
Main Privacy Policy/Fair Processing Notice

1. Introduction

1.1.          This Fair Processing Notice (“Notice”) sets out the basis on which we will collect and process your personal data, and that of any third party whose personal data you supply to us, in the course of providing our services to you. It applies to the ultimate beneficial owners of our customers, Fleet Managers, and Nominated Drivers. By using our services, you acknowledge that you have carefully read, understood and accepted the terms set out in this notice. Further notices relating to our processing of your personal data may be provided to you at the point of collection, in the event that additional information is required or processing is undertaken for new purposes.

1.2.          This Notice is intended to explain our privacy practices and covers the following areas:

                2.       About us;

                3.       How we use your personal data:

                           4.       Customer owners

                           5.       Customer contacts

                           6.       Nominated drivers;

                7.       Who we may share your personal data with;

                8.       Processing of Special Categories of Personal Data and Criminal Conduct Data;

                9.       Export of personal data outside of the EEA;

                10.    How we may contact you;

                11.    Your rights;

                12.    Security and data storage;

                13.    Storage limitation;

                14.    Changes to this Notice; and

                15.    How to contact us.

2. About us

2.1.          ALD Automotive Limited t/a Lombard Vehicle Solutions (“ALD”, “we”, “us” or “our”) is a registered data controller. Details of our notification to the data protection regulator may be found in the Information Commissioner's Office Public Register of Data Controllers at www.ico.org.uk under registration number Z5755978. Our registered office address is Oakwood Drive, Emersons Green, Bristol BS16 7LB.

2.2.          This Notice only relates to processing undertaken by or on behalf of ALD. Whilst our websites may contain links to other third party websites, we do not accept any responsibility or liability for those third parties’ policies in relation to any personal data or their collection or processing of any personal data.

3. How we use your personal data

3.1.          The personal data that we collect and process will vary, depending on the relationship we have with you, as we only collect what we need to provide our services. We collect personal data relating to three groups of individuals:

  • Ultimate beneficial owners of our customers, as detailed at paragraph 4 of this Notice;
  • Customer personnel responsible for managing the customer relationship, as detailed at paragraph 5 of this Notice; and
  • Nominated drivers, as detailed at paragraph 6 of this Notice.

4. Customer owners

Personal data we may collect from you

4.1.      We collect the following personal data relating to the ultimate beneficial owners of each of our customers:

  • Name, Address and DOB.

Purposes for processing personal data

4.2.      We collect this data in order that we can undertake credit references and screening checks to ensure our customers’ creditworthiness and good standing, as set out below.

4.2.1.      Anti-sanctions or politically exposed persons searches

We conduct anti-sanctions and politically exposed persons searches against commercial and publicly available databases.

4.2.2.      Credit reference checks

When credit reference agencies receive a search from us they may:

  • (if you are a director of the Customer or act as guarantor) place a search “footprint” on your credit file whether or not this application proceeds. If the search was for a credit application the record of that search (but not the name of the organisation that carried it out) may be seen by other organisations when you apply for credit in the future; and
  • link together the records of you and anyone that you have advised is your financial associate including previous and subsequent names of parties to the account. Links between financial associates will remain on your and their files until such time as you or your spouse/partner, or other persons with whom you are linked financially, successfully files for a disassociation with the credit reference agencies.

The credit reference agency will also supply to us:

  • credit information such as previous applications and the conduct of the accounts in your name and of your associate(s);
  • public information such as county court judgments and bankruptcies;
  • electoral register information; and
  • fraud prevention information.

If you are a director of the Customer or act as guarantor, if you are provided with a finance facility and do not repay in full and on time, we may tell credit reference agencies who will record the outstanding debt. These records may be used and shared by us and them to:

  • consider applications for credit and credit related services or other facilities, for you and any associated person;
  • to check details of job applicants and employees; and
  • trace debtors, recover debts, prevent or detect money laundering and fraud and to manage your account(s).

4.2.3.              Fraud prevention checks

We may conduct fraud prevention checks against databases held by fraud prevention agencies. These records may be used and shared by us and them to:

  • help make decisions on motor, household, credit, life and other insurance proposals and insurance claims, for you and members of your household; and
  • to manage credit and credit related accounts or facilities.

4.3.      You have a legal right to obtain details of those credit reference and fraud prevention agencies from whom we obtain and to whom we pass information about you. You also have a right to further details explaining how the information held by fraud prevention agencies may be used. For further information about the use of your personal data by credit reference agencies, please see here: http://www.experian.co.uk/crain/index.html

Lawful bases (detailed at Appendix 1)

4.4.      We will rely on the following lawful bases in relation to this processing: Contract Performance, Legal Obligation, Legitimate Interests (establishing your credit worthiness and prevention of fraud) and, in limited instances, Legal Claims.

