows us to authenticate your account.

What will we use your personal information for?

We may process your personal information for a number of different purposes. We must have a legal ground for each purpose, and we will rely on the following ground:

  • We have a legitimate interest to use your personal information such as maintaining our business records, monitoring usage of our website and marketing our services and improving our business model and services. When using your personal information in this way, we have considered your rights and ensured that our business need does not cause you harm.

We’ve shown how we use your personal information, and the legal grounds we rely on, in the table below:

Type of Processing | Grounds for using personal information | Grounds for special categories
Communicating with you and responding to any enquiries you have | We have a legitimate interest (to respond to any enquiries) | We will not process your special categories of information for this purpose
Monitoring usage of our websites | We have a legitimate interest (to assess usage of our website) | We will not process your special categories of information for this purpose

4. What is our approach to sending your personal data abroad.

Sometimes we will transfer personal information that we collect about you to countries outside of the European Economic Area (“EEA”).

Where a transfer occurs we will take steps to ensure that your personal information is protected.

We will do this using a number of different methods including:

  • Some countries have been deemed by the EU to have adequate privacy legislation and are then deemed to be equivalent to processing within the EU. You can find out more about adequacy status at: https://ec.europa.eu/info/law/law-topic/data-protection/internationaldimension-data-protection/adequacy-decisions_en.
  • Putting in place appropriate contracts. We will use a set of contract wording known as the “standard contractual clauses” which has been approved by the data protection authorities
  • Transferring personal data only to those companies in the United States who are certified under the “Privacy Shield”. The Privacy Shield is a scheme under which companies certify that they provide an adequate level of data protection. You can find out more about the Privacy Shield at: https://www.privacyshield.gov/Individuals-in-Europe.

5. Marketing.

We take privacy very seriously and will only use your personal information for the purposes laid out in this Privacy Notice. When you have requested a quote or taken a loan from us we can contact you about similar products and services unless you have opted out. We will contact you about marketing – for example, to offer other services or to ask if you want to take part in a competition we might run.

You may have also given your permission for us to contact you when you visited a price comparison site and obtained a loans quote. This would be because our product featured in the top few providers with the most competitive price and you wished for us to contact you.

You are free to object to receiving any marketing material and can edit your marketing preferences at any time. To opt out of marketing communications please click “unsubscribe” on any marketing message we send you or call in.

Please be aware that we have a legitimate interest to be able to contact you to discuss how your loan is being administered. This form of contact falls outside of your marketing preferences and must continue in order for us to be able to provide you with a loan effectively. This will never include marketing material and all information will be strictly related to your loan.

6. How long do we keep your personal information for.

We will keep your personal information for as long as reasonably necessary to fulfil the purposes set out in section 3 above and to comply with our legal and regulatory obligations. We have a detailed retention policy in place which governs how long we will hold different types of information for. The exact time period will depend on the purpose for which we collect that information, for example:

Quotes: 3 years

Loan Information and data: 6 years after a loan is settled and no further action on the account is required

Complaints: 6 years after the complaint has been closed

Please note that in the circumstances of the prevention or detection of crime and the apprehension or prosecution of offenders HISL and agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to 6 years.

7. Automated processing.

If a human is involved in the decision at any point then it is not considered an automated decision.

Where we have to make a decision about your loan, we may make decisions using automated processing as part of the agreement decision process. The process considers the information that you provide us as well as information from other sources to determine whether your application for a loan can be accepted and the rate of interest charged.

The automated decisions include:

  • The creation of pricing models and risk acceptance criteria
  • The application of the pricing and risk models using data we hold about you, to accept or decline your request for a loan and to calculate the rate of interest applied
  • Assessing your ability to repay the loan balance and monthly instalments
  • Assessing the risk of fraud being committed on your account.

As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.

8. Your rights.

Under data protection law you have a number of rights in relation to the personal information that we hold about you. You can exercise these rights by contacting us. We will not usually charge you in relation to a request.

