Privacy Notice

How we use your personal information

GDPR & Data Protection Frequently Asked Questions

What is GDPR?

The General Data Protection Regulation (GDPR) is a new regulation set by the European Parliament which aims to strengthen and unify data protection for all individuals within the European Union. For more information please visit the Information Commissioner’s Office website below:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Who we are

Premium Credit (‘we / us’) is a finance company which provides affordable finance options for several products and services such as car insurance, football tickets, school fees and much more.

Why is GDPR relevant to Premium Credit, and to you as a customer?

GDPR is relevant to us because it sets out how we can collect, process and store your personal information. It also provides certain rights to you in respect of the personal information which we collect, process and store.

What personal information do we collect?

We collect any personal and financial information necessary to carry out due diligence checks and provide financial agreements. Personal information means any information relating to an identified or identifiable natural person, such as name, address, date of birth, telephone number, email address, bank account number and sort code, proof of address and proof of identity. This includes data which either by itself or with other data held by us or available to us, can be used to identify you.

How do we capture your personal information?

We obtain personal and financial information directly from you, or indirectly from our credit intermediaries, your service providers, credit reference agencies, fraud prevention agencies or similar companies who carry out identity, verification or other checks.

Why do we need this information and what do we do with it?

We will use your data to carry out regulatory and due diligence checks before, and during the setup of a financial agreement option, including credit reference agency checks which may leave a ‘footprint’ on your credit file. This means that the credit reference agency will add details of our search to your CRA record, which will be seen by other organisations making searches (for example other lenders or providers of credit).

For more information about how we process your personal data, please refer to part D of your credit agreement.

Do we share your personal information with other organisations or third parties?

We may share your personal information with various third parties including (but not limited to) the following: 

• Credit reference agencies 

• Collection and recoveries agencies

• The Police and fraud prevention agencies or other regulatory authorities or government agencies

• Debt collection agents

• Agents and advisers who we use to help run your accounts and services

• Any intermediary

• Any service provider

• HM Revenue & Customs, regulators and other authorities 

• If you have a debit, credit or charge card with us, we will share transaction details with companies which help us to provide this service (such as Visa and Mastercard)

• Our professional advisors and our auditors

How can you see what personal information we hold about you?

Personal information we hold about you can be requested by completing the following form.

Data Subject Access Request Form

For how long will we keep your personal information?

We will keep your personal information for as long as we need it to fulfil the purposes for which it was collected. We will keep personal information after that in order to comply with legal and regulatory requirements. If you would like further information about our data retention practices, please contact us.

Can you ask us to delete the personal information we hold about you?

Yes, you may request us to delete your personal information by submitting a request to DataProtectionOfficer@pcl.co.uk

Please note your request to delete your personal information will be refused where it is lawful and permitted to do so under data protection law, such as where the personal information has to be retained to comply with legal obligations or to exercise or defend legal claims.

Is your personal information safe?

We will ensure we have appropriate physical and technological security measures to protect your information regardless of where it’s held. If we outsource any processes, we will ensure the supplier has appropriate security measures in place and they will be required to comply with GDPR.

How can you contact us?

If you have any questions or queries about the personal information we collect, process and store about you, you can contact us in writing to The Data Protection Officer, Premium Credit Ltd, Ermyn House, Ermyn Way, Leatherhead, Surrey KT22 8UX or by telephone: 0344 736 9836. Alternatively please visit the ‘my support’ pages of our website at http://www.support.mypremiumcredit.com/ where you can choose from a number of options including ‘Changing my details’ or ‘Contact us’.

Where can you find more information?

For more information about how we process your personal data, please refer to part D of your credit agreement. 

How we use your personal information

Personal information means any information relating to an identified or identifiable natural person.  This includes data which either by itself or with other data held by us or available to us, can be used to identify you.  Your personal information comprises personal and financial information that we have obtained from you, the Intermediary(s), your Service Provider(s), credit reference agencies, fraud prevention agencies or similar companies who carry out identity, verification or other checks.  We collect your personal information directly from you and we obtain it indirectly from these other sources.  We also keep information about the conduct of your Account and any communications between us. 

By entering into this Agreement you confirm that all information provided to us or to the Intermediary(s) by you or on your behalf, and either as part of your application for credit or at any time afterwards, is true, complete and accurate in all respects.  If your personal information such as your marital status, contact details, or home address changes you must inform us without delay.  See ‘Contact us’ below.

Personal information also includes special categories of personal data.  This is data about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation (as relevant).  We do not usually ask you for this type of information nor do we obtain it from third party sources (such as the Intermediary(s)).  The exception is data concerning your health – this may be processed if you volunteer this information when we ask you about the conduct of your Account, for instance, if you tell us that you are unable to meet repayments because you have a health condition.  Personal information also includes criminal convictions and offence details and we may process these if fraud prevention agency checks reveal a fraud or if we identify a fraud on your Account.  

