Loans from Hastings Direct - Privacy Notice
Introduction
Your privacy's important to us and we go to great lengths to protect it. This privacy notice tells you about the personal data we hold about you and it explains how we may collect, use and share your details and tells you about your rights under data protection laws.
About Hastings Group Holdings Limited
Here at Hastings Group Holdings Limited, we'll always treat your personal data with respect and our products and services are designed with your privacy in mind. Hastings Group Holdings Limited includes the data controllers: Hastings Financial Services Limited and Hastings Insurance Services Limited ("HISL"). You can find HISL's privacy notice here.
1. About Hastings Financial Services Limited
We are Hastings Financial Services Limited (also referred to as 'Hastings', 'we', 'us' or 'our') and our registered office is at Conquest House, Collington Avenue, Bexhill-on-Sea, and East Sussex TN39 3LW. We trade under the name of Hastings Direct and our ICO registration number is ZB350021.
2. What we mean by personal information
“Personal information” means information that relates to you as an individual, whether linked to your name or any other way which you could be identified, such as your Loan account number.
Certain types of personal information are considered to be “special categories of information” due to their more sensitive nature. Sometimes we will ask for or obtain special categories of information because it is relevant to your Loan application. This Privacy Notice highlights where we are likely to obtain special categories of information, and the basis on which we process this data. We will only process special categories of information where they are relevant.
Special categories of information are Information about your health, criminal convictions, genetic or biometric data, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
3. How we use your personal information
The personal information that we collect will depend on our relationship with you. We have included a number of sections below – simply read those which most apply to your relationship with us.
If you provide personal information to us about other people you must provide them with a copy of this Privacy Notice, and obtain relevant consent from them where we have indicated in this Privacy Notice that we need it.
3.1. If you have taken out a quote for a loan
This section shows what personal information we collect about you and use if you are a prospective customer and have submitted your personal information so that we can provide you with a quote for a loan. This includes your use of a price comparison website to gain a quote from us.
What personal information will we collect and where will we collect it from?
We collect the following information provided by you by phone or web:
- Individual details: Your name, address, former addresses, contact details (e.g. email / telephone), gender, marital status, date of birth, nationality, length of time as a UK resident
- Employment information: Your job title and the nature of the industry you work in
- Income and household financial information including household dependents and bank account details
- Criminal convictions which are unspent under the Rehabilitation of Offenders Act
- Marketing preferences: Whether you have requested or not to receive marketing information
- Website usage, including cookies: See section below for details
- Other information: Information we capture during recordings of our inbound and outbound telephone calls, or if you make a complaint. This may include special categories of information you volunteer when communicating with us (we will not further process these without your explicit consent)
Before we provide services or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you. We use external sources to supplement and verify the information above, and also to provide the following new information:
- Credit and anti-fraud data: Credit history, credit score, sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements (IVAs) or county court judgements, information received from various anti-fraud databases and information about the device you are using. Some of this information (e.g. criminal offences) may include special categories of information relating to you.
- Demographic data: Lifestyle indicators such as income, education, and size of your household
- Open Banking data: With your consent, details about your income and banking transactions provided under the Open Banking initiative
- Open source data: Other information about you which is publicly available
The external sources that provide us with information about you include:
- The applicant
- Other third parties involved in the loans application process (such as the price comparison website used, or loan brokers)
- Credit reference agencies
- Providers of demographic data and vehicle data
- Account Information Service Providers enrolled in the Open Banking Initiative
- Financial crime detection agencies and lending industry financial crime databases (such as for fraud prevention and checking against international sanctions)
- Government agencies and regulators (e.g. Financial Conduct Authority)
- Publicly available sources (e.g. the electoral roll, court judgments, insolvency registers, internet search engines, news articles) and sources licenced under the Open Government Licence v 3.0
What will we use your personal information for?
We may process your personal information for a number of different purposes. We must have a legal basis for each purpose, and we will rely on the following bases:
- We need your personal information because it is necessary to enter into or perform a contract (e.g. you request a quote with a view to entering into an loan agreement)
- We have a legitimate interest to use your personal information (e.g. to keep a record of the decisions we make when different types of applications are made, keep business records, carry out strategic business analysis, review our business planning and/or develop and improve our products and services). When using your personal information in this way, we will always consider your rights and interests
- We have a legal or regulatory obligation to use your personal information (e.g. to meet record-keeping requirements of our regulators)
For special categories of information, we must have an additional legal basis for processing. We will rely on the following:
- You give us explicit consent to use this type of information
- It is in the substantial public interest and it is necessary to prevent and detect an unlawful act (e.g. fraud)
- To establish, exercise or defend legal claims (e.g. legal proceedings are being brought against us or we want to bring a legal claim ourselves)
The table below outlines the types of processing we will undertake and our legal basis for each type of processing.
