GDPR STATEMENT

1. Who are we?

We are AAA Financial Corporation Pty Ltd ( “the Originator”, “AAA”, “we”, “our”, “us”).

Please read the following information carefully. If you have any questions about your personal data please contact us by emailing dataprotection@aaafin.co.uk or by writing to Data Protection Officer, AAA Financial Corporation, GPO Box 2629, Brisbane QLD 4001, Australia.

2.Introduction

We are committed to protecting and respecting your privacy, being completely open and transparent in the way we collect or obtain your personal data and how we treat that information. For the purposes of Regulation (EU) 2016/679 (General Data Protection Regulation), we are a data controller in respect of the information that we collect or obtain about you. This is because we determine why and how your personal data is processed. Personal data includes information relating to natural persons who:

  1. can be identified or who are identifiable, directly from the information in question; or
  2. who can be indirectly identified from that information in combination with other information.

The personal data we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering, and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found in this privacy notice.

Special Category Personal Data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs; trade-union membership; genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person’s sex life or sexual orientation. We generally do not collect Special Category Personal Data and we further restrict collection of such data unless it is necessary for us to provide our Services to you and where we have either obtained your express consent or a permitted general situation exists. For example, we may collect health information about you to assess certain claims, including hardship, or we may collect voice and video call information to verify your identity or authorise transactions.

Credit Information is information which we use to assess your eligibility to be provided with credit and may include any credit that you have outstanding, your repayment history and any defaults. Usually, credit information is exchanged between credit providers and credit references agencies. We may use credit eligibility information being credit reporting information supplied to us by a credit reference agency, and any information that we derive from it to make decisions regarding your eligibility for credit.

3. Personal data collected on our Website

We do not collect your personal data on our website.

4. Wish to Stay Anonymous?

You can withhold your personal data when speaking with us if you are making a general enquiry. However, if you wish for us to provide you with our Services, we will need to identify you.

5. How your information is collected

Most information will be collected from you personally, this can be taken by us:

  1. if you call or email us;
  2. when we provide our services to you;
  3. when we manage our customer relationships and service provider relationships;
  4. from credit reference agencies and from mortgage brokers, your representatives and other people such as accountants and lawyers;
  5. if you provide us with feedback or make a complaint;
  6. your information that is in the public domain;
  7. if you subscribe to our distribution or marketing lists;
  8. from third parties for e.g., following an introduction to us by another third party or comparison website; and
  9. other information that may be collected including details provided on a resume sent to us relating to an employment opportunity.

We may obtain your credit related personal data:

  1. When making an application or negotiating with a lender on your behalf.
  2. From a credit reference agency when we have obtained your credit report with your consent.
  3. We may also receive your personal data from another party by any other means. If we do, we will apply the applicable data protection legislation in deciding whether it is lawful to keep the information received.
  4. We may also receive your personal data from third parties that we deal with on your behalf including brokers, the Credit Provider and from our other service providers.
  5. Any information we receive that we are not lawfully required to hold will be deleted or destroyed.

6. Why we process your personal data

The main reason we collect your personal information and credit-related personal information is to assess your application, to provide you with the product or service that you have requested (including where applicable, third-party products and services), to assess any future applications for products or services you may make to us or our Affiliates, or to help us run our business.

This includes:

  1. confirming your identity;
  2. confirm your details (for example contacting your employer to confirm your employment and income details)
  3. checking whether you are eligible for our Services;
  4. assisting you where applications are not completed;
  5. providing our products or Services to you, including administration of our Services and notifications about changes to our Services;
  6. helping manage the Service that we provide to you;
  7. helping us develop insights and conduct data analysis to improve the delivery of products, services, enhance our customer relationships and to effectively manage risks;
  8. minimise risks and identify or investigate fraud and other illegal activities;
  9. comply with laws and assist government or law enforcement agencies;
  10. record-keeping purposes, technical maintenance, obtaining or maintaining insurance coverage, managing risks or obtaining professional advice, managing our business – that is, to carry on our business activities and provide our Services to you;
  11. to prevent fraud, crime or other activity that may cause harm in relation to our Services and help us run our business and maintain integrity;
  12. bringing you new products and services;
  13. understanding your interests and preferences so we can tailor digital content;
  14. We may use your personal information and credit-related personal information to perform our business functions (for example internal audit, operational risk, product development and planning).
  15. as permitted by law and to comply with legislative or regulatory requirements in any jurisdiction, for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure, to prevent; and
  16. in addition to the specific purposes for which we may process your personal data set out above, we may also process any of your personal data where such processing is necessary for compliance with a legal obligations to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

