AFFINITI FINANCE LIMITED PRIVACY STATEMENT & POLICY
OUR PRIVACY COMMITTMENT & LEGAL OBLIGATIONS
Affiniti Finance Limited is wholly committed to treating you fairly and protecting your privacy relating to your personal information, and how it is processed and used, and we will only process and use your personal information in accordance with the current data protection law in the United Kingdom, as set out in this Privacy Statement and Policy.
We consistently seek to ensure that we operate our Privacy Statement and Policy within a context of lawfulness, fairness and transparency. We will seek to ensure that our policies comply with the following principles:
- Processing must be lawful and fair.
- The processing purposes must be specified, explicit and legitimate.
- Personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
- Personal data must be accurate and, where necessary, kept up to date.
- Personal data must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisation measures.
As a result of the European Union’s General Data Protection Regulation (“ GDPR”) which became enshrined in UK law as a result of the Data Protection Act 2018 (“DPA”) and the enabling Regulation, “Personal Data” is defined (under section 3 of the DPA) as meaning:
“… any information relating to an identified or identifiable living individual by reference to an identifier such as a name, an identification number, location data or an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”
DATA CONTROLLER and PROCESSOR
A Data Controller is defined, in sections 3 and 32 of the DPA, as the individual or legal person who controls and is responsible for keeping and using personal data in paper or electronic files.
A Data Processor means any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller).
Affiniti Finance Limited is the Data Controller, as defined by relevant data protection laws and regulation.
Processing is broadly defined to include obtaining, recording, holding, using, disclosing or erasing data (section 1(1), DPA).
The necessary conditions for lawful processing are set out in Article 6 of the GDPR and section 8 of DPA.
One or more of the following six conditions must apply, each and every time personal data is to be processed:
- The processing has been done with the “freely given, specific, informed and unambiguous” consent of the data subject for one or more specific purposes. In this instance, you will have given Affiniti Finance Limited your informed consent for your personal data to be processed for a specific purpose.
- It is necessary for entering or the performance of a contract to which the data subject is party. In this instance, the processing is necessary for a contract you have with Affiniti Finance Limited, or Affiniti Finance Limited has asked you to take specific steps before entering into a contract.
- It is necessary for compliance with a legal obligation to which the controller is subject. This would mean that the processing is necessary for Affiniti Finance Limited to comply with the law; though not including contractual obligations, which are dealt with at paragraph 2, above.
- Is necessary for protecting the vital interests of the data This would occur where processing is necessary to protect your vital interests, such as your life.
- Is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed (see Section 8, Data Protection Act 2018 for public interest grounds).
- Is necessary for the purposes of the legitimate interests pursued by the controller or a third party except where those interests are overridden by the interests or fundamental rights and freedoms of the data. In such circumstances, the processing is necessary for Affiniti Finance Limited’s legitimate interests, or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests.
THE PERSONAL DATA THAT CAN BE COLLECTED
We may collect and process various types of personal data about you including, but not limited to: Personal information, such as name and address, telephone number, passport number, email and Internet Protocol address; your password for password protected platforms or services used by us; gender and family details; lifestyle and hobbies; employment and education and training data; information collected from publicly available resources, integrity data bases and credit agencies; health-related information; financial information, including bank details; criminal record checks, contractual information (for example, goods and services provided to or by you, as the data subject) and information about relevant and significant litigation or other legal proceedings brought by or against you or a third party related to you (corporate or individual) and any relevant connection with you.
HOW WE OBTAIN YOUR PERSONAL DATA
We may collect personal data about you in a number of circumstances, including (but not limited to) when you or your firm, company or organisation:
- seek funding for litigation purposes;
- are a party to a litigation case being considered for funding, or are funded, by Affiniti Finance Limited;
- browse, make an enquiry or otherwise interact with us, on our website;
- attend any Affiniti Finance Limited conference or seminar;
- sign up to receive any information from Affiniti Finance Limited;
- offer to provide services to Affiniti Finance Limited.
In some circumstances, we may collect personal data about you from a third-party source. For example, we may collect personal data from your firm, company or organisation, other firms, companies or organisations with whom you have dealings, government agencies, credit reporting agencies, and an information or service provider or from publicly available records.
WHY WE COLLECT PERSONAL DATA
The information we collect helps us to better understand your needs and requirements and provide you with a better service, in particular for the following reasons:
- to inform decisions about future business strategies;
- to advise and inform funding decisions;
- to assist in managing funding;
- for internal record keeping;
- to generally improve our products and services;
- to meet our regulatory and legal obligations, such as knowing you as our client or potential client, GDPR, anti-money laundering and fraud prevention;
- to send emails, texts and letters to you about our products/services, events or other information which we think you may find interesting, using the contact details you will have provided to us. You can change your mind on how you receive these messages or choose to stop receiving them at any time. Even if you tell us to not use a particular method of communication we will continue to use your other contact details to provide you with important information about our funding and or we need to tell you something to comply with our regulatory obligations.