5. Customer contacts

Personal data we may collect from you

5.1.      We collect the following personal data relating to customer personnel responsible for managing the customer relationship with us:

  • Name; and
  • Work contact details.

Purposes for processing personal data

5.2.      We collect this information for the purposes of correspondence in relation to the provision of our services to you.

Lawful bases (detailed at Appendix 1)

5.3.      We will rely on the following lawful bases in relation to this processing: Contract Performance, Legitimate Interests (communicating with you in the course of providing our services) and, in limited instances, Legal Claims.

6.        Nominated drivers

Personal data we may collect from you

6.1.      We collect the following personal data relating to our customer’s nominated drivers (whether from the customer, the nominated drivers themselves or from any third party):

  • Name;
  • Address;
  • Date of birth;
  • Your driving licence details;
  • Criminal offences or convictions;
  • Information about accidents;
  • Your marketing preferences (as to whether you wish to receive communication about the opportunity to purchase the vehicle at the end of the lease);
  • Employee identification number;
  • Email address;

Additionally, where telematics services are used, we may also process:

  • GPS derived location data; and
  • Vehicle behavioural data, e.g. revving, idling, speeding

How and why we process your personal data

6.2.      A summary is set out below of the purposes of processing of your personal data, the third parties it may be shared with, and the lawful bases we may rely on in order to process it. More information about lawful bases can be found at Appendix 1:

6.2.1.      Correspondence relating to the Vehicle or use of the Vehicle

Lawful bases: Legitimate Interests (communicating with you in the course of providing our services) and, in limited instances, Legal Claims;

Personal data may be shared for this purpose with your employer (our customer), the Vehicle manufacturer and/or any relevant dealer.

6.2.2.      Managing Vehicle tax, registration and MOT

Lawful bases: Legal Obligation, Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and, in limited instances, Legal Claims;

Personal data may be shared for this purpose with your employer (our customer) and/or the DVLA.

6.2.3.      Handling traffic or parking infractions (e.g. fines)

Lawful bases: Legal Obligation, Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and Legal Claims;

Personal data may be shared for this purpose with relevant public or private bodies responsible for managing parking arrangements, your employer (our customer) to communicate to you, and/or fines management services, in the event that a fine has been levied.

6.2.4.      Reporting in the event of potential criminal activity

Lawful bases: In relation to any motoring offence that amounts, or may amount, to a criminal offence, we will rely on your explicit consent, as obtained by your employer. Otherwise, we will rely on Legal Obligation, Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and Legal Claims;

Personal data may be shared for this purpose with law enforcement agencies, your employer (our customer) to advise that a Vehicle leased to it may be involved, and the DVLA. This may include the processing of Criminal Conduct Data.

6.2.5.      Providing services in response to an accident or Vehicle damage/loss

Lawful bases: In relation to health information or information relating to any activity that amounts, or may amount, to a criminal offence, we will rely on your explicit consent, as obtained by your employer. Otherwise, we will rely on Legal Obligation, Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and Legal Claims;

Personal data may be shared for this purpose with law enforcement agencies, insurers or impacted parties, in the event of an accident or a potential claim. This may include the processing of special categories of personal data (health information), Criminal Conduct Data and/or information about any damage caused to the vehicle.

6.2.6.      Delivery and collection of Vehicles

Lawful bases: Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and, in limited instances, Legal Claims;

Personal data may be shared for this purpose with your employer (our customer), delivery and collection agents, dealers and replacement Vehicle providers.

6.2.7.      Recovery of the Vehicle in the event that the Vehicle is not returned when appropriate

Lawful bases: Legal Obligation, Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and Legal Claims;

Personal data may be shared for this purpose with recoveries agents, law enforcement agencies, legal advisors, your employer (our customer) and debt/tracing agencies.

6.2.8.      Driver sales communications

Lawful bases: your explicit consent, where you have chosen to provide it.

Nominated drivers who have provided explicit consent (via their employer) may be contacted once, at the end of the lease, to establish whether they would like to purchase the Vehicle. This information may be shared with your employer (our customer) or our disposal agent.

6.2.9.      (Where applicable) providing Vehicle maintenance, repairs or replacement

Lawful bases: Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and, in limited instances, Legal Claims.

In cases where your employer (our customer) has requested this optional service, we may share personal data for this purpose with repairs service providers, dealers, manufacturers, replacement Vehicle providers or your employer (our customer). This may include information about any damage caused to the vehicle.