If you are a guarantor we collect your personal information and credit-related personal information to assess whether to accept you as a guarantor for credit applied for, or provided to, the borrower. Collection of some of this information is required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. If the borrowing entity provides incomplete or incorrect information we may be unable to provide them with the product or service they are applying for.

We may need to collect personal information and credit-related personal information about a third party from you as part of this application. If we do this, you agree you will advise that person that we have collected their information.

We may also use your personal data to tell you about our Services we think may interest you or for a purpose related to the primary purpose of collection or where you would reasonably expect that we would use the information in such a way, subject to legal restrictions on using your personal data for marketing purposes.

We may also de-identify your personal data which we have collected for the purposes described in this privacy notice. If we are dealing with a request you have made in order to exercise your legal and regulatory rights (including those referred to in the ‘Your rights under applicable data protection legislation’) below, this will be done in compliance with applicable data protection legislation.

Any consent that you give can be withdrawn by emailing dataprotection@aaafin.co.uk. Withdrawing your consent does not affect the lawfulness of any processing which occurred prior to the withdrawal of consent. If you withdraw your consent, we will stop processing your personal data.

7. Who your personal data may be shared with

We may disclose your personal data:

  1. to any member of our corporate group of companies insofar as reasonably necessary for the purposes of this privacy notice and providing our Services, and on the legal bases allowed under the applicable data protection legislation and as set out in this privacy notice;
  2. to prospective funders or other intermediaries in relation to your credit requirements;
  3. to joint account holders, account operators and account applicants;
  4. to other organisations that are involved in managing or administering your credit such as third-party suppliers,brokers, lenders mortgage insurers, valuers, third party service providers, service providers for the purposes of verifying your identity, surveyors, accountants, credit reference agencies, recoveries firms, debt collectors, lawyers, call centres, printing and postal services;
  5. organisations to whom we outsource functions such as mailing and printing houses, IT providers, our agents and specialist advisers such as accountants and solicitors. Other disclosures usually include joint account holders, account operators and account applicants,
  6. to regulatory and supervisory bodies;
  7. to companies that provide information and infrastructure systems to us;
  8. to anybody who represents you, such as mortgage brokers, lenders, your representatives, lawyers, and accountants;
  9. related entities and third-party service providers who assist us in our operations and certain tasks including the verifying of your identity and information technology services;
  10. to our suppliers or subcontractors insofar as reasonably necessary to provide the relevant Services to you;
  11. to anyone, where you have provided us with your consent;
  12. where we are required to do so under anti-money laundering and counter-terrorism laws;
  13. to investors, agents or advisers, or any entity that has an interest in our business; or
  14. to your employer or referees.

Prior to disclosing any of your personal data to another person or organisation, we will take all reasonable steps to satisfy ourselves that:

Circumstances may arise where, whether for strategic or other business reasons, we decide to sell, buy, merge or otherwise reorganise our business in some countries. Such a transaction may involve the disclosure of personal data to prospective or actual purchasers or receiving it from sellers. It is AAA’s practice to seek appropriate protection for information, including personal data, in these types of transactions.

8. Overseas Recipients

Prior to disclosing your personal data to an overseas recipient, unless a permitted general situation applies, we will take all reasonable steps to ensure that:

  1. the overseas recipient does not breach the applicable data protection legislation;
  2. the overseas recipient is subject to a law, or binding scheme, or contractual terms that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way your personal data is protected under the applicable data protection legislation; or
  3. you have consented to us making the disclosure.

Acceptance of any of our Services via an application in writing, orally or electronic means, will be deemed as giving consent to the disclosures detailed herein.

