Privacy Notice

  1. PURPOSE OF THIS NOTICE

This notice describes how we, IDR Legal Limited (‘IDR’) collect and use personal data in accordance with and compliantly with the Data Protection Act 1998, the EU General Data Protection Regulation (GDPR) and any other national implementing laws, regulations or secondary legislation, as amended from time to time, in the UK (‘Data Protection Legislation’). 

Please read the following carefully to understand our practices regarding the personal data (as defined within the Data Protection Legislation) in our possession and the very limited ways in which we will use it.

  1. ABOUT US

IDR (in this Privacy Notice referred to as “we”, “us”, “our” and “ours”) provides legal services in cross-border debt recovery, principally for banks based in the United Arab Emirates, Qatar and Bahrain (‘Services’).  The debts which we seek to recover generally arise from credit agreements for unsecured loans and/or credit cards issued by our client banks. Even though the debts which IDR collect are governed by foreign law (rather than by the UK consumer credit legislation) we are authorised and regulated in the UK by the Solicitors Regulation Authority (SRA) in relation to the legal debt collection services provided here in the UK. Our SRA reference number is 1327993.

In the provision of our Services, we collect and retain personal data relating to (a) the bank employees from whom we take instructions (‘Clients’), all of whom are resident outside of the European Economic Union (‘EU’) and (b) other third party correspondents (for example, process servers barristers and solicitors) who are resident within the EU and therefore have legal rights under the Data Protection Legislation (‘Third Party Correspondents’).  In relation to these categories of personal data, we are the ‘data controller’ under the Data Protection Legislation which means that we are responsible for deciding how we hold and use the personal data.

Additionally in the provision of our Services, we collect and retain personal data relating to the customers of our Clients from whom we are instructed to recover outstanding liabilities (‘Customers’).  In relation to this category of personal data, we are a ‘data processor’ under the Data Protection Legislation which means that we only use (so process) the personal data in accordance the professional instructions given to us by our Clients and/or in accordance with our licenced use of data provided to us by TransUnion International UK Limited (‘TU’). In addition to this privacy notice, you are also therefore referred to TU’s own privacy notice, incorporated herein, as follows: https://www.transunion.co.uk/legal-information/bureau-privacy-notice

Peter Coyle is our Data Protection Compliance Officer (‘DPCO’) and is responsible for assisting with enquiries in relation to this privacy notice and/or our treatment of the personal data which we hold. Should you wish to contact our DPCO Protection you can do so using the contact details noted below.

  1. HOW WE MAY COLLECT YOUR PERSONAL DATA

We obtain personal data from Clients or Third Party Correspondents under the first category referenced above when:

  • An individual requests (by telephone, post or email) a proposal from us in respect of our Services; or
  • An individual engages us to provide our Services;
  • A Client provides us with contact details for those Third Party Correspondents with whom we need to communicate in order to deliver our Services.

We obtain personal data relating to Customers when:

  • It is delivered to us by our Clients as the Data Controller.

  1. THE KIND OF PERSONAL DATA WE HOLD

The information we hold about Clients and Third Party Correspondents includes the following:

  • personal contact details (name, address, telephone numbers and email addresses);
  • details of all contact/correspondence we have had in relation to the provision, or the proposed provision, of our Services;
  • details of the Services received from us;
  • details of how our Services have been (or are going to be) funded;
  • contact details for those who have introduced our Services to others;
  • information about any complaints made about our Services.

The information we hold about Customers varies more widely and can encompass ‘sensitive personal data’, as defined by the Data Protection Legislation. In order to deliver our Services, it is common, for example, to have possession of passports and other emigration/immigration documents as well as the financial records pertaining to accounts and facilities opened with our Clients (including credit card and loan applications/agreements, cheques, account statements and other banking book/records).  Additionally, we hold identification data for Customers drawn from a combination of public records (for example census records and the electoral roll) and from access via subscription to UK credit reference agencies.

  1. HOW WE USE THE PERSONAL DATA WE HOLD

Introduction

We only use personal data for the purposes of delivering our Services, on a case by case basis, and for keeping appropriate management and administrative systems in place to support the ongoing delivery of our Services.

The sharing of personal data with third parties (specifically in any instructions given to our Third Party Correspondents) is an integral part of the Services.  However the disclosure of personal data is strictly limited by (a) the instructions given to us by our clients, and/or (b) the strict legal purpose for which our Services are required and/or (c) the terms of the debt collection licence granted to us by the SRA.

We never use or share personal data relating to Customers for marketing purposes.

We never transfer personal data outside of the European Economic Union.

Subject to us satisfying the above criteria, we are permitted to process personal data without the consent of a ‘data subject’ (as defined by the Data Protection Legislation).

Data retention

We will only retain personal data for as long as is necessary to fulfil the purposes for which it is collected.

When assessing what retention period is appropriate for personal data, we take into consideration:

  • the requirements of our business and the Services provided;
  • any statutory or legal obligations;
  • any professional or regulatory obligations;
  • the purposes for which we originally collected the personal data;
  • the lawful grounds on which we based our processing;
  • the types of personal data we have collected;
  • the amount and categories of your personal data; and
  • whether the purpose of the processing could reasonably be fulfilled by other means.

Change of purpose

Where we need to use personal data for another reason, other than for the purpose for which we collected it, we will only use the personal data where that reason is compatible with the original purpose.

Should it be necessary to use personal data for a new purpose, we will notify the ‘data subject’ and communicate the legal basis which allows us to do so before starting any new processing.

  1. DATA SECURITY

We have put in place commercially reasonable and appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We have put in place procedures to deal with any suspected data security breach and will notify any affected data subject and any applicable regulator of a suspected breach where we are legally required to do so.

  1. RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION

Your duty to inform us of changes

It is important that the personal data we hold about you is accurate and current. Should your personal information change, please notify us of any changes of which we need to be made aware by contacting us, using the contact details below.

Your rights in connection with personal data

Under the Data Protection Legislation you have the right to:

  • Request access to your personal data. This enables you to receive details of the personal data we hold about you.
  • Request correction of the personal data that we hold about you.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this basis. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal data to you or another data controller if the processing is based on consent, carried out by automated means and this is technically feasible.

Please note that your rights to make the above requests (particularly relating to ‘erasure’) do not necessarily create an obligation for us to comply with the requests.  There are reasons under the Data Protection Legislation for refusing such requests which we may exercise where appropriate.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

  1. RIGHT TO WITHDRAW CONSENT

In the very limited circumstances where express consent is required and given for the collection, processing and transfer of your personal data for a specific purpose you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact Peter Coyle at the address given below.

Once we have received notification that you have withdrawn your consent, we will no longer process your personal information (personal data) for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

  1. CHANGES TO THIS NOTICE

Any changes we may make to our privacy notice in the future will be updated on our website

This privacy notice was last updated on 1st November 2021.

  1. CONTACT US

If you have any questions regarding this notice or if you would like to speak to us about the manner in which we process your personal data, please write to Peter Coyle at the following address:

IDR Legal Limited
The Island
Moor Road
Chesham
HP5 1NZ

You have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at any time. The ICO’s  contact details are as follows:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone – 0303 123 1113 (local rate) or 01625 545 745

Website – https://ico.org.uk/concerns