PRIVACY STATEMENT

Effective from 25 May 2018

  1. INTRODUCTION

We at Capitalflow Group DAC respect your right to privacy and comply with our obligations under the General Data Protection Regulation EU 2016/679 (“GDRP”). The purpose of this Privacy Statement is to outline what personal data we process, how and why we process the data and what your rights are in respect of your personal data.

  1. WHO WE ARE

When we refer to “Capitalflow”, “we” or “us” in this document, it means:

  • Capitalflow Group DAC which is incorporated in Ireland with limited liability having its registered office at Second Floor, Block A, The Crescent Building,
    Northwood Business Park, Santry, Dublin 9, D09 X8w3, with registered company number 574943;

And

  • The subsidiaries of Capitalflow Group DAC.

Capitalflow is a group of financial services companies which provides invoice discounting, asset finance and commercial real estate finance to local businesses.

  1. DATA PROTECTION OFFICER

If you have any questions or queries about how Capitalflow gathers, stores, shares or uses your personal data or if you wish to exercise any of your personal data rights, please contact Capitalflow’s Data Protection Officer:

Email:                         dataprotection@capitalflow.ie

Telephone:               +353 (0)1 5632401

Postal Address:        Data Protection Officer, Second Floor, Block A, The Crescent Building, Northwood Business Park, Santry, Dublin 9, D09 X8w3

  1. THE PERSONAL DATA WE PROCESS

In conducting our business, we process information relating to you and information from which you can be identified, including:

  1. basic personal and identification information, including name, address, date of birth, contact details;
  2. your Tax Reference Number (TRN);
  3. financial information, including bank account details, products provided, transactional information and history, assets and liabilities, personal wealth, income and expenditure, credit and borrowing history;
  4. information about your family (such as dependents, marital status, next of kin and contact details) and business associates;
  5. education and employment information; and
  6. visual images and personal appearance (such as copies of passports).

SPECIAL CATEGORIES OF DATA

We occasionally process information regarding medical or health conditions but only in circumstances where such information is voluntarily provided to us along with your explicit consent to process the information, for example, as part of forbearance discussions.

CRIMINAL CONVICTION DATA

If you have criminal convictions, we may process this information in the context of compliance with our anti-money laundering obligations.

  1. HOW WE COLLECT YOUR PERSONAL DATA

Information about you, including your personal data, is gathered both directly and indirectly from third parties as you apply for our products, use our products and services and engage with us.

We collect your personal data:

  • Directly from you. Examples include when:
    1. You submit inquiries and information via our website;
    2. You provide information as part of an application for a product;
    3. You use our products and conduct transactions;
    4. You access our website and we use technology to help us make the site work. See our Cookie Policy for more details.
  • From third parties. Examples include from:
    1. Publicly available information. For example, from company registers (including the Companies Registration Office), press publications, trade directories and online search engines and related results.
    2. Capitalflow group companies;
    3. Third parties who provide services to you. For example, from your legal advisors and authorised representatives.
    4. Third parties who provide services to us. For example, asset valuation advisors.
    5. Brokers or intermediaries;
    6. Credit reference agencies (including the Irish Credit Bureau), credit registers (including the Central Credit Register) and fraud prevention agencies; and
    7. Vision-Net.ie, which provides credit information on businesses and individuals, including information on directors, shareholdings, judgments, bankruptcies and more.
  1. PURPOSES AND LEGAL BASIS FOR PROCESSING

We use your personal information:

  • To enter into and for the performance of a contract with you in relation to the provision of a product or service, for example:
  1. Establishing your eligibility;
  2. Processing application forms;
  3. Conducting financial, security and credit due diligence and reviews;
  4. Management and administration of the product account and contract, including the processing of payments;
  5. Contacting you on matters relating to the contract or product;
  6. Recover debts you may owe us.
  •  To comply with our legal, statutory and regulatory obligations, for example:
  1. Establishing your identity in order to comply with legislation regarding the prevention of money laundering, fraud and terrorist financing;
  2. Submitting returns to the Revenue Commissioners in order to comply with taxation legislation;
  3. Audits of our financial statements and reporting to the Companies Registration Office in compliance with company law;
  4. Reporting to the Central Credit Register in compliance with our obligations under the Credit Reporting Act 2013; and
  5. Complying with legally binding requests or orders from regulatory bodies, law enforcement agencies, the courts or otherwise.

 

  •  To enable us to manage our business in line with our legitimate interests.