Type of Processing | Basis for using personal information | Basis for special categories |
---|---|---|
To assess your loan application and provide a quote | To enter into or perform a contract | We will not process your special categories of information for this purpose |
To verify your identity, carry out fraud, credit and anti-money laundering checks | To enter into or perform a contract | Substantial public interest to prevent or detect unlawful acts |
To communicate with you and resolve any complaints that you might have |
|
|
To comply with our legal or regulatory obligations | We have a legal or regulatory obligation | To establish, exercise or defend legal rights |
To ensure that we consider any customers who may be in a vulnerable circumstance | We have a legitimate interest (to ensure a consistent service to all of our customers and that all customers are treated equally) | You have given your explicit consent |
To provide improved quality, training and security (e.g. through recorded or monitored phone calls to / from us, or customer satisfaction surveys) | We have a legitimate interest (to develop and improve our products and services) | We will not process your special categories of information for this purpose |
Managing our business operations (e.g. keeping accounting records, analysing financial results, meeting audit requirements, receiving professional advice, and holding our own insurance) | We have a legitimate interest (to carry out business operations and activities that are necessary for the everyday running of a business) | We will not process your special categories of information for this purpose |
For use by the Hastings Group Holdings Limited entities for administration and business improvement purposes including trend analysis, actuarial work, pricing analysis, analysis of customer experience, planning service delivery, product development, risk assessment and costs and charges | We have a legitimate interest (to develop and improve our products and services) | We will not process your special categories of information for this purpose |
To send you marketing materials about our products and services (with your permission) | We have a legitimate interest (to market our products) | We will not process your special categories of information for this purpose |
Whom will we share your personal information with?
On occasion, we will share personal information with the following third parties for the purposes laid out in the table above:
- The loan applicant
- Credit reference agencies
- Providers of demographic data
- Other entities within Hastings Group Holdings Limited
- Financial crime detection agencies and loans industry financial crime databases (such as for fraud prevention and checking against international sanctions)**
- Government agencies and bodies such as the HMRC, Department for Work & Pensions, or regulators (e.g. Financial Conduct Authority)
- Other third parties involved in the loans application process (such as the price comparison website used)
- Third party suppliers we appoint to help us carry out our everyday business activities including IT suppliers, subcontractors, and any outsourced service centre providers
- The police and other crime prevention and detection agencies. We and fraud prevention agencies may enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime
- Selected third parties in connection with any sale, transfer or disposal of our business
3.2. If you have a loan with us
What personal information will we collect and where will we collect it from?
In addition to the information provided to us by you in section 3.1 above when a quote is provided, we will obtain information about you during the lifetime of your loan. This information includes:
- Financial information: Bank and payment information
- Additional identification details: This may include items to verify your identity, residency, marital status and address. All of this information will be obtained from you, but can contain special categories of information (e.g. a driving licence details may show details of any motoring convictions). In some situations further information and/or copies outlined above may be requested to validate your identity
We use external sources to supplement and verify the information above, and also to provide the following new information:
- Credit and anti-fraud data: Credit history, credit score, sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements (IVAs) or county court judgements, and information received from various anti-fraud databases. Some of this information (e.g. criminal offences) may include special categories of information relating to you
- Demographic data: Lifestyle indicators such as income, education, and size of your household
- Open source data: Unstructured data which is in the public domain, when proportionate to do so this will including social media, about you, or the circumstances of any accident
The external sources that provide us with information about you include:
- Third party suppliers we appoint to help us to carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, debt collection agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisors
- Credit reference agencies
- Providers of demographic data
- Financial crime detection agencies and loans industry financial crime databases (such as for fraud prevention and checking against international sanctions)**
- Lending industry bodies and databases
- Government agencies and bodies such as the, HMRC, Department for Work & Pensions, or regulators (e.g. Financial Conduct Authority)
- Publicly available sources (e.g. the electoral roll, court judgments, insolvency registers, internet search engines, news articles, social media) and sources licenced under the Open Government Licence v 3.0
- The police, HMRC and other crime prevention and detection agencies
What will we use your personal information for?
