1. Policy Statement
This Privacy and Data Protection Policy sets out how AFL (Fleet Management) Ltd (“the Company”) collects, uses, stores and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable regulatory obligations.
The purpose of this Policy is to ensure that:
- Personal data is processed lawfully, fairly and transparently;
- Appropriate safeguards are in place to protect individuals’ rights and freedoms;
- The Company can demonstrate compliance with the accountability principle under UK GDPR; and
- Data protection risks are effectively identified, managed and mitigated.
The Company recognises that failure to comply with data protection legislation may result in regulatory enforcement action, financial penalties, reputational damage and operational risk.
2. Scope
This Policy applies to:
- All employees
- Directors and officers
- Contractors and temporary staff
- Agents and Appointed Representatives
- Any third party processing personal data on behalf of the Company
It covers all personal data processed in the course of the Company’s vehicle leasing, credit broking and related business activities.
This includes personal data relating to customers, prospective customers, suppliers, business partners and any other individuals whose data is processed.
3. Governance and Accountability
The Firm acts as a data controller in respect of personal data relating to customers, employees and suppliers. In limited circumstances, the Firm may act as a data processor where it processes data strictly on behalf of another controller (for example, certain lender arrangements).
The Board of Directors retains ultimate accountability for compliance with data protection legislation.
A designated Data Protection Lead is responsible for:
- Overseeing data protection compliance
- Monitoring adherence to this Policy
- Acting as point of contact for the Information Commissioner’s Office (ICO)
- Advising on Data Protection Impact Assessments (DPIAs)
- Maintaining the Record of Processing Activities (ROPA)
The Firm maintains documented evidence of compliance in accordance with the accountability principle under UK GDPR.
Organisation Details and Accountability:
AFL (Fleet Management) Ltd trades as Car Leasing Made Simple™ and is registered with the Information Commissioner’s Office (ICO) under registration number Z2906741.
Registered address:
4th Floor, The Porter Building
Slough
SL1 1FQ
The Company acts primarily as a data controller. In certain circumstances, it may act as a data processor where it processes personal data strictly on behalf of another controller.
Responsibility for oversight of data protection compliance sits with the Complaints Officer, Victoria Linnett, who acts as the Company’s designated Data Protection Lead.
Contact details:
Telephone: 01753 878 437
Email: complaints@afl.co.uk
The Board retains ultimate accountability for data protection compliance.
4. Data Protection Principles
The Firm ensures that personal data is:
- Processed lawfully, fairly and transparently.
- Collected for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and kept up to date.
- Retained only for as long as necessary.
- Processed securely using appropriate technical and organisational measures.
- Managed in accordance with the principle of accountability.
Compliance with these principles is embedded within operational procedures and systems.
5. Lawful Basis for Processing
The Firm processes personal data only where a lawful basis exists under UK GDPR.
Processing will generally rely on:
- Performance of a contract (e.g., arranging vehicle leasing or credit agreements)
- Compliance with legal and regulatory obligations (including FCA rules and anti-money laundering legislation)
- Legitimate interests, provided such interests are not overridden by the rights of individuals
- Consent, where required (e.g., certain marketing communications)
Where legitimate interests are relied upon, a documented Legitimate Interests Assessment (LIA) will be completed where appropriate.
The Firm does not carry out solely automated decision-making that produces legal or similarly significant effects on individuals.
6. Categories of Personal Data
The Firm processes personal data including, but not limited to:
- Identity and contact information
- Financial and contractual data required to arrange finance agreements
- Technical and usage data relating to website interactions
- Marketing and communication preferences
The Firm does not knowingly collect personal data relating to children.
7. Data Security and Information Protection
The Firm implements appropriate technical and organisational security measures proportionate to the nature, scope and sensitivity of the personal data processed.
Security controls include:
- Multi-factor authentication for key systems
- Encryption of personal data in transit and at rest
- Role-based access controls and least privilege principles
- Secure backup and recovery processes
- Monitoring, logging and incident response procedures
- Supplier due diligence and contractual safeguards
- Regular review of security posture
The Firm ensures the confidentiality, integrity and availability of personal data and aligns its controls with FCA expectations regarding operational resilience.
8. International Transfers
The Firm will only transfer personal data outside the UK where such transfer complies with UK GDPR.
Transfers may take place where:
- The destination country benefits from UK adequacy regulations; or
- Appropriate safeguards are implemented, including the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; and
- A Transfer Risk Assessment has been conducted where required.
The Firm documents all restricted transfers and associated safeguards.
9. Data Retention
The Firm retains personal data only for as long as necessary to fulfil its contractual, legal and regulatory obligations.
Retention periods are defined within the Firm’s Data Retention Schedule, which takes into account:
- FCA record-keeping requirements
- Statutory limitation periods
- Legal and regulatory obligations
- Business and operational needs
Data is securely deleted or anonymised once retention periods expire.
10. Individual Rights
Individuals have the following rights under UK GDPR:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure (subject to legal limitations)
- Right to restrict processing
- Right to data portability
- Right to object
- Rights relating to automated decision-making
Subject Access Requests will normally be responded to within one month and free of charge. A reasonable fee may be charged where a request is manifestly unfounded or excessive, in line with ICO guidance.
11. Personal Data Breaches
All suspected personal data breaches must be reported immediately to the Data Protection Lead.
The Firm will:
- Assess the nature and impact of the incident
- Determine whether notification to the ICO is required and, where it is, notify the ICO within 72 hours of becoming aware of the breach
- Inform affected individuals where there is a high risk to their rights and freedoms
- Record all breaches in the Firm’s Breach Register
- Implement remedial and preventative measures
Decisions regarding regulatory notification are made by a Director in consultation with Compliance.
12. Training and Awareness
All staff receive data protection training at induction and periodic refresher training thereafter.
Training records are maintained and reviewed as part of the Firm’s compliance monitoring programme.
13. Monitoring and Review
Compliance with this Policy is subject to periodic review by senior management.
The Policy will be reviewed annually or sooner where:
- There are regulatory changes
- Operational changes impact data processing
- Material data protection incidents occur
This Policy is owned by the Board of Directors and forms part of the Firm’s Governance and Compliance Framework.
Please contact our data protection officer at contactus@carleasingmadesimple.com for more information about the GDPR and your rights under Data Protection law.
If you have a complaint about data protection at AFL (Fleet Management) Ltd, please contact our data protection officer at contactus@carleasingmadesimple.com. Alternatively, you may get in touch with our supervisory authority for data protection compliance at www.ico.org.uk:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
About cookies
Cookies are pieces of information that a website transfers to your computer’s hard disk for record-keeping purposes. Cookies can make the internet more useful by storing information about your preferences on a particular site, such as your personal preference pages.
The use of cookies is an industry standard, and most websites use them to provide useful features for their customers. Cookies in and of themselves do not personally identify users, although they do identify a user’s computer. Most browsers are initially set to accept cookies.
If you would prefer, you can set your browser to refuse cookies. However, you may not be able to take full advantage of a website if you do so.
Changes to our privacy policy
Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.
Contact
Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to contactus@carleasingmadesimple.com.