This Privacy Statement outlines the standards for processing personal data relating to natural persons, including but not limited to our customers, vendors, dealers, suppliers and other third parties.
For questions related to this document, please contact us via:firstname.lastname@example.org
Februari xx, 2020
Table of contents
1. What is personal data?
2. Who is responsible for the processing of your personal data?
3. Whose personal data do we process?
4. What personal data do we process?
5. For which purposes and on what legal basis do we process your personal data?
6. How do we collect your personal data?
7. Legal basis for processing your personal data
8. How long will we store your personal data
9. Do we transfer your personal data to third parties and/or to other countries outside the EU?
10. How do we secure your personal data?
11. Which rights can you exercise?
12. How to contact us in case of a request, question or complaint?
13. Can we update this Statement?
‘Personal data’ means any information relating to a natural person or any information that can be used to identify a natural person. Examples of personal data include your name and contact details or an online identifier. Information relating to a sole trader or partnership, involving one or more natural persons, is considered personal data. Information relating to a legal entity is not personal data, but information related to such entity’s representative is regarded as personal data.
Any information about your physical or mental health or condition, ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, as well as data concerning sex life or sexual orientation are special categories of personal data.
Personal data is ‘processed’ when any activity or set of activities is performed on the personal data. This includes the collection, storage, access, use, transfer, disclosure and removal of personal data.
De Lage Landen Finans Danmark filial of De Lage Landen Finans, Sverige (“we'' or “us) process personal data in accordance with applicable data privacy laws and as stipulated in this Privacy Statement (''Statement''). With this Statement we want to inform you in a transparent manner on the most important standard activities and legal bases on which we process your personal data.
De Lage Landen Finans Danmark filial of De Lage Landen Finans, Sverige is a branch under the Swedish private limited liability company established under Swedish law
Address: Vandtårnsvej 83 A
Postal address: 2860 Søborg
Telephone: +45 44 70 07 00
Commercial registration number: 18976439
VAT number: DK18 97 64 39
Supervisory Authority: The Danish Data Protection Agency
We are a branch of De Lage Landen Finans AB in Sweden who is, through De Lage Landen AB, a wholly owned subsidiary of De Lage Landen International B.V. (“DLL”), which is a wholly owned subsidiary of Coöperatieve Rabobank U.A. (‘Rabobank’ and together with its subsidiaries, the “Group”). To the extent permitted by law, your personal data may be shared between entities within the Group in accordance with the Rabobank Privacy Code, which serve as the Binding Corporate Rules of the Group.
Questions about this Statement or the processing of personal data in general can be directed to our local compliance officer at email@example.com.
A Data Protection Officer (‘DPO’) has been appointed for De Lage Landen International B.V. and its subsidiaries. The DPO can be contacted by email at firstname.lastname@example.org.
Our main activities
DLL is a global finance partner for equipment and technology assets. We deliver sustainable and effective solutions to move assets to market, throughout the entire asset life cycle: commercial finance, retail finance and used equipment finance. We work closely with our “Partners”, being equipment manufacturers and their distribution partners (from authorized distributors and independent dealers to resellers), to provide financing solutions to end-users of equipment and technology assets.
- Customers or prospective customers, Partners, suppliers and, where relevant, their representatives;• Customers or prospective customers, Partners, suppliers and, where relevant, their representatives;
- Individuals with whom we have or have had a relationship
The personal data we process can be divided into different categories:
|Categories of personal data||What kind of data might be involved?||Examples of why we use this personal data|
|Contact and identification data||Name, address, telephone number, (business) e-mail address, national identification number.||To identify you, to draft an agreement with you or to contact you.
We only use your national identification number if this is legally permitted, for example to identify the ultimate beneficial owner (UBO) of an organisation in accordance with our legal obligations.
|Contract/Agreement data||Information about your financial situation, information related to our products or services, information related to obtaining financial services, bank account information, your risk profile.||To enter into, amend, renew or terminate a contract with you.
To assess your credit worthiness or to assess whether a product is suitable for you. For instance, we must validate whether you are able to fulfil the payment obligations under the contract/agreement.
|Special categories of personal data / Criminal data||Information about criminal convictions, and biometrical data (such as fingerprints) if applicable.||In the context of preventing terrorism and for tax obligations, we are required to record information about your country of birth. In addition, we may process special categories of personal data/criminal data in the context of anti-money laundering, fraud prevention and regulatory reporting from open sources (e.g. media searches).