We may process your personal information for a number of purposes. For each purpose, we will rely on one or more of the following legal bases:
- We need your personal information because it is necessary to enter into or perform a contract (e.g. the loan agreement)
- We have a legitimate interest to use your personal information (e.g. to keep a record of the decisions we make when different types of applications are made, keep business records, carry out strategic business analysis, review our business planning and develop and improve our products and services). When using your personal information in this way, we will always consider your rights and interests
- We have a legal or regulatory obligation to use your personal information (e.g. to meet record-keeping requirements of our regulators)
For special categories of information, we must have an additional legal basis for processing. We will rely on the following:
- You give us explicit consent to use this type of information.
- It is in the substantial public interest and it is necessary: to prevent and detect an unlawful act (e.g. fraud)
- To establish, exercise or defend legal claims (e.g. legal proceedings are being brought against us or we want to bring a legal claim ourselves)
The table below outlines the types of processing we will undertake and our legal basis for each type of processing.
Type of Processing | Basis for using personal information | Basis for special categories |
---|---|---|
To verify your identity, carry out fraud, credit and anti-money laundering checks | To enter into or perform a contract |
|
To set up your loan | To enter into or perform a contract | We will not process your special categories of information for this purpose |
To manage and service and answer queries about your loan | To enter into or perform a contract | You have given your explicit consent |
Using loan details to make decisions around new loan applications or extensions | To enter into or perform a contract | We will not process your special categories of information for this purpose |
Using loan data to validate the information you provided us when you took out your loan and to prevent and identify fraud on an ongoing basis |
|
We will not process your special categories of information for this purpose |
To prevent and investigate fraud on an ongoing basis | We have a legitimate interest (to prevent and detect fraud and other financial crime) |
|
To comply with our legal or regulatory obligations | We have a legal or regulatory obligation | To establish, exercise or defend legal rights |
To ensure that we consider any customers who may be in a vulnerable circumstance | We have a legitimate interest (to ensure a consistent service to all of our customers and that all customers are treated equally) | You have given your explicit consent |
To communicate with you and resolve any complaints that you might have |
|
|
To provide improved quality, training and security (e.g. through recorded or monitored phone calls to / from us, or customer satisfaction surveys | We have a legitimate interest (to develop and improve our products and services) | We will not process your special categories of information for this purpose |
For debt collection purposes | To enter into or perform a contract | We will not process your special categories of information for this purpose |
Managing our business operations (e.g. keeping accounting records, analysing financial results, meeting audit requirements, receiving professional advice, and holding our own insurance) | We have a legitimate interest (to carry out business operations and activities that are necessary for the everyday running of a business) | We will not process your special categories of information for this purpose |
For administration and business improvement purposes including trend analysis, actuarial work, pricing analysis, analysis of customer experience, planning service delivery, product development, risk assessment and costs and charges | We have a legitimate interest (to develop and improve our products and services) | We will not process your special categories of information for this purpose |
To send you marketing materials about our products and services (where we have your permission to do so) | We have a legitimate interest (to market our products) | We will not process your special categories of information for this purpose |
Whom will we share your personal information with?
On occasion, we will share personal information with the following third parties for the purposes laid out in the table above:
- The account holder
- Providers who may need your information in order to provide a service to you
- The price comparison site used (if any)
- Other entities within Hastings Group Holdings Limited
- Our financiers
- Third party suppliers we appoint to help us to carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, debt collection agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisors
- Credit reference agencies/debt collection agencies*
- Providers of demographic data
- Financial crime detection agencies and loans industry financial crime databases (such as for fraud prevention and checking against international sanctions)**
- Government agencies and bodies such as the, HMRC, Department for Work & Pensions, or professional regulators (e.g. the Financial Conduct Authority in the UK)
- The police and other crime prevention and detection agencies. We and fraud prevention agencies may enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime
- Selected third parties in connection with any sale, transfer or disposal of our business
* Information sourced from and shared with Credit Reference Agencies
We will perform initial “soft search” credit checks through one or more Credit Reference Agencies for initial enquiries to help establish suitability and Approval in Principle. Such checks will not affect your credit rating and not be visible to other lenders.