In the day-to-day running of our business, we may process your personal data to:

  1. Providing servicing information to you relevant to the products and services we provide to you and to your relationship with us;
  2. Conducting marketing activities, including direct marketing (unless you have objected to us using your personal data for this reason);
  3. Monitor, maintain and continuously improve our business processes, technology, communications, customer service, information and data management;
  4. Keep our networks and information secure;
  5. Manage, monitor and protect our physical properties and assets;
  6. Protect our business, reputation and resources;
  7. Protect of our legal rights and interests;
  8. Establish, exercise or defend legal claims;
  9. Pursue our corporate and social responsibilities;
  10. Facilitate a sale or purchase of our business or assets (including any loan or product provided to you) or any merger with any other business or any secured funding, securitisation or other funding arrangement;
  11. To carry out financial analysis, accounting and reporting;
  12. Facilitate our business continuity and disaster recovery plans and procedures;
  13. Allow us to conduct work on our strategy and planning;

In order to continuously develop and improve our business, our products and services, our reputation and our internal processes, we may use your personal data to:

  1. Identify new business opportunities, develop enquiries, generate new business leads and develop a business relationship with you;
  2. Send you relevant marketing material, including by way of direct marketing unless you have objected to your personal data being used by us in this manner;
  3. Understand and analyse our customers’ and potential customers’ preferences, expectations, feedback and financial circumstances in order to develop and offer more relevant and suitable products and services;
  4. Monitor our customer service processes so we can improve, including the use in staff training;
  5. Perform statistical analysis and market research;
  6. Perform analysis of complaints in order to mitigate risk or reoccurrence and to identify and implement prevention solutions;

 We have a legitimate interest to manage our business risk and in doing so, it enables us to design suitable products and services for our customers as well as protecting our business interests. We may use your personal data in this regard to:

  1. Conduct checks on customers, potential customers and related associates against publicly available company registers (including the Companies Registration Office), press publications, trade directories, Vision-Net.ie and online search engines and related results;
  2. Conduct checks on customers or potential customers against credit reference agencies (including the Irish Credit Bureau), credit registers (including the Central Credit Register) and fraud prevention agencies;
  3. Share information with credit reference agencies, credit registers (beyond what we are legally obliged to provide) and fraud prevention agencies;
  4. Conduct checks on customers or potential customers against external databases, sanctions lists and politically exposed persons lists;
  5. Conduct financial and credit risk assessments;
  6. Make decisions about customer accounts;
  7. Recover outstanding debts; and
  8. Report on risks.

  

  • Where you have provided us with consent (which you may withdraw at any time)
  • Where you have provided us with consent, we may process your personal data to:
  1. Directly market to you about offers from the group and/or selected partners;
  2. Share your personal data with third parties so that they may conduct direct marketing to you about their products, services and offers;
  3. Use cookies in accordance with our Cookie Policy;
  4. Use special categories of data – see Section 4 above.

 Any requests for your consent will include more information on how we will use your data specific to that consent.

  1. HOW LONG WE KEEP YOUR PERSONAL DATA FOR

As a principle, we do not hold your personal data for longer than is necessary. The length of time we hold the data depends on the type of data and also on a number of other factors, including to meet our legal, regulatory and statutory obligations. In most cases, we retain customer data for 7 years after the date upon which a transaction completed or when the customer relationship ceased.

  1. HOW WE KEEP YOUR PERSONAL DATA SAFE

Capitalflow has a range of technical and organisational measures in place to protect information and keep your personal data secure across our IT systems and networks and physical storage locations.

In the event of certain types of personal data breaches, we are legally obliged to notify the Data Protection Commission and affected individuals to whom the personal data belong. We have implemented internal procedures to manage personal data security breaches in accordance with our legal obligations.

  1. SHARING YOUR PERSONAL DATA WITH THIRD PARTIES

We do not share your personal data with third parties unless it is necessary. Sharing occurs with a limited set of individuals and organisations and in limited circumstances. Examples of when sharing may occur and the third parties to whom we share your personal data are as follows:

 

  • To Capitalflow group companies to enable us to provide products and services to you;

 

  • To your authorised representative, your broker or intermediary, to a third party who is providing services with you and any other third party you have provided us with authorisation to share with;
  • To an individual or entity who guarantees or indemnifies your obligations;

 

  • To third parties who are providing services to us in relation to the provision of a product or service to you (for example, our appointed legal advisors and valuers), to assist with our own compliance with legal obligations (for example, our financial statement auditor) and/or for our own legitimate business interests (for example, IT security, business continuity and data processing service providers). Where we enter into agreements with third parties to process your personal data on our behalf, we will ensure that appropriate contractual protections are in place to protect the security of the data.

