This notice describes how we, IDR Legal Limited (‘IDR’) collect and use personal data in accordance with and compliantly with the Data Protection Act 1998, the EU General Data Protection Regulation (GDPR) and any other national implementing laws, regulations or secondary legislation, as amended from time to time, in the UK (‘Data Protection Legislation’).
Please read the following carefully to understand our practices regarding the personal data (as defined within the Data Protection Legislation) in our possession and the very limited ways in which we will use it.
IDR (in this Privacy Notice referred to as “we”, “us”, “our” and “ours”) provides legal services in cross-border debt recovery, principally for banks based in the United Arab Emirates, Qatar and Bahrain (‘Services’). The debts which we seek to recover generally arise from credit agreements for unsecured loans and/or credit cards issued by our client banks. Even though the debts which IDR collect are governed by foreign law (rather than by the UK consumer credit legislation) we are authorised and regulated in the UK by the Solicitors Regulation Authority (SRA) in relation to the legal debt collection services provided here in the UK. Our SRA reference number is 1327993.
In the provision of our Services, we collect and retain personal data relating to (a) the bank employees from whom we take instructions (‘Clients’), all of whom are resident outside of the European Economic Union (‘EU’) and (b) other third party correspondents (for example, process servers barristers and solicitors) who are resident within the EU and therefore have legal rights under the Data Protection Legislation (‘Third Party Correspondents’). In relation to these categories of personal data, we are the ‘data controller’ under the Data Protection Legislation which means that we are responsible for deciding how we hold and use the personal data.
Additionally in the provision of our Services, we collect and retain personal data relating to the customers of our Clients from whom we are instructed to recover outstanding liabilities (‘Customers’). In relation to this category of personal data, we are a ‘data processor’ under the Data Protection Legislation which means that we only use (so process) the personal data in accordance the professional instructions given to us by our Clients and/or in accordance with our licenced use of data provided to us by TransUnion International UK Limited (‘TU’). In addition to this privacy notice, you are also therefore referred to TU’s own privacy notice, incorporated herein, as follows: https://www.transunion.co.uk/legal-information/bureau-privacy-notice
Peter Coyle is our Data Protection Compliance Officer (‘DPCO’) and is responsible for assisting with enquiries in relation to this privacy notice and/or our treatment of the personal data which we hold. Should you wish to contact our DPCO Protection you can do so using the contact details noted below.
We obtain personal data from Clients or Third Party Correspondents under the first category referenced above when:
We obtain personal data relating to Customers when:
The information we hold about Clients and Third Party Correspondents includes the following:
The information we hold about Customers varies more widely and can encompass ‘sensitive personal data’, as defined by the Data Protection Legislation. In order to deliver our Services, it is common, for example, to have possession of passports and other emigration/immigration documents as well as the financial records pertaining to accounts and facilities opened with our Clients (including credit card and loan applications/agreements, cheques, account statements and other banking book/records). Additionally, we hold identification data for Customers drawn from a combination of public records (for example census records and the electoral roll) and from access via subscription to UK credit reference agencies.
Introduction
We only use personal data for the purposes of delivering our Services, on a case by case basis, and for keeping appropriate management and administrative systems in place to support the ongoing delivery of our Services.
The sharing of personal data with third parties (specifically in any instructions given to our Third Party Correspondents) is an integral part of the Services. However the disclosure of personal data is strictly limited by (a) the instructions given to us by our clients, and/or (b) the strict legal purpose for which our Services are required and/or (c) the terms of the debt collection licence granted to us by the SRA.
We never use or share personal data relating to Customers for marketing purposes.
We never transfer personal data outside of the European Economic Union.
Subject to us satisfying the above criteria, we are permitted to process personal data without the consent of a ‘data subject’ (as defined by the Data Protection Legislation).
Data retention
We will only retain personal data for as long as is necessary to fulfil the purposes for which it is collected.
When assessing what retention period is appropriate for personal data, we take into consideration:
Change of purpose
Where we need to use personal data for another reason, other than for the purpose for which we collected it, we will only use the personal data where that reason is compatible with the original purpose.
Should it be necessary to use personal data for a new purpose, we will notify the ‘data subject’ and communicate the legal basis which allows us to do so before starting any new processing.
We have put in place commercially reasonable and appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We have put in place procedures to deal with any suspected data security breach and will notify any affected data subject and any applicable regulator of a suspected breach where we are legally required to do so.
Your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Should your personal information change, please notify us of any changes of which we need to be made aware by contacting us, using the contact details below.
Your rights in connection with personal data
Under the Data Protection Legislation you have the right to:
Please note that your rights to make the above requests (particularly relating to ‘erasure’) do not necessarily create an obligation for us to comply with the requests. There are reasons under the Data Protection Legislation for refusing such requests which we may exercise where appropriate.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
In the very limited circumstances where express consent is required and given for the collection, processing and transfer of your personal data for a specific purpose you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact Peter Coyle at the address given below.
Once we have received notification that you have withdrawn your consent, we will no longer process your personal information (personal data) for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Any changes we may make to our privacy notice in the future will be updated on our website
This privacy notice was last updated on 1st November 2021.
If you have any questions regarding this notice or if you would like to speak to us about the manner in which we process your personal data, please write to Peter Coyle at the following address:
IDR Legal Limited
The Island
Moor Road
Chesham
HP5 1NZ
You have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at any time. The ICO’s contact details are as follows:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone – 0303 123 1113 (local rate) or 01625 545 745
Website – https://ico.org.uk/concerns
IDR Legal Limited
The Island
Moor Road
Chesham
HP5 1NZ
© 2021 IDR Legal Limited