For cases where we are assessing a loan application that will be funded by us a full credit assessment will be made with one or more Credit Reference Agencies. In these cases, the following will apply:
- A customer's loan application may be registered on the customer's credit report under the name Hastings Direct. Should customers require more information on any Credit Reference Agency we work with they can visit the relevant CRA website. We may undertake a search with at least one of the aforementioned agencies when a customer applies for credit, thereby reviewing their credit record as well as anyone financially associated with the customer. The agency will keep a record of this search and may place a “footprint” on the customer's file, whether or not the application proceeds, which is visible to other lenders
- Once a customer takes up a loan product with us, we will report regularly to the CRAs on the customer's payment history. If a customer falls behind on payments and satisfactory proposals are not received within a month of a formal demand being issued, then a default notice may be recorded at the CRAs which may impact the customer's ability to obtain credit in the future
- Information we and other organisations provide to the CRAs may be used by us
and them to:
- help make decisions when checking applications, managing credit related accounts and facilities, recovering debt, checking on insurance claims, checking job applicants
- detect and prevent money laundering, crime and fraud
- verify identity
- trace customers' whereabouts
- undertake research, statistical analysis and system testing
More information about CRAs and how they use personal information is available at:
https://www.TransUnion.co.uk/crain
https://www.equifax.co.uk/crain
https://www.experian.co.uk/crain
** Information sourced from and shared with fraud prevention agencies
Before we provide services, goods or financing to customers, we undertake checks for the purposes of preventing fraud and money laundering, and to verify identity. These checks require us to process personal data about our customers.
The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details.
We and fraud prevention agencies may also enable law enforcement agencies to appropriately access and use your personal data to detect, investigate and prevent crime.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
Fraud prevention agencies can hold your personal data for different periods of time if you are considered to pose a fraud or money laundering risk.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.
Fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your data continues to be protected by ensuring appropriate safeguards are in place.
3.3. Use of our website.
What personal information will we collect and where will we collect it from?
We use various software including cookies and tags to improve your digital journey and to identify and prevent fraud. We collect and store information about how you access and use our website (including the website you visited before coming to our websites). We automatically receive the IP address of your computer, mobile device, or the proxy server you use to access the internet and this may include information to identify your browser or device to analyse web traffic.
Fraud prevention cookies collect information about certain features of your device, such as your IP address, device type, browser type, screen resolution and operating system. This is to prevent and detect devices associated with fraudulent or other malicious activity.
What will we use your personal information for?
We may process your personal information for a number of different purposes. We must have a legal basis for each purpose, and we will rely on the following basis:
- We have a legitimate interest to use your personal information such as maintaining our business records, monitoring usage of our website and marketing our services and improving our business model and services. When using your personal information in this way, we have considered your rights and ensured that our business need does not cause you harm
The table below outlines the types of processing we will undertake and our legal basis for each type of processing.
Type of Processing | Basis for using personal information | Basis for special categories |
---|---|---|
Communicating with you and responding to any enquiries you have | We have a legitimate interest (to respond to any enquiries) | We will not process your special categories of information for this purpose |
Monitoring usage of our websites | We have a legitimate interest (to assess usage of our website) | We will not process your special categories of information for this purpose |
To prevent and investigate fraud | We have a legitimate interest (to prevent and detect fraud and other financial crime) | We will not process your special categories of information for this purpose |
4. Our approach to sending your personal data abroad
Sometimes we'll transfer the personal information we collect about you to other countries.
When a transfer happens we'll take steps to make sure your personal information is protected. We'll do this using a number of different methods including:
- Only transferring data to countries that have been deemed by the UK as having adequate privacy legislation, so transferring data to them is considered equivalent to processing within the UK
- Establishing appropriate contracts. We'll use a set of contract wording known as the 'standard contractual clauses' which has been approved by the data protection authorities
- Where data protection allows under Article 49 (for example, where a transfer is necessary in an emergency)
5. Marketing
We take privacy very seriously and will only use your personal information for the purposes laid out in this Privacy Notice. When you have requested a quote or taken a loan from us we may contact you about similar products and services, unless you have opted out.
You may have also given your permission for us to contact you when you visited a price comparison site and obtained a loans quote. This would be because our product featured in the top few providers with the most competitive price and you wished for us to contact you.
You can change your marketing preferences at any time by contacting us using the details available on our website. Please be aware that we have a legitimate interest to be able to contact you with service communications which are for administrative or customer service purposes. This form of contact falls outside of your marketing preferences and must continue in order for us to be able to provide you with a loan effectively. This will never include marketing material and all information will be strictly related to your loan.
6. How long we keep your personal information for
We will keep your personal information for as long as reasonably necessary to fulfil the purposes set out in section 3 above and to comply with our legal and regulatory obligations. We have a detailed retention policy in place which governs how long we will hold different types of information for. The exact time period will depend on the purpose for which we collect that information.
7. Automated processing
If a human is involved in the decision at any point then it is not considered an automated decision. Where we have to make a decision about your loan and as part of the agreement decision process we may make decisions using automated processing. The process considers the information that you provide us as well as information from other sources to determine whether your application for a loan can be accepted and the rate of interest charged.