THE PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA
We may use your personal data for the following purposes only (“Permitted Purposes”):
- to evaluate, supervise and manage our funding of litigation cases;
- to evaluate and manage our funding;
- to aid in managing our investor relationships;
- to provide any services requested by you or your firm, company or organisation;
- to manage and administer your or your firm’s, company’s or organisation’s business relationship with Affiniti Finance limited, including administering payments, accounting, auditing, invoicing, compliance and all collection and necessary support services;
- to comply with investigation and screening or recording obligations (e.g. anti-money laundering, fraud and crime prevention purposes), which may include automated checks of personal data or other information you provide about your identity against applicable sanction lists, whilst conducting business;
- to analyse and improve our services and communications;
- to protect the security of, and administer access to, our premises, IT and communication systems, online platforms, websites and other systems, preventing and detecting security threats, fraud or other criminal or malicious or wrongful activities;
- to identify persons authorised to instruct Affiniti Finance limited and sign any relevant documentation;
- compliance with our legal and regulatory obligations and requests, domestically and anywhere in the world, including reporting to and/or being audited by national and international regulatory bodies;
- compliance with court orders and applications and/or so as to uphold or defend our legal obligations and rights;
- keeping you up to date on the latest announcements, events and other new information which we feel might be of interest to you;
- any customer surveys and marketing campaigns or other promotional activities or events;
- collecting information about your preferences to create a user profile to personalise our communication and interaction with you.
YOUR RIGHTS WHICH ARISE IN RESPECT OF YOUR PERSONAL DATA
- The right to request subject access.You, as the data subject, shall have the right to obtain from us, as the data controller, confirmation as to whether or not personal data concerning you is being processed. Where such data is being processed, you have the right to be provided with the following information:
- The purposes of the processing.
- The categories of personal data concerned.
- The recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations.
- Where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period.
- The existence of the right to request from us, as the data controller, rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
- The right to lodge a complaint.
- Where the personal data is not collected from you, the data subject, any available information as to its source.
- The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you as the data subject.
- The right to rectification. This is the right to accuracy. This means that you will be able to request us, as the controller, to correct inaccurate personal data, and to obtain completion of incomplete personal data.
- The right to erasure or right to be forgotten. We, as the controller, shall communicate any rectification or erasure of personal data carried out in accordance with the DPA to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
- The right to restriction of processing. We, as the controller, shall communicate any restriction of processing carried out in accordance with the DPA to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
- The right to be informed. We, as the controller, shall inform you, as the data subject, about those recipients if the data subject requests it, in accordance with the DPA.
- The right to data portability. You have the right to have provided to you or other controllers, free of charge, a copy of your personal data in an electronic and structured format that allows for further use by the data subject. The statute states that the right only applies in the following circumstances:
- Where you have provided the data to the controller.
- That you, as the data subject, have given your consent to the processing, or the processing is based on the performance of a contract.
- The processing is carried out by automated means
Where technically feasible, you as the data subject can request to have the data transmitted directly from one controller to another. The right of data portability shall not adversely affect the rights and freedoms of others. We, as controller, will respond without undue delay and at the latest within one month, although this can be extended to two months where the request is complex.
- The right to object. You have a right to object, based on grounds relating to your particular situation, to our data processing activities (including profiling): (i) carried out in the public interest or in the exercise of official authority vested in the controller, and (ii) carried out on the basis of a legitimate interest of the controller. We, as the controller, must stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of you, as the data subject, or for the establishment, exercise or defence of legal claims.
You also have the right to object to processing for direct marketing purposes and you are not required to indicate specified justifications.
- The right not to be subject to a decision based solely on automated processing. The DPA includes rights in relation to processing that involves automated decision-making. At any time by written notice, you may require us, as the data controller, to ensure that no decision significantly affecting you is based solely on the automated processing of your personal data for the purpose of evaluating matters relating to you (such as creditworthiness or employment or business status). This right will not, however, apply where the decision concerns entering into or performing a contract with the individual and the decision has the effect of granting a request of the individual (for example, the individual is granted the loan applied for) or steps have been taken to safeguard his legitimate interests (for example, the individual is given the opportunity to make representations).
In certain circumstances, you, as the data subject, have the right to an explanation as to how any automated decisions taken about you have been made. This right arises where any automated processing is the sole basis for a decision which significantly affects you. In this case, you will have the right to be informed by us, as the data controller, that the decision was made on that basis and to require us to reconsider or take a new decision on another basis.
RIGHT OF ACCESS TO YOUR PERSONAL DATA
Information is stored by Affiniti Finance Limited on its computers, which are located in the United Kingdom. Affiniti Finance Limited has security policies in place to manage and record your data privacy lawfully, and to ensure that your data is stored securely to protect against its loss, misuse and alteration.
In addition, Affiniti Finance Limited takes all practicable steps to ensure that any businesses with which we share your data will have compliant security policies in place to lawfully manage and record your data privacy and that your data will be properly stored, in accordance with the DPA and GDPR.
