Purpose
This Privacy and Data Protection Policy sets out how AFL (Fleet Management) Ltd (“the Company”) collects, uses, stores and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The purpose of this policy is to ensure that personal data is processed lawfully, fairly and transparently and that appropriate safeguards are in place to protect the rights of individuals.
Scope
This policy applies to all employees, contractors, temporary staff and agents of the Company and covers all personal data processed during business activities. It applies to personal data relating to customers, prospective customers, suppliers, business partners and any other individuals whose data the Company processes.
Organisation Details
AFL (Fleet Management) Ltd trades as Car Leasing Made Simple™ and is registered with the Information Commissioner’s Office (ICO) under registration number Z2906741. The Company’s registered address is 4th Floor, The Porter Building, Slough, SL1 1FQ. Responsibility for data protection matters sits with the Complaints Officer, Victoria Linnett, who may be contacted on 01753 878 437 or by email at complaints@afl.co.uk.
Personal Data Processed
The Company processes personal data necessary to deliver vehicle leasing and related services. This includes identity and contact information, employment and income details required for credit assessment, financial information where payments are involved, vehicle and contract information, records of communications including email correspondence and call recordings, and technical data collected through the Company’s website such as IP addresses and cookie data. The Company does not intentionally collect special category personal data.
Lawful Basis for Processing
All personal data processed by the Company is processed under at least one lawful basis as defined by UK GDPR. In most cases, processing is necessary for the performance of a contract with the individual or to take steps at the individual’s request prior to entering into a contract. Processing may also be required to comply with legal and regulatory obligations, including those imposed by finance providers, regulators and fraud prevention bodies. Where appropriate, the Company relies on its legitimate interests to operate and improve its business, provided those interests do not override the rights of individuals. Consent is relied upon where required, particularly in relation to marketing communications, and individuals have the right to withdraw consent at any time.
Use of Personal Data
Personal data is used to manage enquiries, quotations and lease agreements, administer customer accounts, carry out credit, identity and fraud checks, communicate with customers throughout the lifecycle of a lease, and provide customer support. Data is also used to improve services, maintain business records, meet regulatory requirements and, where permitted, to send marketing communications relating to products and services offered by the Company.
Data Sharing and Third Parties
The Company does not sell personal data. Personal data is shared only where necessary and proportionate to do so, including with vehicle funders and finance providers, credit reference agencies, fraud prevention bodies, vehicle suppliers and delivery partners, IT and CRM providers, marketing service providers, debt collection agencies where required, professional advisers and regulators. As part of industry governance, BVRLA auditors may view personal data on a read-only basis when carrying out compliance audits. All third parties are required to process personal data securely and in accordance with contractual obligations.
International Data Transfers
In certain circumstances, personal data may be processed outside the United Kingdom by third-party service providers. Where this occurs, the Company ensures that appropriate safeguards are in place, including UK adequacy regulations or approved contractual protections such as Standard Contractual Clauses.
Data Security
The Company takes the security of personal data seriously and implements appropriate technical and organisational measures to protect it against unauthorised access, loss or misuse. These measures include secure IT systems, restricted access controls, SSL encryption for sensitive data, staff confidentiality obligations and procedures for verifying identity before disclosing personal information.
Data Retention
Personal data is retained only for as long as necessary for the purposes for which it was collected. In most cases, customer data is retained for the duration of the contractual relationship and for up to seven years thereafter to meet legal, regulatory and accounting requirements. Data may be retained for longer where required for fraud prevention or legal claims. At the end of the retention period, data is securely deleted or anonymised.
Individual Rights
Individuals have rights under UK GDPR in relation to their personal data, including the right to access, rectify or erase personal data, to restrict or object to processing, to request data portability, and to withdraw consent where processing is based on consent. Individuals also have the right to lodge a complaint with the Information Commissioner’s Office. The Company has procedures in place to respond to rights requests within the statutory timeframes. For further guidance, see “Data protection: rights for data subjects”.
Data Breach Management
Any actual or suspected personal data breach must be reported internally without delay. The Company maintains a data breach log and will assess whether the breach must be reported to the ICO within 72 hours. Where required, affected individuals will be informed without undue delay.
Staff Responsibilities
All staff are responsible for handling personal data in accordance with this policy and for maintaining the confidentiality and security of the data they access. Staff must complete any required data protection training and report data protection concerns immediately.