 

  • Credit reference and rating agencies and registers, whose services we rely upon to protect our interests. For example, we share personal data with the Irish Credit Bureau who use it for their legitimate interests as detailed in their Fair Processing Notice at http://www.icb.ie/pdf/Fair Processing Notice.pdf.

 

  • To statutory, regulatory, government or law enforcement bodies as required by law. For example, we transmit personal data to the Central Credit Register to comply with our legal obligations under the Credit Reporting Act 2013;

 

  • insurance providers, including insurance underwriters, coverholders, brokers, introducers, claims handlers and other such associated third parties;

 

  • To third parties in connection with a sale or purchase of assets by us;

 

  • To anyone to whom we transfer or may transfer our rights and duties in respect of loans, products or services provided by us; and
  • To anyone to whom we may potentially or actually transfer any loan, product or service provided by us or to anyone in connection with a potential or actual secured financing, securitisation or other funding arrangement
  • To other banks and third parties where there is suspicion of financial crime or where required by law to resolve misdirected third party payments;

 

  1. TRANSFERS OUTSIDE OF THE EEA

In connection with the above purposes we occasionally transfer your personal data outside the European Economic Area, including to a jurisdiction which is not recognised by the European Commission as providing for an equivalent level of protection for personal data as is provided for in the European Union.  If and to the extent that we do so, we will ensure that appropriate measures are in place to comply with our obligations under applicable law governing such transfers, which may include: (a) entering into a contract governing the transfer which contains the “standard contractual clauses” approved for this purpose by the European Commission; (b) in respect of transfers to the United States of America, ensuring that the transfer is covered by the EU-US Privacy Shield framework; or (c) transferring your personal data pursuant to binding corporate rules.

Further details of the measures that we have taken in this regard and the territories to which your personal data may be transferred are available by contacting us at our address set out at the beginning of this Data Privacy Statement.

 

  1. YOUR RIGHTS

You have a number of rights in respect to the personal data we process about you. These are:

  • The right to access your personal data, which includes receiving confirmation on whether the personal data are being processed and if so, receiving the personal data and related information about why they are being processed, the categories of personal data involved, to whom the personal data have been or will be shared and how long the data will be kept for.

 

  • The right to request that we rectify inaccurate data or update incomplete data. You may also request that we restrict the processing of the personal data until the rectification or updating has been completed, although please be aware that we may have to suspend the operation of your account or the products or services that we provide.

 

  • The right to request that we erase your data under certain circumstances, including where you want to withdraw the consent you previously gave to us, where you object to Capitalflow processing the data for its own legitimate interests (e.g. direct marketing) or where Capitalflow’s processing of the data is unlawful. In the case of unlawful processing, you can also request that this processing is restricted rather than the personal data being erased. Please be aware that we may have to suspend the operation of your account or the products or services that we provide where data processing is restricted.

 

  • The right to object to the processing of your personal data, where such processing is being conducted for the purpose of:
    1. Direct marketing;
    2. Establishing, exercising or defending ourselves or others from legal claims; or
    3. Our legitimate interests, unless we can demonstrate that our interests override your interests and rights. You may request that we restrict the processing of the personal data until this analysis of legitimate interests has been concluded, although please be aware that we may have to suspend the operation of your account or the products or services that we provide where data processing is restricted.

 

  • The right to receive your data in a portable format or, subject to it being technically feasible, have us transfer it directly to a third party. This applies where you have provided us with consent for the processing or where the processing is necessary for entering a contract with us.

 

  • The right, at any time, to withdraw consent you have provided to us to process your personal data.

 

  • The right to lodge a complaint to the Data Protection Commission or another supervisory authority.

 

If you wish to raise a complaint in relation to how we processed your personal data, please contact our Data Protection Officer. We take your privacy and data protection very seriously in Capitalflow and we endeavour to address your complaint as expediently and as thoroughly as we can in order to find a satisfactory resolution for you.

 

You also have the right to escalate the matter to the Data Protection Commission or other supervisory authority.

 

The Office of the Data Protection Commission can be contacted at:

 

Email:                   info@dataprotection.ie

Telephone:          +353 (0)761 104 800 or Lo Call Number

1890 252 231

Fax:                       +353 57 868 4757

Postal Address: Data Protection Commission, Canal House, Station Road,  Portarlington, R32 AP23, Co. Laois

 

  1. CHANGES TO THIS PRIVACY STATEMENT

We will update this Privacy Statement from time to time. Any changes will be made available on https://www.capitalflow.ie/privacy-policy/ and, where appropriate, notified to you by written notice or e-mail.