 

What we may use and process your personal information for and the legal basis for our use and processing

We are required by data protection law to indicate to you the legal basis which relates to our use and processing of your personal information.  This may include (as relevant):

  • Processing that is necessary for performance of a contract (in particular, this Credit Agreement) or in order to take steps at your request prior to entering into a contract
  • Processing that is necessary for our own legitimate interests or those of third parties provided these are not overridden by your interests and fundamental rights and freedoms – such as: (a) to protect our business information, our premises and our staff; (b) for management and audit of our business operations including auditing; (c) for market research and analysis including developing statistics (we may anonymise your personal information prior to this – see below); (d) to administer your Account and to provide customer service and support functions including those made available on our website and over the telephone; (e) for direct marketing (subject always to your consent, where that is required); (f) when there is a sale or reorganisation of our business assets (in that scenario purchasers may be able to obtain personal information from us where necessary for their own legitimate interests of preparing for completion of the sale or reorganisation); (g)  for systems or other testing and analysis to help us with systems and product development (we may anonymise your personal information prior to this – see below); (h) for the monitoring purposes described below; and (i) for our corporate governance related purposes including compliance oversight and sample checking.
  • Processing that is necessary to comply with a legal obligation (other than a contractual obligation) – such as: (a) to process your request for information or when you exercise your rights against us under data protection law; (b) for compliance with legal and regulatory requirements; (c) for establishment and defence of legal rights; (d) for activities relating to the prevention, detection and investigation of crime; (e) to verify identity/ies; and (f) to perform checks at credit reference agencies and fraud prevention agencies. 
  • Processing that is based on your freely given, specific, informed and unambiguous consent – such as: (a) when you consent to direct marketing; (b) when you give your explicit consent in relation to data concerning your health if you volunteer this information when we ask you about the conduct of your Account; and (c) when you specifically request that we share your personal information with a third party such as your next of kin or another person to whom you have given a power of attorney in connection with the credit you have obtained from us.  You are entitled to withdraw your consent at any time.  If you do this and if there is no alternative lawful reason which justifies our processing of your Personal Information for a particular purpose, this may affect what you are entitled to receive from us. For instance, if you withdraw your consent to direct marketing, we will stop using it for that purpose and we will not inform you about our other products and services unless you alter your preferences again in future. 

Credit scoring and checks at credit reference agencies

This information is condensed.  For full details about our sharing of your personal information with the credit reference agencies (CRAs) please contact us (details below).

We may use your personal information to help us assess your eligibility for credit as part of your application for credit and, if you obtain credit, in managing your Account, as well as to confirm and verify your identity and other details, and by entering into this Agreement you agree that we may:

(a) search your records at CRAs when you first enter into this Agreement and periodically during the term of this Agreement such as if you apply to increase the credit amount. These searches will tell us about your credit history.  When the CRAs receive a search from us they will place a footprint on your credit file and in this way they will add to their record about you details of our search which will be seen by other organisations making searches (for example, other lenders or providers of credit).  These details will be used by those other organisations when assessing your applications for credit.  Credit searches and other personal information about you which we provide to the CRAs will be used by the CRAs and shared with those other organisations to trace your whereabouts, recover debts that you owe and to verify your identity.  Records remain on file at the CRAs for 6 years after they are closed, whether settled by you or defaulted.  We, the Intermediary and a Service Provider may use information about you and the conduct of your Account to help make credit, credit-related and Service-related decisions about you or to trace debt and to fight fraud, money-laundering, terrorism and other crimes and to keep to any laws or regulations in any country;

(b) use a credit scoring or other automated decision-making system (this means that we will do automated credit scoring using details obtained from you, the Intermediary, and from the CRAs, to make decisions without human intervention about whether or not you are likely to meet the repayments on your Account – we will do this when assessing your application for credit and periodically after that if you apply to increase your credit limit then a decision will be taken based on the credit score).

Linked records

If you tell us that you have a spouse or financial associate, which creates a joint financial unit in a similar way to a married couple – for example if you share the same address, we may search, link and/or record information at the CRAs about you both; link any individual identified as your financial associate in our own records, take both your and their information into account in future applications by either or both of you; and continue this linking until one of you notifies us that you are no longer in a financial unit together.  Information held about you by CRAs may be linked to records relating to any such person.  When we search for information about you at credit reference agencies we may also search for information about the people with whom you are linked, and use that information about you when deciding whether or not to go ahead with this Agreement.  We may also use information about you when making a decision about a person with whom your records are linked.    

