Medenta Finance Limited and Wesleyan Bank Limited
Medenta Finance Limited (Medenta) acts as a credit broker for Wesleyan Bank Limited (Bank), together “we” and “us”, and this privacy notice sets out how each uses personal data about you. Medenta acts as both a controller as well as a processor on behalf of Bank. Bank acts as a controller but may collect personal data via Medenta, acting as its credit broker. We treat the privacy of our customers and website users very seriously and we take appropriate security measures to safeguard your privacy. This Notice explains how we protect and manage any personal data* you share with us and that we hold about you, including how we collect, process, protect and share that data. *Personal data means any information that may be used to identify an individual, including, but not limited to, a first and last name, a home or other physical address and an email address or other contact information, whether at work or at home, professional membership details, date of birth and information about your employment.
HOW WE OBTAIN PERSONAL DATA
Information provided by you
You may provide us with personal data when you contact us, when entering into an agreement with us for you to act as a credit broker to introduce consumer finance products to your patients or when otherwise procuring a product or service from us or one of our group of companies. We may also keep information contained in any correspondence you may have with us by post, by email or other media. We also record telephone conversations. This means that the legal basis for our holding or processing your personal data is because we have obtained your express consent for us to do so, for the performance of a contract with you or because we have our own legitimate interests in holding or processing your personal data (and your interest and fundamental rights do not override those interests). By passing to us any information about another person, you confirm you have their authority to share that information with us. If you fail to provide certain information when requested, we may not be able to enter into a contract with you (e.g. if we are unable to verify your identity or conduct a successful credit check), perform the contract we have entered into (or are proposing to enter into) with you or we may be prevented from complying with our legal obligations (such as detecting or investigating fraud). Information we get from other sources We only obtain information from third parties if this is permitted by law. We may also use legal public sources to obtain information about you, for example, to verify your identity.
This information (including your name, address, email address, date of birth, etc.), as relevant to us, will only be obtained from reputable third-party companies that operate in accordance with the applicable laws relating to data protection (including the Data Protection Act 2018 and General Data Protection Regulation (GDPR) as amended and replaced from time to time). You will already have submitted your personal data to these companies and specifically given permission to allow them to pass this information to other companies that provide similar or complementary products and services to those we offer.
HOW WE USE YOUR PERSONAL DATA
We use your personal data and other information you pass to us to manage and administer our contractual relationship. From time to time we may notify you about, and provide, additional products, services, events and promotions where you have provided your consent to us or we have our own legitimate interests to market to you. We undertake at all times to protect your personal data, including any financial details, in a manner which is consistent with the requirements of the laws concerning data protection. We will also take reasonable security measures to protect your personal data in storage.
Do we use your personal data for marketing purposes?
Any information that you choose to give us will only be used for marketing purposes by us where you have provided your express consent to us or where we have assessed that our own legitimate interests for you to receive marketing communications from us are not overridden by your interests or fundamental rights and freedoms. You have the option to withdraw your consent at any time by contacting the Data Protection Officer – see contact details below.
Information about cookies
We will keep information about you confidential and we will from time to time share your personal data within the Wesleyan Group of Companies, of which we are a subsidiary, for example for the purpose of audit and compliance monitoring or for the opportunity to discuss with you additional products or services these companies could provide. We will only disclose your information with other third parties with your express consent with the exception of the following categories of third parties:
Categories of third parties
- insurance companies, loss assessors, regulatory authorities (including recognised practitioner bodies), legal or crime
prevention agencies, credit referencing agencies and other fraud prevention agencies to help us make decisions
about you, to perform a contract with you and to comply with any legal and regulatory issues and disclosures such
as verifying your identity and preventing fraud and money-laundering;
- any IT Service providers, marketing agencies, market researchers, debt collection agencies, document management
providers, mailing or printing agents, web page hosting providers, contractors, auditors and advisors that provide a
service to us or act as our agents on the understanding that they keep the information confidential;
- anyone to whom we may transfer our rights and duties under any agreement we have with you.
When we and fraud prevention agencies process your personal data, we do so on the basis that we have a legitimate interest in preventing fraud and money laundering and to verify your identity in order to protect our business and to comply with laws that apply to us. Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to ten years and may result in others refusing to provide products, services, financing or employment to you. Where we use credit scoring, this means existing and historic data about you may be used to determine your creditworthiness. The identities of the Credit Reference Agencies, and the ways in which they use and share personal information, are explained in more detail at www.experian.co.uk/crain
Transfer of your personal data outside of the European Economic Area (EEA)
We do not currently transfer your personal data outside the EEA. If in the future we transfer your personal data, in accordance with the terms of this Notice outside of the EEA, we will make sure that the receiver agrees to provide the same or similar protection as we do and that they only use your personal data in accordance with our instructions. Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing. If you require further information regarding such transfers, please write to the Data Protection Officer at Cambrian Works, Gobowen Road, Oswestry, Shropshire SY11 1HS or email firstname.lastname@example.org
How long do we keep this information about you?