The right to access your personal information: You are entitled to a copy of the personal information we hold about you and certain details of how we use it. We will usually provide your personal information to you in writing unless you request otherwise. Where your request has been made electronically (e.g. by email), a copy of your personal information will be provided to you by electronic means where possible.
The right to rectification: We take reasonable steps to ensure that the information we hold about you is accurate and where necessary up to date and complete. If you believe that there are any inaccuracies, discrepancies or gaps in the information we hold about you, you can contact us and ask us to update or amend it.
The right to erasure: This is sometimes known as the ‘right to be forgotten’. It entitles you, in certain circumstances, to request deletion of your personal information. For example, where we no longer need your personal information for the original purpose we collected it for or where you have exercised your right to withdraw consent. Whilst we will assess every request, there are other factors that will need to be taken into consideration. For example we may be unable to erase your information as you have requested because we have a regulatory obligation to keep it.
The right to restriction of processing: In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to use your personal information.
The right to data portability: In certain circumstances, you can request that we transfer personal information that you have provided to us to a third party.
The right to object to marketing: You have control over the extent to which we market to you and you have the right to request that we stop sending you marketing messages at any time. You can do this either by clicking on the “unsubscribe” button in any email that we send to you or by contacting us. Please note that even if you exercise this right because you do not want to receive marketing messages, we may still send you service related communications where necessary.
The right to object to processing: In addition to the right to object to marketing, in certain circumstances you will also have the right to object to us processing your personal information. This will be when we are relying on there being a legitimate interest to process your personal information. Please note, in some circumstances we will not be able to cease processing your information, but we will let you know if this is the case.
Rights relating to automated decisions: If you have been subject to an automated decision and do not agree with the outcome, you can ask us to review it.
The right to withdraw consent: Where we rely on your consent in order to process your personal information, you have the right to withdraw such consent to further use of your personal information. Please note that for some purposes, we need your consent in order to manage your loan. We will advise you of any issues this may cause at the point you seek to withdraw your consent.
The right to lodge a complaint with the ICO: You have a right to complain to the Information Commissioner’s Office if you believe that any use of your personal information by us is in breach of applicable data protection laws and / or regulations. More information can be found on the Information Commissioner’s Office website: www.ico.org.uk. This will not affect any other legal rights or remedies that you have.

Please note, there may be some circumstances where we cannot comply with your request such as where complying with it would mean that we couldn’t comply with our own legal or regulatory requirements. In these instances we will let you know why we cannot comply with your request.

9. How we protect your information.

The protection of your personal data is important to us. We take a number of technical and procedural measures to protect personal data. For example:

  • Where we capture your personal information through our website, we will do this over a secure link using recognised industry standard technology (SSL) which encrypts data that is transmitted over the internet. Most browsers will indicate this by displaying a padlock symbol on the screen
  • We prevent unauthorised electronic access to servers by use of suitable firewalls and network security measures. We use strong internal antivirus and malware monitoring tools and conduct regular vulnerability scans to protect our internal infrastructure and also to protect communications we may send you electronically. Our servers are located in secure datacentres that are operated to a recognised industry standard. Only authorised people are allowed entry and this is only in certain situations
  • We ensure that only authorised persons within our business have access to your data and conduct regular checks to validate that only the correct people have access. We promote responsible access to data and segregate who can see what data within the organisation
  • Internally in our organisation, we have password policies in place which ensure passwords are strong and complex and are changed regularly
  • We use secure email exchange where necessary for sensitive data and have monitoring on all email we send and receive
  • We schedule periodic checks of all security measures to ensure they continue to be efficient and effective, taking into account technological developments.

10. Contact us.

You may contact our Data Protection Officer if you would like to exercise the rights set out above, or if you have any questions about how we collect, store or use your personal information.

Write to: ‘The Data Protection Team’ at Hastings Insurance Services Limited, Conquest House, Collington Avenue, Bexhill-on-Sea TN39 3LW

or

Email: dataprotection@hastingsdirect.com

or

You can request any of your rights by calling into Hastings Direct.

11. Updates to this Privacy Notice.

We may need to make changes to this Privacy Notice periodically, for example, as the result of government regulation, new technologies, or other developments in data protection laws or privacy generally or where we identify new sources and uses of personal information (provided such use is compatible with the purposes for which the personal information was originally collected). The Data Protection Officer will ensure that this document is updated regularly or as legislation requires.