The automated decisions include:
- The application of the pricing and risk models using data we hold about you, to accept or decline your request for a loan and to calculate the rate of interest applied
- Assessing your ability to repay the loan balance and monthly instalments
As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the relevant fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.
8. Your rights
Under data protection law you have a number of rights in relation to the personal information that we hold about you. You can exercise these rights by contacting us. We will not usually charge you in relation to a request.
The right to access your personal information | You are entitled to a copy of the personal information we hold about you and certain details of how we use it. We will usually provide your personal information to you in writing unless you request otherwise. Where your request has been made electronically (e.g. by email), a copy of your personal information will be provided to you by electronic means where possible. |
The right to rectification | We take reasonable steps to ensure that the information we hold about you is accurate and where necessary up to date and complete. If you believe that there are any inaccuracies, discrepancies or gaps in the information we hold about you, you can contact us and ask us to update or amend it. |
The right to erasure | This is sometimes known as the 'right to be forgotten'. It entitles you, in certain circumstances, to request deletion of your personal information. For example, where we no longer need your personal information for the original purpose we collected it for or where you have exercised your right to withdrawn consent. Whilst we will assess every request, there are other factors that will need to be taken into consideration. For example we may be unable to erase your information as you have requested because we have a regulatory obligation to keep it. |
The right to restriction of processing | In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to use your personal information. |
The right to data portability | In certain circumstances, you can request that we transfer personal information that you have provided to us to a third party. |
The right to object to marketing | You have control over the extent to which we market to you and you have the right to request that we stop sending you marketing messages at any time. Please note that even if you exercise this right because you do not want to receive marketing messages, we may still send you service related communications where necessary. |
The right to object to processing | In addition to the right to object to marketing, in certain circumstances you will also have the right to object to us processing your personal information. This will be when we are relying on there being a legitimate interest to process your personal information. In some circumstances we will not be able to cease processing your information, but we will let you know if this is the case. |
The right to withdraw consent | Where we rely on your consent in order to process your personal information, you have the right to withdraw such consent to further use of your personal information. Please note that for some purposes, we need your consent in order to manage your loan. We will advise you of any issues this may cause at the point you seek to withdraw your consent. |
The right to lodge a complaint with the ICO | You have a right to complain to the Information Commissioner's Office if you believe that any use of your personal information by us is in breach of applicable data protection laws and / or regulations. More information can be found on the Information Commissioner's Office website: www.ico.org.uk. This will not affect any other legal rights or remedies that you have. |
There may be some circumstances where we cannot comply with your request such as where complying with it would mean that we couldn't comply with our own legal or regulatory requirements. In these instances we will let you know why we cannot comply with your request.
9. How we protect your information
The protection of your personal data is important to us. We take a number of technical and procedural measures to protect personal data. For example:
- Where we capture your personal information through our website, we will do this over a secure link using recognised industry standard technology (SSL) which encrypts data that is transmitted over the internet. Most browsers will indicate this by displaying a padlock symbol on the screen
- We prevent unauthorised electronic access to servers by use of suitable firewalls and network security measures. We use strong internal antivirus and malware monitoring tools and conduct regular vulnerability scans to protect our internal infrastructure and also to protect communications we may send you electronically. Our servers are located in secure datacentres that are operated to recognised industry standards. Only authorised people are allowed entry and this is only in certain situations
- We ensure that only authorised persons within our business have access to your data and conduct regular checks to validate that only the correct people have access. We promote responsible access to data and segregate who can see what data within the organisation
- Internally in our organisation, we have password policies in place which ensure passwords are strong and complex and are changed regularly
- We use secure email exchange where necessary for sensitive data and have monitoring on all email we send and receive
- We schedule periodic checks of all security measures to ensure they continue to be efficient and effective, taking into account technological developments
10. Contact us
You may contact our Data Protection Officer if you would like to exercise the rights set out above, or if you have any questions about how we collect, store or use your personal information.
Write to: 'The Data Protection Team' at Hastings Financial Services Limited, Conquest House, Collington Avenue, Bexhill-on-Sea TN39 3LW
or
Email: dataprotection@hastingsdirect.com
11. Updates to this Privacy Notice
We may need to make changes to this Privacy Notice periodically, for example, as the result of government regulation, new technologies, or other developments in data protection laws or privacy generally or where we identify new sources and uses of personal information (provided such use is compatible with the purposes for which the personal information was original collected). The Data Protection Officer will ensure that this document is updated regularly or as legislation requires.
Date of last update: 6th October, 2023