If you have registered your fingerprint in any electronic application operated by us (‘App’) to quickly access the App, we process your biometric data.
|Recorded calls, (recordings of video chat and online chat sessions), video surveillance, documentation of e-mails.||Conversations we have with you, and you have with us, by telephone or in online chat sessions. E-mails you send to us and which we receive from you. Camera images that we record in our offices.||We may use recorded calls, e-mails and online chat conversations to combat fraud, to fulfil legal obligations, to monitor quality, to provide proof, to improve our services and to train, coach and assess our employees. Camera surveillance is used for safety purposes (e.g. to secure and manage physical access to our premises).|
|Data related to the use of our website, portals or (mobile) applications||Cookies may collect your IP address, data about the applications and devices you use to visit our website, use of our portals or mobile applications in the context of using our services.||We process this personal data to allow you to use our online services. With the help of cookies, we can improve our website, portal or mobile applications. Where we place persistent cookies or other tracking mechanisms to perform profiling (e.g. to offer targeted ads/banners), we will obtain your consent, where required.|
|Personal data that we receive from other parties||Personal data we receive from our Partners, Chamber of Commerce, Credit Registration Office and personal data that we receive from companies to which you have given consent to share your data with us.||We use this information to check whether we can enter into a financial agreement with you.
We may use personal data from third parties (e.g. data brokers) for commercial purposes, if you have given consent to this third-party to share your personal data with us or companies like us for marketing purposes.
|Personal data that we share with other parties||
||We are obliged to provide certain data to tax and supervisory authorities or (national) data protection authorities.
We may share personal data with third parties (such as our marketing agencies or suppliers) that process personal data on our behalf for commercial / marketing purposes.
Next to that we share personal data with our Partners (for example we might share the start and end date of the contract or relevant developments that happen during the duration of the contract).
|Data we require to ensure your and our security, to prevent and investigate fraud, to prevent money laundering and financing of terrorism.||The personal data that is processed in the external and internal referral registers of Rabobank and in national and international sanctions lists.||We process this personal data to comply with our legal obligations and to prevent that you, we or the financial sector become a victim of fraud. We check if you appear in external or internal referral registers of Rabobank and check whether your name appears on national and/or international sanctions lists.|
The purposes for which we process personal data are described below. In addition, we indicate the legal basis on which this processing is done. By law, every personal data processing activity must have a legal basis.
a. To enter into a contract with you and to fulfil contractual obligations
Prior to entering into a customer relationship with you, we need to process your personal data. For example, we need to do the following examinations in order to assess whether we can accept you as a customer:
- Integrity check: When entering into a customer relationship with you, we have, as a financial institution, a legal obligation to consult available incidents registers and warning systems and national and international sanctions lists.
- Verify identity: When entering into a customer relationship with you, we have, as a financial institution, a legal obligation to confirm your identity. We can do this by making a copy of your identity document, which we will only use for identification and verification purposes.
For checking your integrity and identity, we may also rely on checks performed by other financial institutions.
- Credit check: Before entering into a customer relationship with you, we have a legitimate interest to check whether you qualify as an acceptable customer. We assess your credentials from a risk perspective and predict if you can meet your financial obligations towards us.
- Credit-scoring: We assess the risk connected to a contract with you via a method called credit-scoring Your credit score is calculated based on automated decision-making.
Logic of automated credit-scoring
You have to achieve a pre-defined minimum-score to ensure an acceptable risk for us. If we deem our risk is low you receive a higher score then when we deem our risk is high. In addition you may not be disqualified by showing up on watch-lists published by the financial sector or the Group.
The credit-score is calculated based upon several components:
We list the most important components that influence how you will be scored by us:
- Your financial standing.
Based upon personal data provided by you in the process of credit-scoring, we consult external credit rating agencies to acquire relevant financial information (credit-rating, financial statements, turn-over/solvency, payment history). If you already have or had a relation with us in the past, we combine the aforementioned (external) financial information with internal payment history related to you;
- The applicable conditions and characteristics of the DLL Partner Program under which you apply for a financial solution;
- Activity codes of the branch(es) in which you operate and the type of asset(s) you want to finance with us.
Significance and envisaged consequences of automated credit-scoring
In case you do not achieve the minimum-score, the automated credit-scoring results in a decline. In that case, DLL will refrain from entering into an agreement with you since we deem the risks involved for DLL too high.
Specific rights you have relating to automated decision making
Your credit score is calculated based on automated decision making, however, this will always be balanced against your right to request a manual review of the decision.