Whether or not we go ahead with this Agreement your records may become linked to any person revealed to be linked to you by this Agreement (for example a joint applicant).  When the CRAs receive a search from us they will link together your records and these links will remain on their files until such time as you or the other person successfully files for a disassociation at the CRAs.  If your circumstances change such that you are no longer a financial unit with another person you should contact the CRAs about this.

Obtaining details of credit reference agencies and copies of your data

You can contact us by writing to us at Premium Credit Ltd, Ermyn House, Ermyn Way, Leatherhead, Surrey, KT22 8UX to request:

(a) details of the credit reference agencies we use (as mentioned above, you will need to contact the credit reference agency directly about the information they hold about you for which you will have to pay them a fee); and

(b) a copy of the personal information we hold about you (further details below on this – see “Your rights under applicable data protection law”). 

The CRAs operating in the UK are CallCredit, Equifax and Experian.  You can contact them to find out what information they hold about you.  The information they hold may not be the same so you may wish to contact more than one.  They are entitled to charge a small statutory fee. The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, their data retention periods and your data protection rights with the CRAs are explained in more detail at the websites below:

Checks at fraud prevention agencies
 
We will check your personal information with fraud prevention agencies (FPAs) when you first enter into this Agreement and periodically during the term of this Agreement such as if you apply to increase the credit amount.  If false or inaccurate information is provided and fraud is identified, details will be passed to FPAs.  Law enforcement agencies may access and use this information.  We and other organisations may use this information to prevent crime including fraud and money-laundering, for example when checking details on applications for credit related or other facilities, managing credit and debt related accounts or facilities and recovering debt.
 
Monitoring
 
We may monitor and record telephone calls and monitor email communications with you for the purpose of quality control, security and training, resolving complaints and/or to evidence the nature and contents of such conversations.  In addition, we may do this where necessary for compliance with regulatory rules or self-regulatory practices or procedures relevant to our business and to prevent or detect crime. 
 
Data anonymisation and use of aggregated information
 
We may convert your personal information into statistical or aggregated form so that you are not identified or identifiable from it.  We may use this aggregated data to conduct research and analysis and to produce statistical research and reports.  For instance, this may help us to understand how many of our customers’ Accounts are in arrears at any given time.  Aggregated data may be shared with our affiliates.
 
Who we may give your personal information to
 
We may give information about you, your Account (including, where relevant, the bank details we hold) and the conduct of your Account to credit reference agencies and fraud prevention agencies (see above), any Intermediary (including an Intermediary who no longer acts for you or an Intermediary to whom you have transferred including by your own volition or as part of a business sale), any Service Provider, any agent or administrator acting on our, an Intermediary or Service Provider’s behalf, any wholesale intermediary that arranges the Service from a Service Provider on behalf of an Intermediary, any network, cooperative or similar association which an Intermediary is a member of, any of our suppliers (this would include for instance IT software providers and providers of IT support services), debt collection agents, any party to which we transfer, assign or charge this Agreement or our interest in this Agreement (or any party to whom we are considering transferring, assigning or charging this Agreement or our interest in this Agreement) and their insurers and advisers, or any third party from whose bank accounts you make payments under the Agreement (we may provide a copy of this Agreement to your bank, in this way, to evidence that we are able to take payment from your account).  We may disclose your personal information where necessary to providers of indemnity insurance to our business.
 
We may also give information to the police, fraud prevention agencies or other regulatory authorities or government agencies if required to do so by law or where we are required to do so in response to requests from all such persons, or if you give us false or inaccurate information and we suspect fraud (further details above).  We will disclose it where compelled to do so by the Courts and for the administration of justice.
 
We may share your personal information with our professional advisors and our auditors.    
If you have more than one agreement with us, we may hold and update information relating to your name, address and contact details on our central database and disclose such information to any organisation who submits an application for credit to us on your behalf for the purposes of such application and any related agreement, so they can update their records about you to continue providing you with services, identify products and services which might be suitable for you, recover amounts owing from you and to prevent fraud. 
 
Transfers outside the EEA
 
We may transfer your personal information to countries outside of the European Economic Area which do not have adequate protections for personal information under their own applicable laws.  For instance, this may happen if we use service providers.  Where we transfer your data outside the EEA we will only do so in accordance with our obligations under applicable data protection law.  Steps will be taken to put in place safeguards (including around security) to protect your personal information when it is outside the EEA.  
 
Safeguards may include the Standard Data Protection Clauses (also known as EU Model Clauses). You can find out what these are here:  http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm. Transfers may also happen based on the US Privacy Shield.  Details here:  https://www.privacyshield.gov/welcome. You can contact us for a copy of EU Model Clauses.
 