6.2.10.   (Where applicable) In relation to connected Vehicle services

In the event that you ask us to activate any manufacturer provided connected vehicle service, your personal data may be shared with both us and the vehicle manufacturer. You remain responsible for the deletion of any personal data from any of the vehicle systems and for terminating your access to any manufacturer provided connected vehicle service prior to returning the vehicle to us. Please also note that we will not receive diagnostic information from such services in all cases, so it remains the Nominated Driver’s responsibility to tell us if there is anything wrong with one of our vehicles.

6.2.11.   (Where applicable) Facilitation of relevant training

Lawful bases: In relation to any motoring offence that amounts, or may amount, to a criminal offence, we will rely on your explicit consent, as obtained by your employer. Otherwise, we will rely on Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and, in limited instances, Legal Claims;

Personal data may be shared for this purpose with specialist training providers, law enforcement agencies (which may include data relating to criminal offences in the event of a potentially criminal traffic infraction) and the customer.

6.2.12.   (Where applicable) Delivering telematics services

Lawful bases: In relation to any motoring offence that amounts, or may amount, to a criminal offence, we will rely on your explicit consent, as obtained by your employer. Otherwise we will rely on Legitimate Interests (to enable us to perform our obligations as the registered keeper of the vehicle and in the course of providing our services) and, in limited instances, Legal Claims;

Personal data (incidental to telematics information) may be shared for this purpose with the customer, third party service providers for the purposes of arranging vehicle maintenance and servicing, third party telematics providers and their appointed sub-contractors, law enforcement agencies (which may include data relating to criminal offences in the event of a potentially criminal traffic infraction).

Processing of Special Categories of Personal Data and Criminal Conduct Data

6.3.      Some types of personal data are considered to be sensitive and are accorded greater protection under data protection legislation. These include:

6.3.1.      “Special Categories of Personal Data” which include personal data that reveals racial or ethnic origin, political opinion, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data in order to uniquely identify a person or data concerning health, sex life and sexual orientation. Data concerning health covers Personal Data relating to the physical or mental health of an individual which reveals information about the individual's health status; and

6.3.2.      “Criminal Conduct Data” which is Personal Data relating to criminal convictions or offences or related security measures.

6.4.      As a general rule, we do not process Special Categories of Personal Data or Criminal Conduct Data. However, in order to perform our obligations as the registered keeper of the vehicle and provide our services effectively, we are required to process sensitive information about nominated drivers in the following limited circumstances:

6.4.1.      Health/medical information: As detailed at paragraph 6.2.5 above, we may process health information in the course of providing services in response to an accident or Vehicle damage/loss. This is due to the fact that we may receive accident reports in our capacity as the registered keeper of the vehicle and these sometimes contain a small amount of health/medical information. We do not collect this information by any other means or for any other purpose.

6.4.2.      This health information may be shared with law enforcement agencies, insurers or impacted parties, in the event of an accident or a potential legal claim.

6.4.3.      Criminal Conduct Data: As detailed at paragraphs 6.2.4, 6.2.5, 6.2.10 and, where applicable, 6.2.12 above, we may process information relating to criminal offences or potential criminal offences. We may also receive information relating to criminal convictions from law enforcement agencies or the DVLA, which may arise in correspondence that is incidental to our role as the registered keeper of the vehicle.

6.4.4.      Personal data may be shared for this purpose with law enforcement agencies, your employer (our customer) to advise that a Vehicle leased to it may be involved, and the DVLA.

6.5.      In addition to the usual appropriate technical and organisational measures we implement to ensure the security and integrity of the personal data processed by us, we may implement additional measures in relation to Special Categories of personal data and Criminal Conduct Data, as appropriate. These may include segregation, pseudonymisation or restriction of access to the data.

6.6.      We rely on your explicit consent as the lawful basis for processing the personal data outlined at paragraph 8.2 above. This consent will have been obtained from you by your employer prior to commencement of the vehicle lease. You are free to withdraw your consent at any time, by contacting us using the details provided at paragraph 15. However, in the event that you withdraw your consent, you will not be able to continue driving our Vehicle, for the following reasons:

6.6.1.      In our capacity as the registered keeper of the vehicle, we need to be able to receive reports relating to any accident or damage caused to the vehicle. We are not in control of the content of these reports, which will in some cases also be used for insurance purposes. Given the relevance of health information to establishing and quantifying insurance claims, it is highly likely that these reports will contain health information. We would require your consent to process this information. In the event that you withdrew such consent, we would suffer the disproportionate impact of not being able to process accident reports relating to our own vehicle.