You have the right not to be subject to a decision based solely on automated credit-scoring. Based upon the notification that automated creditscoring will be applied to you, you can object to such automated credit scoring. In that case a manual human intervention will be part of the creditscoring applied by us.
When automated creditscoring is finalized and you want to express your point of view and contest the (automated) decision, you also have the right to invoke human intervention. In that case a person will review and reassess the automatically generated decision.
Once we have entered into an agreement with you, we process your personal data to fulfil the contract as set out below:
- Continuous integrity check: When you are our customer, we have, as a financial institution, a legal obligation to continue to consult incidents registers, warning systems, as well as the national and international sanctions lists.
- Information on products: We may inform you about your finance agreement, for example about the remaining term of outstanding obligations.
- Account management and contract management: We process your personal data for the purpose of establishing and maintaining our business relationship with you. We also may contact you to seek solutions if arrears should emerge. We do so to enter into or perform the contract between you and us.
- Services: To provide certain services that are part of the financial agreement involving third parties, for example, where we perform ‘bill and collect’ services for our Partners.
- Use of (mobile) applications: If you use our (mobile) applications and/or portals, we collect your personal data for identity and access management purposes.
- Customer service and recordings: We process your personal data to provide customer service and support. We may make and store recordings of telephone conversations, online chat sessions and video chat sessions. We use these recordings to uphold quality standards by training and coaching of our staff as well as using these as appropriate measures to prevent fraud. We always ask for your consent before recording.
- Complaint handling: We may process your personal data to enable us to handle any complaint or claim that you might have.
b) To comply with legal obligations
Providing data to Government and regulators: We are obliged, based on (international) laws and regulations, to collect, analyze and sometimes transfer your personal data to relevant governments or supervisory authorities.
We must observe regulations to be able to offer financial services to you.
Furthermore, we must observe regulations to prevent fraud and criminality, such as the law for preventing money laundering and financing terrorism, which includes that we must determine the ultimate owner (‘UBO’) of the company with whom we enter into an agreement.
Where tax authorities, courts or other appropriately authorized State authorities request your personal data, we are legally obliged to cooperate with the investigation and for that purpose disclose your personal data.
- Risk models: Based on European regulations we are legally obliged to make risk models, which can include your personal data. This allows us to determine our risks as well as the extent of the financial buffer we must hold, when providing financial services to you. These risk models calculate the chances of you getting in arrears. These enable us, in consultation with you, to prevent possible payment difficulties and/or handle these faster.
c) To ensure the security and integrity of you, us and the financial sector
As a financial institution, we have a legal obligation to process your personal data securely and to prevent fraud, money laundering and the financing of terrorism.
- Incident registers and warning systems:If you wish to become our customer or are already our customer, we will consult incident registers and warning systems.
- Incident registers and warning systems from public authorities: Public authorities provide us with names of individuals, with whom financial institutions must not do business, or to whom the financial sector must pay extra attention. We must enter these names into our warning systems. If we consult incident registers and/or warning systems, we may enter your personal data in these registers/systems. In that case, we will notify you unless we are not allowed to do so, for example because the police ask us not to notify you in the interests of their investigation.
- Publicly accessible sources: We consult publicly accessible sources, such as public registers, newspapers and the internet, in an effort to combat fraud, anti-money laundering and prevention of terrorist financing.
- Security of our offices: we will process your personal data to secure and manage physical access to our premises. We will for instance enter your personal information in our visitor registration systems when you visit our premises. In addition, we may also collect personal data through camera surveillance for security reasons.
d) d) To help develop and improve products and services
We have a legitimate interest to develop and improve products and services on an ongoing basis. We, our customers or other parties benefit from such activities.
We may process your personal data when analyzing your visit to our website with the aim of improving our website. We use functional cookies and comparable technology for this. Where needed, we will obtain your consent (e.g. for profiling or targeted advertising). See full Cookie Statement for more information.
We make and may store recordings of telephone conversations, e-mail messages (and online chat conversations). We do this in order to improve the quality of our services, for example by assessing, coaching and training our employees.
Analyzing personal data allows us to see how you use our products and services and to categorize you into customer groups. This enables us to create customer profiles and interest profiles. When producing these analyses, we may use information obtained from other parties and public accessible sources.
