Data Protection

Introduction

The General Data Protection Regulation (GDPR) is European legislation effective from 25 May 2018. In accordance with the requirements outlined in the GDPR, Capital Resolve Ltd will ensure that personal data is processed lawfully, fairly and in a transparent manner. The GDPR allows individuals a range of specific data subject rights that they can exercise under certain conditions.

Consent from a customer to process their personal data will fall under two categories:

1. The processing of personal data is necessary for us to fulfil our obligations under our contract with our client who has passed customer data to us for the purposes of pursuing their legitimate interests.
   
   Under these circumstances, if a data subject raises a query in respect of their consent being given, they should be directed towards our client.
2. For certain types of data that a data subject provides us, we will need to obtain specific consent to record such data directly at the time it is provided. This type of data is known as Special Categories of Personal Data.
   
   Under these circumstances a data subject can withdraw their consent for the company to hold this type of data at any time.

Subject Access Requests

Subject Access Requests (SARs) are requests from an individual or their representative for access to the personal information that a company holds about them. We can accept SARs in writing, either by post or email, to: dpo@capitalresolve.com, or verbally over the telephone.

Requests can be made on behalf of others with consent, power of attorney or where the data subject is a minor and the requester has parental responsibility. If a legal representative makes a request we will require a letter of authority and we will still need to confirm their identity.

We can refuse to comply with a request if we have previously complied with an 'identical or similar request' and, in certain circumstances, we may be able to impose a reasonable fee or refuse to act upon the request if we are able to demonstrate that the request warrants such a response.

To help establish the identity of the data subject we require a copy of one document from each of the following categories with a SAR application:

1. Confirmation of name:
   Full driving licence*, passport, birth certificate.
2. Confirmation of name and address:
   Full driving licence*, utility bill, bank or credit card statement, child benefit book, pension book (or other equivalent/similar official document – but it MUST show the data subjects name and address).
   
   *A completed copy of both parts of a full (not provisional) driving license will be sufficient for both categories.

Once we have received a request and validated it, we have 30 days to respond.

The Right to Rectification (Correction)

Under Article 16 of the GDPR individuals have the right to have inaccurate personal data rectified.

If we are holding incorrect personal data regarding a data subject we will correct these upon verbal or written notification. In most circumstances it may be appropriate for a data subject to make a rectification request directly to our client.

The Right to Erasure (Right to be Forgotten)

Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten'. The right is not absolute and only applies in certain circumstances. In most circumstances it may be appropriate for a data subject to make an erasure request directly to our client.

The Right to Restrict Processing

Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data. In most circumstances it may be appropriate for a data subject to make a restrict processing request directly to our client.

The Right to Object

The legislation gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have the right to object to the following: 1) Processing based on legitimate interests or the performance of a task in the public interest, 2) Direct marketing, 3) Processing for purposes of scientific or historical research and statistics.

In most circumstances it may be appropriate for a data subject to make an objection request directly to our client.

Special Categories of Personal Data

Under the General Data Protection Regulation (GDPR), sensitive data is referred to as being special category data. This is defined in Article 9 of the regulation.

From time to time we may need to process information about the mental or physical health of a customers, this is to ensure we meet our obligations in respect of the sensitive treatment of potentially vulnerable consumers. Data subjects have no statutory or contractual obligation to provide us with any special categories of personal data, such as details of bad health. But, refusing to do so could mean that we would not be able to manage their account according to their needs.

If we are holding any special categories of personal data on a data subject this can be removed at any time on request.

Data Retention

We will:

• Retain electronic customer data for a period of 6 years after an account has closed.
• Scan paper data and immediately place it in data destruction bins for shredding.
• Delete call recording after 6 months from the date of the recording.
• Delete building entrance CCTV recordings after 30 days and server room recordings after 90 days.

The right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with our supervisory body. If you wish to do so, please contact the Information Commissioner's Office (ICO), Tel: 0303 123 1113, website: https://ico.org.uk/