THE RIGHT TO DISCLOSURE OF YOUR PERSONAL INFORMATION
As an authorised and regulated financial service provider of litigation funding, we often have to disclose client details to other organisations, including, for example, to credit-reference agencies. Although an individual’s financial information is not classified as sensitive personal data, it will be considered personal data and as such it will be processed in compliance with the DPA and the eight data protection principles, as set out above. Accordingly, we may exchange your personal information with certain third parties to assist in managing, administering and executing services including, but not limited to:
- That which is required by law or in the public interest.
- That which is required by our interests as the lender.
- That which is made with your express or implied consent.
- Our accountants, solicitors, actuaries, valuers and insurers.
- Businesses who are upgrading and maintaining our information technology system and providing information technology services.
- Authorised financial service institutions, such as banks and building societies.
- Businesses undertaking verification services.
- Businesses undertaking reviews of the accuracy of our information.
We may disclose your Personal Data to third-parties (outside of Affiniti Finance Limited) if, but only when, we have a legal basis to do. Such recipients include, but are not limited to: legal counsel, solicitors/barristers/experts/foreign law firms whom may be instructed on your behalf; Affiniti Finance Limited’s insurance brokers and underwriters; Affiniti Finance Limited’s bank, auditors and accountants; Affiniti Finance Limited’s outsourced IT providers and other suppliers; HMRC; the Solicitors Regulation Authority; the Law Society; the Financial Conduct Authority; the Information Commissioner’s Officer the Home Office and Passport Services.
WHERE WILL MY PERSONAL DATA BE PROCESSED?
As a data controller, Affiniti Finance Limited will retain all your information inside the European Economic Area (EEA). In circumstances where Affiniti Finance Limited may transfer your data to a third party, we will seek to ensure that the third party processes your data inside the EEA, or has been allocated an “adequacy” rating by the European Commission.
THE LENGTH OF TIME WE WILL KEEP YOUR PERSONAL DATA
We will not retain your personal data for longer than necessary and we will hold it only for the purposes for which it was obtained. The length of time we retain your personal data will depend on the purposes for which we use it and/or for as long as is necessary to comply with applicable laws and to establish, exercise or defend our legal rights.
HOW YOU MAY OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA
Where permitted by applicable law or regulation, you have the right to object to us processing your personal data or to tell us to stop processing it (including for purposes of direct marketing). Once we have received this request, we shall no longer process your personal data unless permitted by applicable laws and regulations.
WEBSITE COOKIES POLICY
Cookies are small text files that are placed on your computer, smartphone or other device when you access the internet.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you should be able to modify your browser setting to decline cookies, if you wish. This may prevent you from taking full advantage of the website.
We only use website cookies that help us to measure how users interact with our website content. None of the cookies we use collect your personal information and they cannot be used to identify you.
They also ensure that if you unsubscribe, we do not email you again. If you have enabled images, cookies may be set on your computer or device. Cookies will also be set if you click on any link within the email.
The types of cookies we use are:
(i) web beacons, which tell us whether you have opened the email, when, and how often, the location and whether you clicked a link, and
(ii) link tracking, whereby our emails contain a number of hyperlinks, each of which has a unique tag. When you click on one of these links the mailing company logs the click so that we can understand who has clicked through from an email to our website. We use this information to judge the effectiveness of our mailings.
(iii) necessary cookies, which help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
(iv) statistic cookies, which help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Our website may contain links to other websites of interest. However, once you use these links and leave our site, please note that we do not control the other website(s) and cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites.
Such sites are not governed by this privacy statement. We recommend you exercise caution and look at the privacy statement applicable to the website(s) in question.
REVIEWING AND UPDATING THIS PRIVACY STATEMENT AND POLICY
This privacy statement and policy was last updated in May 2020.
HOW TO CONTACT US
If you have any enquiries or questions about how we obtain or use your personal data, you can write to us at the address below, or contact us by email or telephone as follows:
Affiniti Finance Limited, The Meadows, Church Road, Dodleston, Chester, CH4 9NG.
Telephone: 0800 030 6694/01244 295007
APPEAL & REVIEW
If you are not satisfied with our response to any complaint you might have made, or if you believe our processing of your information does not comply with the relevant data protection law, you can make a complaint to the Information Commissioner’s Office (“ICO”) at the following address:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Telephone: 0303 123 1113
The Commissioner is responsible for enforcing the regime under the DPA. However, the Commissioner encourages individuals concerned about the use of their personal data to contact the relevant data controller in the first instance. If the data controller fails to respond appropriately (or at all) to complaints or requests, the data subject may then make a complaint to the Commissioner or, in certain circumstances, go directly to the courts to enforce his rights.
In particular, an individual has a right, where he believes himself to be directly affected by the processing of personal data, to make a request to the Commissioner for an assessment on whether the processing complies with the DPA (section 42). On receiving such a request, the Commissioner is obliged to carry out the assessment (which may include serving an information notice on the data controller requiring it to provide information to assist the Commissioner in making the assessment), and to notify the person making the request whether an assessment has been made and of any view formed or action taken as a result.
Where it finds a breach of the DPA, the Commissioner may serve data controllers with:
- Information notices, requiring data controllers to provide information about their processing operations (unless the information is self-incriminating or the subject of legal privilege).
- Special information notices.
- Enforcement notices, requiring data controllers to comply with the data protection principles.