We may carry out research to improve our products and services, by asking you for example to voluntarily give your reaction or to review a product or service. Such research is either managed internally or we engage a third-party who will solely process your personal data on our instructions and for this purpose only.
e) For account management, promotional and marketing purposes
We process your personal data for account management, promotional and marketing purposes. In doing so, we may use personal data we have obtained from you and other parties (such as Partners). We have a legitimate interest to optimize our business relation with you by informing you about similar products and services, within the boundaries suitable for you. This enables you to make use of our solutions to their maximum potential. We may also request your consent to process your data for promotional and marketing purposes.
We may use the services of advertisers to advertise to specific target groups, which is done based on profiles we have established. We never share your personal data with such advertisers.
f) To enter into and perform agreements with Partners, suppliers and other parties
If you are a third-party doing business with us, we may process your personal data, for example to check whether you are permitted to represent your company or to facilitate a visit to our offices. Where necessary, we may consult incident registers and warning systems before we enter into an agreement with you. While the agreement is in effect, we continue these consultations in the context of screening.
We process your data so that we can perform the agreement we have concluded, because we are required to do so by law or because we have a legitimate interest in this.
g) To carry out business processes, management reporting and internal management
To carry out business processes, management reporting and internal management we process your personal data:
- Know Your Customer: We believe it is important and necessary that we have good knowledge of our customers.
- Credit risk: Financial products involve credit risk. We have to determine the level of that risk, so that we can calculate the financial buffer we need to maintain. In connection with this, we process personal data related to your loans and credit facilities.
- Transfer of receivables/securitization: In the event that we transfer our agreement with you to another financial institution, our agreement is taken over, or if a merger or demerger occurs, your personal data may be processed by a third party acquiring your contract with us, however, it will be a condition of any such transfer that such third party agrees to comply with applicable privacy and data protection laws and regulations.
- Internal audits and studies: Where needed, we may use your personal data to perform internal audits and investigations, for example in order to examine how well new rules have been introduced or to identify risks.
- Carry out our business processes: We use your personal data to carry out, analyze and improve our business processes so that we can help you more effectively. Where possible, we will anonymize or pseudonymize your personal data first.
We have a legitimate interest to categorize and establish risks that are inherent to our business, and accordingly take measures to minimize or transfer (part of) these risks and improve our business processes for the benefit of you and us.
h) For archiving purposes, scientific or historic research purposes or statistical purposes
We may process your personal data if this is necessary for archiving purposes in the public interest, scientific or historic research purposes or statistical purposes. Where possible, we will anonymize or pseudonymize your personal data first.
The business of DLL is for a major part generated through the cooperation with our Partners. Your personal data is collected by these Partners and made available to us in order to facilitate us in processing your personal data for the purposes set out above. We also receive your personal data if you have provided this directly to us, for example if you have entered this on our website with the request to contact you.
As we are a part of the Group, we may also receive your personal data from entities within the Group. We may also receive your personal data from third parties. Your personal data might be sent to us because we cooperate with these third parties and you have given your consent to these third parties to share your personal data with us or companies like us.
The purposes of processing are set out in paragraph 5 of this Statement. By law, each personal data processing activity must have a legal basis. We have mentioned the applicable legal bases in paragraph 5. For the most important part we process your personal data because we are under a legal obligation to do so or because it is necessary to enter into or execute our agreement with you. This legal basis may be found in Article 6(1)(b) and in Article 6(1)(c) of the GDPR. The legal obligations we are subject to may be found in, amongst others, the Danish Anti Money Laundering Act, the Danish Bookkeeping Act and the Danish Financial Business Act.
If, however, these legal bases do not apply, we have a legitimate interest in processing your personal data. In case we have indicated to have a legitimate interest for processing your personal data, we take into consideration whether our interest is not overridden by your interest or your fundamental rights and freedom. This legal basis may be found in Article 6(1)(f) of the GDPR
In addition, we may ask for your consent to process your personal data, for instance to develop and improve our products and services or for promotional and marketing purposes insofar we do not have a legitimate interest to process your data for this purpose.
We do not store your personal data longer than we need to for the purposes for which we have collected it. This will be in most cases 5 years after the end of our agreement or business relationship with you. Sometimes we use different storage periods. For example, if the supervisory authority requires us to store certain personal data longer or if you have filed a complaint that makes it necessary to keep the underlying personal data for a longer period.
If we no longer need your personal data for the purposes described in paragraph 5, we may still store your personal data for archiving, legal proceedings or for historical or scientific research or statistical purposes.
a. Within the Group
Personal data may be shared within the Group to the extent that this is permitted by law. For example because your application for a financial product needs involvement of Coöperatieve Rabobank U.A. when it exceeds certain hurdles. We must, however, comply with the rules that we have agreed within the Group, as stated in the Rabobank Privacy Code, which serve as the Binding Corporate Rules of the Group.