6.6.2.      There is a presumption of liability on the part of the registered keeper of a vehicle in relation to most motoring offences. Where such offences amount to a criminal offence, we would require your consent to process your personal data in relation to the offence to transfer liability accordingly. In the event that you withdrew such consent, we would suffer the disproportionate impact of being held liable for any motoring offences committed by you in the course of the vehicle lease.

6.7.          Please note that in any instance where you withdraw your consent we reserve our right to rely on alternative lawful bases (Legal Claims or Substantial Public Interest) to undertake minimal processing, where such bases are available and it is absolutely necessary and proportionate for us to do so.

7. Who we may share your personal data with

7.1.          Personal data of customer owners may be shared with credit referencing agencies and anti-sanctions service providers, and in the event of a default, debt collection/tracing companies.

7.2.          Personal data of Customers and Nominated Drivers may be shared with the following third parties where necessary to achieve the purposes identified at 5.2 (in relation to customers) and 6.2 (in relation to Nominated Drivers):

7.2.1.             Our Group companies, which includes our subsidiaries, our ultimate holding company and its subsidiaries (as defined in section 1159 of the UK Companies Act 2006), in order to refine, perform and audit the services and as part of our general data stability analysis;

7.2.2.             Our Service providers who process and store personal data on our behalf:

7.2.3.             Maintenance and breakdown service providers

7.2.4.             Insurance companies

7.2.5.             Telematics providers

7.2.6.             Telematics installation and management companies

7.2.7.             Vehicle recovery tracing agents;

7.2.8.             Delivery and collection agents

7.2.9.             Investigators and

7.2.10.          Mailing agencies;

7.2.11.          Our third party partners who process and store data on our behalf, where our agreement with you was completed through a dealer, broker or a banking channel;

7.2.12.          Third parties who provide maintenance and servicing of any vehicles you hire as part of the service;

7.2.13.          Our professional advisers;

7.2.14.          Our insurers;

7.2.15.          Individuals who you nominate as referees to verify certain information;

7.2.16.          Police and law enforcement agencies;

Other third parties:

7.2.17.          in the event that our business, either whole or in part, is acquired by a third party (in which case personal data about customers will be one of the transferred assets);

7.2.18.          we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce any contract with you; and

7.2.19.          in order to protect our rights, property, or the safety of our employees, customers or others. This includes exchanging information with other companies and organisations for the purpose of fraud prevention and credit risk reduction. We may search records which may be linked to your spouse/partner, or other persons with whom you are financially linked, such as a fellow director if you are a company, a member of a partnership, or director of a company.

8. Export of personal data outside of the EEA

8.1.          We may transfer your personal data from the UK to countries within or outside the European Economic Area ("EEA"). The countries outside of the EEA may not provide the same level of protection as is available in the EEA. If we transfer your personal data outside the EEA, we will ensure that adequate levels of protection are in place in relation to the processing of your personal data.

8.2.          Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal data to these jurisdictions. These countries are listed online at:

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

8.3.          Before transferring personal data to any non-EEA jurisdiction that is not subject to an adequacy decision, we will transfer it subject to European Commission approved contractual terms that impose equivalent data protection obligations directly on the recipient, unless we are permitted under applicable data protection law to make such transfers without such formalities.

8.4.          Please contact us using the details shown at paragraph 15 below if you would like to know whether any export of your personal data has been made or to see a copy of the specific safeguards applied to any export of your personal data.

9. How we may contact you

9.1.          If you are a fleet contact or nominated driver, we may send you alerts, important messages and other communications about our services by email, SMS or post.

9.2.          We may offer you web based live chat services so that you can communicate with us about the products and services we provide. Please note that we will record and store the information and content from these communications, for the purposes as set out in this Notice.

10. Your rights

10.1.       Data Subjects have a number of rights relating to how their personal data is used. Please be aware that certain exceptions apply to the exercise of these rights and so you will not be able to exercise them in all situations. If you wish to exercise any of these rights we will check your entitlement and respond within a reasonable timescale. Where applicable, you will have the following rights relating to your personal data:

10.1.1.   Access to your personal data: you may request access to a copy of your personal data. This information will generally be provided within one month of us confirming your identity and understanding the scope of your request.

10.1.2.   Right to withdraw: where we rely on your explicit consent for processing, you may withdraw your consent at any time. This is detailed at paragraph 8 above, in relation to Special Categories of personal data and Criminal Conduct Data. You may also withdraw any consent provided in relation to driver sales communications, as detailed at paragraph 6.2.8 above.

10.1.3.   Rectification: you may ask us to rectify inaccurate or out of date information held about you.

10.1.4.   Erasure: you may ask us to delete your personal data and we will do so, subject to our legal and regulatory obligations to retain information. If the personal data has been made public, reasonable steps will be taken to inform other controllers that are processing the data that you have requested the erasure of any links to, copies or replication of it.