Currently we are handling, storing, and processing your data in the following locations Australia, Malaysia, Singapore, Hong Kong, China and USA through the use of our cloud storage, technological products and services via other service providers.

The locations where we handle, store and process your data may change as our business needs changes and we appoint other service providers from time to time. Fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your data continues to be protected by ensuring appropriate safeguards are in place.

9. Direct Marketing

We may use your personal data for direct marketing. This means we may send information to you that relates to promotions.

You have the right to object to our processing of your personal data for direct marketing purposes. If you make such an objection, we will cease to process your personal data for this purpose.

If you do not wish to receive marketing information, you may at any time decline to receive such information by contacting us using the contact information set-out in the ‘Introduction’ section of this privacy notice. If the direct marketing is by email, you may also use the unsubscribe function.

We will not sell your personal data to other companies or organisations.

10. Automated decision making

AAA do not use automated decision making (i.e., processing that is carried out without human intervention).

In order to provide efficient tools to our network of mortgage brokers we offer online calculator tools which assist with automated decision making on maximum borrowing capacities and serviceability indexing, however in all circumstances human intervention and decisioning has final word on credit outcomes.

11. Fraud Prevention

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. The information we hold about you could make it easier or harder for you to get credit in the future. To find out more about the fraud prevention agencies we use and how they manage your information, please visit cifas.org.uk/fpn If you have any questions about this, please contact us.

12. Credit information

Credit Reference Agencies (CRA) are authorised by law to handle your credit related information. If you apply for credit, we may disclose your personal data to, or collect personal credit related information from a CRA and other credit lending entities. CRAs may include credit related information provided by us in reports provided to other credit providers to assist such other credit providers to assess the individual’s credit worthiness. As permitted by law, we may collect, hold, use or disclose credit related information held about you for the purposes of:

  1. credit liability information being information about your existing credit which includes the name of the credit provider, whether the credit provider holds an appropriate licence, the type of credit, the day the credit is entered into, the terms and conditions of the credit, the maximum amount of credit available, and the day on which the credit was terminated;
  2. repayment history information which is information about whether you meet your repayments on time;
  3. information about the type of credit that you have applied for;
  4. assessing and forming decisions as to whether to provide you with credit or to accept a guarantor;
  5. participating in the exchange of credit related information with other credit providers including obtaining from and providing information to CRAs and other credit providers and/or trade suppliers;
  6. to assist you with debt management and administration;
  7. to provide you with our Services;
  8. default and payment information;
  9. to undertake debt recovery and enforcement activities, including in relation to guarantors, and to deal with serious credit infringements;
  10. court proceedings information;
  11. to deal with complaints and meet legal and regulatory requirements; and
  12. to assist other credit providers to do the same.

When we obtain credit information from a CRA about you, we may also seek publicly available information and information about any serious credit infringement that you may have committed. When Credit reference agencies receive a search from us, they will place a search footprint on your credit file that may be seen by other lenders.

If you are making a joint application or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRA’s will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRA to break that link.

13. Credit Information handling and Credit Reporting

In assessing your credit application and providing the Services to you, we may exchange your personal data, as well as your consumer and commercial credit information with the following entities, including but not limited:

  1. to obtaining credit information about you from Experian Limited (Experian) and we may provide to Experian your personal data with respect of your credit information and credit report and your data protection rights with Experian as a credit reference agency are explained in more detail in their information notice at: experian.co.uk/crain/index.html;
  2. other credit providers for the purposes of assessing your creditworthiness, credit standing, and credit history or credit capacity;
  3. finance brokers, mortgage managers, lawyers and such other persons who assist us to provide our Services to you;
  4. Our funders that we may use to provide the Services to you.
  5. If you have been or have a reasonable belief that you are likely to be a victim of fraud, you can contact Experian’s victim of fraud support team who may be able to help you clear up your credit report after you have been a victim of ID fraud.

14. Privacy Policy and Credit Reporting Policy

You can refer to the Privacy Policy and Credit Reporting Policy of your Originator, Lender, Credit Reporting Body on the links provided in the “Schedule”.