Some entities within the Group are located in countries outside of the European Union that have less strict data protection rules. We share your data with entities within the Group, only if the entities comply with the Rabobank Privacy Code. The Rabobank Privacy Code guarantees adequate protection of personal data and describes the rules that all the entities within the Group have to comply with.
b. Outside the Group
Your personal data may also be transferred to third parties outside the Group if we are legally obliged to do so, because we need to identify you before we enter into an agreement with you or because we use a third party for meeting the obligations we entered into with you.
We pass on your personal data to third parties if we are obliged to do so (for example, to national or supra-national supervisory or the tax authorities).
If you do not pay on time, we may transfer your personal data to third parties that we need in the context of our services (for example, bailiffs and lawyers).
We may pass on your personal data to Partners for the purpose of analyzing and developing program performance, customer opportunities and/or remarketing strategies.
We may transfer our agreement with you to another financial institution. Once the agreements have been transferred, the other party will also process your personal data. We agree with the other party that it must comply with privacy and data protection laws and regulations..
Sometimes we engage Partners and third parties for processing personal data on our instructions. For example, when a Partner supports us in providing our services to you or a company that stores data for us. These parties must first be deemed sufficiently reliable by us. We shall only engage third parties if this fits the purposes for which we process your personal data. In addition, these third parties can only be involved if they enter into proper data processing agreements with us, have implemented appropriate security measures and guarantee that your personal data will remain confidential.
If we transfer your personal data to third parties outside the European Union/the European Economic Area, we take extra measures to protect your data. In some countries outside the European Union/the European Economic Area, the rules for protecting your data are different from those that apply within Europe. If we transfer your data to other parties outside the European Union/the European Economic Area and the European Commission believes that the country in which this third party is located does not offer adequate protection in the area of personal data processing, we will only transfer your personal data if other appropriate safeguards are in place, such as the contractual agreements approved by the European Commission or on the basis of the Privacy Shield (United States).
We are committed to keep your personal data secure. To prevent unauthorized access or disclosure, we have taken technical and organizational measures to safeguard and secure your personal data. All our personnel is bound by a duty of confidentiality. Third parties which process personal data on our instructions can only be involved if they enter into proper data processing agreements with us, have implemented appropriate security measures and guarantee that your personal data will remain confidential.
a. Right to access and rectification
You can ask us to access your personal data processed by us. Should you believe that your personal data is incorrect or incomplete, then you can ask us to rectify or supplement your personal data.
b. Right to erasure (right to be forgotten)
You can ask us to erase your personal data as recorded by us. If we do not have any legal obligations or business reasons to retain your personal data, we will execute your request.
c. Right to restrict personal data
You can ask us to limit the personal data processed by us.
d. Right to data portability
You have the right to ask us to receive the personal data that you provided to us in connection with a contract with us or which was provided to us with your permission, in a structured and machine readable format or to transfer your personal data to a third party. Should you ask us to transfer personal data directly to a third party, then this can only be done if it is technically possible.
e. Right to object
You have the right to object if we process your personal data, for example if we process your personal data for direct marketing purposes. In case of us performing processing resulting in automated decision making, you have the right to request manual intervention to re-evaluate such decision. If you object to this processing, we will determine whether your personal data can indeed no longer be used for those purposes. We can then decide to cease the processing of your personal data. We will motivate our decision.
f. Right to withdraw consent
If you have given your consent to us for specific processing of your personal data, you can at any time withdraw your consent. From that moment, we are no longer allowed to process your personal data.
The requests for access, rectification, erasure, restriction, data portability, objection or a request to withdraw consent, can be send to email@example.com.
We will respond within one month after we have received your request. In specific cases, we are allowed to extend this period to 2 months. In order to process your request, we may request you to provide identification, for example in case of a request for access. We may also request you to further specify your request.
For requests, questions or complaints with regard to the processing of your personal data by us, you can contact our DPO:firstname.lastname@example.org
We will do our best to handle your query in a timely and appropriate fashion, however, in any case you feel we did not handle your query timely or appropriately, you can also contact the Danish Data Protection Agency by using the following contact details:
Borgergade 28, 5.
1300 København K
Telefon: +45 33 19 32 00
This Statement can be updated from time to time. For example, in case of additional legal requirements or if we process personal data for new purposes. Please note that you can find the latest, and the previous, version(s) of this Privacy Statement on our website www.dllgroup.com/dk.