Retention period or criteria used to determine the retention period
 
We will keep your personal information for as long as we need it to fulfil the purposes for which it was collected (see above).  We will keep certain personal information after that in order to comply with legal and regulatory requirements.  The criteria we use to determine data retention periods for Personal Information include the following:
  • Retention in case of queries.  We will retain your personal information in case of queries from you about your Account;
  • Retention in case of claims.  We will retain your personal information for the period in which you might bring claims against us in connection with this Agreement;
  • Retention in accordance with legal and regulatory requirements.  We will retain your personal information after the periods described above as necessary in order to comply with our regulatory compliance obligations.  

If you would like further information about our data retention practices you can ask for this at any time (contact details below).

Your rights under applicable data protection law
There are various rights under data protection law and these will not always be relevant to you.  We have described below what the rights are but please do be aware that they will not be engaged in all circumstances.  If you wish to exercise any of these rights please contact us (details below).
  • The right to obtain access to personal data that we hold about you and certain prescribed information about how we process it.  This is more commonly known as submitting a “data subject access request” – you must do this in writing and the purpose of this right is to enable you to obtain confirmation that your data is being processed, access to your personal data, and other supplementary information about how it is processed.  All this is to ensure you can be aware of and can verify the lawfulness of the processing.
  • The right to obtain from us without undue delay the rectification of inaccurate personal information concerning yourself and to have incomplete personal data completed in certain circumstances.
  • The right to obtain from us the erasure of personal information concerning yourself without undue delay in certain circumstances (also known as the “right to be forgotten”).  This right is not absolute – it applies only in particular circumstances and where it does not apply any request for erasure will be rejected.  Circumstances when it might apply include where the personal information is no longer necessary in relation to the purpose for which it was originally collected/processed, when consent is withdrawn (if relevant), when the individual objects to processing and there is no overriding legitimate interest for continuing the processing, if the personal information is unlawfully processed, or if the personal information has to be erased to comply with a legal obligation.  Erasure requests will be refused where that is lawful and permitted under data protection law such as where the personal information has to be retained to comply with legal obligations or to exercise or defend legal claims.
  • The right to obtain the restriction of processing of your personal information may be relevant if you contest the accuracy of your personal information and its accuracy is being verified; when the processing is unlawful and you request that use of the personal information is restricted and where you do not want erasure instead; or when we no longer need to process the personal information but you require the personal information to be retained in case of future legal claims.
  • The right to data portability where the personal information is processed by us based on a consent or on a contract and by automated means (as relevant).  This right allows individuals to obtain and reuse their personal information for their own purposes across different services without hindrance to usability.  It is important to understand that this right is different from the right of access (see above) and this means that the types of information that you can receive through the right of portability are different to the types you could receive under the right of access.  Under data portability you can only receive personal information where it is processed based on your consent or explicit consent in the case of special categories of personal information, or processing that is happening based on it being necessary for performance of a contract (such as this Agreement) or in order to take steps at your request prior to entering into a contract, and where the processing is carried out by automated means.  This means that you are not able to obtain through the data portability right all of the personal information that you are able to obtain through the right of access.
  • The right to object to processing of your personal information – this right allows individuals in certain circumstances to object to processing based on legitimate interests, including profiling based on legitimate interests; direct marketing; and processing for purposes of statistics.
  • Rights relating to automated decision making about you including profiling (as relevant) if this has a legal or other significant effect on you as an individual – this right allows individuals in certain circumstances to access certain safeguards against the risk that a potentially damaging decision is taken without human intervention. 

Contact us
 
If you have questions or queries about this data protection notice you can contact us by writing to us (see address above) or by telephone 0344 736 9836.  Alternatively, please visit the ‘my support’ pages of our website at http://www.support.mypremiumcredit.com/  where you can choose from a number of options including ‘Changing my details’ or ‘Contact us’.
 
Our Data Protection Officer
 
The contact details of our DPO are available on our website: http://help.premiumcredit.com/Contact-Us/.
 
Your right to lodge complaints with the data privacy supervisory authority
 
Please note that here we mean the Information Commissioner’s Office (details below) – this is entirely distinct from the supervisory authority referenced in the Agreement.  
 
Without prejudice to any other administrative or judicial remedy you might have, you have the right to lodge a complaint with the data protection supervisory authority in the UK.  You may do this if you consider that we have infringed the applicable data protection law.  In the UK, the supervisory authority who is empowered to investigate whether we are complying with the data protection law is called the Information Commissioner’s Office.   For more details including how to contact the ICO please visit its website: https://ico.org.uk/