Our Privacy Policy contains information about:

  1. how you can access and seek correction of your personal information;
  2. >how you can complain about a breach of the privacy laws by us and how we will deal with a complaint;
  3. if we will disclose personal information to overseas entities, and where practicable, which countries those recipients are located in.

Our Credit Reporting Policy contains information about:

  1. how you can access and seek correction of your credit eligibility information;
  2. how you can seek correction of your credit information;
  3. how you can complain about a breach of the credit reporting laws by us and how we will deal with a complaint;
  4. if we disclose your credit information or credit eligibility information to overseas entities, and where practicable, which countries those recipients are located in.

Our Privacy Policy and Credit Reporting Policy is available upon request or can be found on the website noted below.

Schedule

In this Notice, the “Lender” means each and every one of the following organisations (whether acting individually or together):

Lender (and their associated entities) RCN Its privacy policy is set out at...
ColCap Financial UK Limited 14127877 https://colcap.co.uk/privacy-policy/
Molo Tech Ltd 10510180 https://molofinance.com/terms-and-cond/privacy-policy/
 
In this Notice, the " Credit Reporting Body” means each and every one of the following organisations (whether acting individually or together):
Credit Reporting Body RCN Its privacy policy is set out at...
Experian 00653331 https://www.experian.co.uk/privacy/
 
Originator ABN Its privacy policy is set out at...
AAA Financial Corporation Pty Ltd 83 065 481 505 www.aaafin.co.uk/privacy.html

15.Agreement to collection, use and disclosure of your credit-related personal information

By signing this application you agree that we can do all of the following:

  1. Commercial credit-related personal information: Seek and use commercial credit-related personal information to assess an application for consumer credit or commercial credit.
  2. Consumer credit-related personal information: Seek and use consumer credit-related personal information to assess an application for consumer credit or commercial credit.
  3. Collection of overdue payments: Seek and use a credit report provided by a credit reporting body to collect overdue payments.
  4. Exchange of information between credit providers: Seek from and use or give to another credit provider (including a credit provider who has lent money on the same security) any information or opinion about credit worthiness, credit standing, credit history or credit capacity.
  5. Exchange of information with intermediaries: Seek from and use any consumer or commercial credit-related information from or disclose that information to, any introducer, financial adviser, accountant, originator, lawyer, or other intermediary (including any intermediary mentioned on the front page of this application form) acting in connection with any credit applied for or provided.
  6. Provide credit information to credit reporting bodies: In this privacy disclosure statement, the “Credit Reporting Body” means each of the organisations (whether acting individually or together) listed in the “Schedule”, we give to a Credit Reporting Body credit information. Credit information includes, to the extent applicable:
    • identification information;
    • consumer credit liability information;
    • repayment history information;
    • a statement that an information request has been made in relation to you by us, or a mortgage insurer or trade insurer;
    • the type of consumer credit or commercial credit, and the amount of credit, sought in an application:
      • that has been made by you to us; and
      • in connection with which we have made an information request in relation to you;
    • default information;
    • payment information;
    • new arrangement information;
    • court proceedings information;
    • personal insolvency information;
    • publicly available information:
    • that relates to your activities in Australia or the external Territories and your credit worthiness; and
    • that is not court proceedings information about you or information about you that is entered or recorded on the National Personal Insolvency Index; in our opinion that you have committed, in circumstances specified by us, a serious credit infringement in relation to consumer credit provided by us to you. The Credit Reporting Body may include the information given by us in reports provided to other credit providers to assist them to assess your credit worthiness. The Credit Reporting Body has a policy for managing your credit information that you may access by contacting them. In some cases a Credit Reporting Body may use your information for pre-screening your eligibility to receive direct marketing from us or other credit providers. If you do not want a Credit Reporting Body to do this contact the Credit Reporting Body. Where you believe on reasonable grounds that you have been or are likely to be a victim of fraud you may request a Credit Reporting Body not to use or disclose your information.
  7. Seek and use information from Fraud Prevention Agencies: The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found in the Lender’s Privacy Policy.
  8. Provide information for securitisation: Disclose any report or information to another person in connection with funding by means of an arrangement involving securitisation.
  9. Provide information to guarantors: Disclose any information to any person who proposes to guarantee or has guaranteed repayment of any credit provided.
  10. 16. Updating your personal data

    It is important to us that the personal data we hold about you is accurate and up to date. During the course of our relationship with you, we may ask you to inform us if any of your personal data has changed.