10.1.5.   Portability: you may ask us to provide you with the personal data that we hold about you in a structured, commonly used, machine readable form, or ask for us to send such personal data to another data controller.

10.1.6.   Restriction: you may require certain personal data to be marked as restricted in some circumstances, for example, whilst we resolve any complaint we may have received. Restriction means that whilst we still store the data, we will not process it until such time as the restriction may be lifted.

10.1.7.   Right to object: you may ask us to stop any processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights.

10.1.8.   Right to object to direct marketing: you may ask us to stop any processing for the purposes of direct marketing (however, we will only ever do this for the purposes identified at 6.2.8 and on the basis of your explicit consent, in any event).

10.1.9.   Make a complaint: you may make a complaint about our data processing to us directly, by contacting us using the details supplied at paragraph 15 below. You are also entitled to make a complaint to a supervisory authority. In the UK this is the Information Commissioner's Office, at https://ico.org.uk/.

10.2.       In the event that you would like to exercise your rights, ask us a question about our processing of your personal data or make a complaint, please contact us using the details supplied at paragraph 15 below.

11. Security and data storage

11.1.       No data transmission over the Internet or through a website can be guaranteed to be secure from intrusion. However, in order to ensure fair and transparent processing, we will, taking into account our processing activities, adopt appropriate procedures for the processing of personal data, which shall include implementing technical and organisational measures which take into account the harm that may be suffered, and correct inaccuracies identified in personal data processed, so that the risk of errors is minimised and your personal data is processed in a fair and secure manner.

11.2.       All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

11.3.       We will treat all of your information in strict confidence and will endeavour to take all reasonable steps to keep your personal data secure once it has been transferred to our systems. We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal data, and data stored on our website and associated databases.

11.4.       All information you provide to us is stored on our, or our suppliers’, secure servers and accessed and used subject to our security policies and standards. We ask that you:

11.4.1.   Refrain from sharing any password providing access to any part of our website with any other person; and

11.4.2.   Comply with any other security procedures that we may notify you of from time to time.

12. Cookies policy

12.1.       Our Cookies Policies are unique to each of our websites and can be found by following the relevant link on each site.

13. Links to Other Websites

13.1.       Our site may, from time to time, contain links to and from the websites of our partner networks and affiliates.  If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.  Please check these policies before you submit any personal data to these websites.

14. Storage limitation

14.1.       We will retain personal data for as long as is necessary for the processing purpose(s) for which it was collected and any other permitted linked purpose (for example, certain transaction details and correspondence may be retained until the time limit for legal claims in respect of the transaction has expired, or in order to comply with regulatory requirements regarding the retention of such data). So if personal data is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires. We restrict access to personal data to those persons who need to use it for the relevant purpose(s).

14.2.       Our retention periods are based on business needs and relevant laws. Records that are no longer needed are either destroyed or irreversibly anonymised (and the anonymised information may be retained).

15. Changes to this Notice

15.1.       We may modify this Notice from time to time, so please review it regularly. If we change this Notice, we shall notify you by means of providing a notice on our website homepage. This Notice was last amended on 26 April 2018.

16. How to contact us

If you have any queries relating to this Notice or use of your personal data, please contact our Data Protection Officer at dpo@aldautomotive.com

APPENDIX 1: LAWFUL BASES FOR PROCESSING

Use of personal data under EU data protection laws must be justified under one of a number of lawful bases. We have explained which lawful bases we rely upon at paragraphs 4-6 above, as applicable. A further description of those lawful bases is set out below.

Lawful bases relied upon for the processing of personal data generally:

Consent: You have given your consent to the processing of those personal data for one or more specified purposes. You are free to withdraw your consent by contacting us using the details provided at paragraph 15. Where you do so, we may be unable to provide a service that requires the use of such data.

Contract performance: where your information is necessary to enter into or perform our contract with you.

Legal obligation: where we need to use your information to comply with our legal obligations.

Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.

Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.


Lawful bases relied upon for the processing of Special Categories of your personal data or Criminal Conduct Data, in the limited circumstances where it is necessary to do so (see paragraph 8 for more information):

Explicit consent: You have given your explicit consent to the processing of those personal data for one or more specified purposes. You are free to withdraw your consent at any time by contacting us using the details provided at paragraph 15. Where you do so, we may be unable to provide a service that requires the use of such data.

For legal claims: Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

In the substantial public interest: Processing is necessary for reasons of substantial public interest, on the basis of EU or local law.