We keep information in line with the retention policy of our ultimate parent company, Wesleyan Assurance Society. These retention periods are in line with the length of time we need to keep your personal information in order to manage and administer our contractual relationship or any other service we provide to you. They also take into account our need to meet any legal, statutory and regulatory obligations. These reasons can vary from one piece of information to the next. In all cases our need to use your personal information will be reassessed on a regular basis and information which is no longer required will be disposed of. We typically keep information relating to an enquiry for 3 years and information relating to existing and former customers for up to 10 years from the end of our relationship with you.
DATA SUBJECT RIGHTS
Subject access requests
You have the right to access particular personal data that we hold about you. This is referred to as a subject access request. We shall respond promptly, and certainly within one month from the point of receiving the request. Our formal response shall include details of the personal data we hold about you, including the following:
- sources from which we acquired the information;
- the purposes for processing the information; and
- persons or entities with whom we are sharing the information.
Right to rectification
You have the right to request, without undue delay, the rectification of inaccurate personal data we hold concerning you. Taking into account the purposes of the processing, you have the right to request incomplete personal data is completed, including by means of providing a supplementary statement.
Right to erasure
You have the right to request from us the erasure of personal data concerning you without undue delay, provided we have no legal basis to continue to process that data.
Right to restriction of processing
Subject to exemptions, you have the right to request that we restrict the processing where one of the following applies:
- the accuracy of the personal data is contested by you and so our use shall be restricted until the accuracy of the
data has been verified;
- the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction
in its use;
- we no longer need the personal data for the purposes of processing, but it is required for the establishment, exercise
or defence of legal claims;
- you have objected to processing of your personal data pending the verification of whether there are legitimate
grounds for us to override these objections.
Notification obligation regarding rectification or erasure of personal data or restriction of processing
We shall communicate any rectification or erasure of personal data or restriction of processing as described above to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. We shall provide you with information about those recipients if you request it.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you; unless this relates to processing that is necessary for the performance of a task carried out in the public interest or an exercise of official authority vested in us. We shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of you or for the establishment, exercise or defence of legal claims.
Right to not be subject to decisions based solely on automated processing
We do not carry out any automated processing, which may lead to an automated decision based on your personal data.
Invoking your rights
If you would like to invoke any of the above data subject rights with us, please write to the Data Protection Officer at Cambrian Works, Gobowen Road, Oswestry, Shropshire SY11 1HS or email email@example.com
ACCURACY OF INFORMATION
In order to provide the highest level of customer service possible, we need to keep accurate personal data about you. We take reasonable steps to ensure the accuracy of any personal data or sensitive information we obtain. We ensure that the source of any personal data or sensitive information is clear and we carefully consider any challenges to the accuracy of the information. We also consider when it is necessary to update the information, such as name or address changes and you can help us by informing us of these changes when they occur. Should you fail to inform us of any changes when they occur, we may not be able to deliver our products and services to you.
Questions and queries
If you have any questions or queries which are not answered by this Privacy Notice, or have any potential concerns about how we may use the personal data we hold, please write to the Data Protection Officer at Cambrian Works, Gobowen Road, Oswestry, Shropshire SY11 1HS or email firstname.lastname@example.org
Changes to this Privacy Notice
This Privacy Notice is regularly reviewed. This is to make sure that we continue to meet the highest standards and to protect your privacy. We reserve the right, at all times, to update, modify or amend this Notice. We suggest that you review this Privacy Notice from time to time to ensure you are aware of any changes we may have made, however, we will not significantly change how we use information you have already given to us without notifying you. The latest version of this Notice can be found at www.medenta.com/privacy-notice
If you have a complaint
If you have a complaint regarding the use of your personal data or sensitive information then please contact:
- Medenta by writing to the Data Protection Officer at Cambrian Works, Gobowen Road, Oswestry, Shropshire
SY11 1HS or email email@example.com
- Wesleyan Bank by writing to the Data Protection Officer at Wesleyan Assurance Society, Colmore Circus,
Birmingham B4 6AR or email firstname.lastname@example.org.
We will do our best to help you.
While we hope you can discuss issues with our Data Protection Officer, you also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
You can contact them on 01625 545745 or 0303 123 1113.