    If you wish to make any changes to your personal data, you may contact us. We will generally rely on you to ensure the information we hold about you is accurate or complete.

    17. Your rights under applicable data protection law

    Your personal data is protected under data protection law and you have a number of rights (explained below) which you can seek to exercise. Please contact us using the contact information set-out in the ‘Introduction’ section of this privacy notice if you wish to do so, or if you have any queries in relation to your rights.

    In this section we have summarised the rights that you have under applicable data protection laws. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.

    The summary of your principal rights under applicable data protection laws are:

    1. to request, at any time, for us to inform you of the personal data we hold about you;
    2. the right to access your personal data and we will respond to you within 30 days of making a request;
    3. the right to rectification of your personal data;
    4. the right to erasure (where we have no legitimate right or business requirements to retain your personal data);
    5. the right to restrict or object to processing (where we have no legitimate right or business requirements to process your personal data);
    6. you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you;
    7. the right to data portability which includes the right to receive, move, copy or transfer your personal data to another controller;
    8. the right to complain to a supervisory authority; and
    9. the right to withdraw your consent (where we have no legitimate right or business requirements to retain or process your personal data).

    We may refuse to give you access to personal data we hold about you if we reasonably believe that giving access would pose a serious threat to the life, health or safety of an individual, or to the public health or safety, where giving access would be unlawful, where giving access would have an unreasonable impact on the privacy of other individuals, if there are legal proceedings, or if we consider the request to be frivolous or vexatious.

    18. Children’s privacy

    We are committed to protecting the privacy needs of children and we encourage parents and guardians to take an active role in their children’s online activities and interests. We only collect information relating to children under the age of 18 as it pertains to their legal guardians financial obligations. We do not directly collect information from children under the age of 18. We do not offer or target our services to individuals or their entities/companies under the age of 21.

    19. Keeping your personal data secure

    We are committed to protecting the information you provide us. To prevent unauthorised access or disclosure, to maintain data accuracy, and to ensure the appropriate use of the information, we have in place appropriate technological and operational procedures to safeguard the information we collect.

    We will take reasonable steps to protect your personal data by storing it in a secure environment. We may store your personal data in paper and electronic form. We will also take reasonable steps to protect any personal data from misuse, loss and unauthorised access, modification or disclosure.

    If we are no longer required or wish to keep your personal data for the purpose it was collected, we will securely destroy it or remove all identity features from the information unless we are legally required to keep it for a period of 6 years after an account is closed.

    20. How we monitor your communications

    Subject to applicable laws, we will monitor and record calls, emails, text messages, social media messages and other communications. We will do this for the purposes of complying with applicable laws and regulations and our own internal policies and procedures, to prevent or detect crime, to protect the security of our communications systems and procedures and for quality control and staff training purposes.

    21. How long will your personal data be stored for

    We only keep your personal data for as long as it is necessary to fulfil the purposes for which it is processed (as described above). In accordance with our retention policy, we will retain your personal data for a minimum of six years from the end of our business relationship with you. Our business relationship will be deemed to be at an end on the date upon which your account is closed (which will either be when all outstanding sums under the agreement have been repaid or when we stop pursuing arrears on the account) or when your application has been declined. Please note that if your personal data is shared with third parties (as detailed above) they may have different retention policies. Fraud prevention agencies can hold your personal data for different periods of time; if you are considered to pose a fraud or money laundering risk, note that your data can be held by them for up to six years.

    22. What to do if you have concerns or want to make a complaint

    If you have any concerns regarding our use of your information, please notify our as soon as possible using the contact information set-out in the ‘Introduction’ section of this privacy notice.

    23. Changes to this privacy notice

    We may update this GDPR statement from time to time by publishing a new version on our website. You should check www.aaafin.co.uk/gdpr.html occasionally to ensure you are happy with any changes to this privacy notice and keep a copy for your records.