1. Introduction
BREAL Zeta CF I Limited ("we", "our", "us") are committed to protecting the personal data of individuals associated with the companies with which we do business. BREAL Zeta CF I Limited is a specialist asset- based lender, providing businesses with hand crafted solutions to power their ambitions; our core activities involve only limited personal data processing. This notice (“Notice”) sets out how and why we collect, use, and disclose the personal data that we receive from or in relation to our current and prospective customers.
This Notice may be amended from time to time. We will post changes to this Notice on our website and any changes will take effect 30 calendar days after posting. We recognise our continuing transparency responsibilities and will take reasonable steps to bring to the attention of our customers any material changes to this Notice when they are posted.
2. Data controller
BREAL Zeta CF I Limited is the data controller. We are registered in the United Kingdom with company number 12263895, and our registered office address is BREAL Zeta CF I Limited, 14th Floor 33 Cavendish Square, London, United Kingdom, W1G 0PW.
Questions, comments, and requests regarding this Notice may be emailed to BZPrivacy@bzcf.co.uk or sent by post to the above-mentioned address.
3. What personal data we collect and why?
This section covers the different sources and categories of personal data that we collect and otherwise process, why we do so, and the lawful bases for our processing.
3.1 Individuals associated with current and prospective customers
A - Sources of Personal Data
We may obtain personal data about individuals associated with our customers or prospective customers (including their employees, officers, major shareholders, or other associated individuals) in connection with loan applications or services from the following sources:
a) the individual directly (for example, by telephone, via our website, by e-mail, when a representative of, or individual associated with, our customer fills out our forms, or in the course of providing our services);
b) our customer;
c) credit reference agencies (which may search the UK Electoral Register); d) fraud prevention agencies, CIFAS, or other organisations;
e) our own affiliates;
f) various subscription services; and/or
g) publicly available sources (for example, governmental websites, company registries, search engines and social media sites).
B - Personal Data that We Collect and Process
We have a legal obligation to carry out due diligence on our customers in compliance with various anti- money laundering, counter terrorism, anti-bribery and anti-corruption, tax, and other similar legislation prior to providing lending services to a customer. To do this, we may request personal data relating to our customers’ officers, authorised signatories, direct/indirect shareholders, trustees, settlors, protectors, and beneficial owners. We may also process the personal data of the directors of any parent or subsidiary that provides our customers with credit support. This may include:
a) a copy of a passport, driver’s licence, national identity card or any other equivalent identity document;
b) proof of residential address (for example, a copy of a utility bill, bank statement or any other equivalent document confirming the residential address);
c) the results of searches run by third parties or against publicly available information where such results may include the following categories of personal data: name, address, date of birth, directorships, convictions, disqualifications, and notices of correction; and/or
d) a specimen signature.
We may conduct real-time and/or automated screening against politically exposed persons and prohibited and/or sanctioned persons lists published by various regulators from time to time or checks through certain subscription services.
We may also collect contact details including name, title, postal address, telephone number(s) and email address, and other verification details of individuals associated with our customers. If an individual associated with our customer contacts us, we may keep a record of that correspondence.
C - Why do We Collect Personal Data and What Are Our Lawful Grounds for Doing So? Our legal obligations
We need to collect personal data about individuals associated with our customers in order to comply with our legal obligations, including:
a) for assessment and analysis necessary to prevent and detect money laundering, including but not limited to carrying out any relevant anti-money laundering and sanctions checks and fulfilling our obligations under any relevant UK anti-money laundering law or regulation (including under The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017); and / or
b) to comply with any other UK regulatory obligations which apply to us.
Where an individual associated with a customer or prospective customer is unable to provide us with their personal data and review of such data is a legal or a contractual requirement in relation to the provision of our services, we may be compelled to refuse to offer our services in that circumstance.
Our legitimate interests
The personal data we collect also is used to carry out and protect our business interests including the following:
a) to manage accounts;
b) to develop and improve the services we provide to our customers;
c) to assess and analyse in order to prevent and detect fraud and other crime;
d) to carry out regulatory and sanctions checks required by foreign laws or regulations to which we or our affiliates are subject;
e) to meet our obligations to relevant non-UK government or regulatory authorities;
f) to carry out operational and administrative actions;
g) to establish and maintain commercial relationships;
h) to exercise or to defend legal claims; and/or
i) to inform our customers of products, services and events that may be of interest by various means, including by letter, telephone, messages, e-mail, and other electronic methods. Where we use electronic means of communication to provide individuals associated with our customers with marketing information, we will seek their prior consent where required by law to do so.
3.2 ACCOUNT DEBTORS
A - Sources of Personal Data
We may obtain personal data about individuals associated with our account debtors (including their employees, officers, major shareholders, or other associated individuals) from the following sources:
a) the individual directly (for example, by telephone, via our website, by e-mail, when a representative of, or individual associated with, our customer fills out our forms, or in the course of providing our services); and
b) our customer.
B - Personal Data that We Collect and Process
We may process the following categories of information in relation to individuals associated with account debtors:
a) name;
b) job title;
c) contact details (including phone number and email address); and d) associated company number.
C - Why Do We Collect your Personal Data and What Are Our Lawful Grounds for Doing So? Our legitimate interests
The personal data we collect also is used to carry out and protect our business interests including the following:
a) to manage accounts;
b) to set corporate credit limits for our customers; and c) to carry out operational and administrative actions.
3.3 SERVICE PROVIDERS AND THIRD-PARTY VENDORS (COVERING THEIR EMPLOYEES, AUTHORISED SIGNATORIES, OFFICERS, DIRECTORS, AND REPRESENTATIVES)
A - Sources of Personal Data
We may obtain personal data about individuals associated with our service providers and third-party vendors from the following sources:
a) the individual directly (for example, when they fill out our forms, sign agreements with us, or in the course of carrying out services for us);
b) the service provider; and/or
c) publicly available sources (for example, your company website).
B - Personal Data that We Collect and Process
We may request personal data relating to our service providers’ and third-party vendors’ officers, authorised signatories, and other associated individuals. This may include:
a) name;
b) job title; and
c) business contact details.
C - Why Do We Collect your Personal Data and What Are Our Lawful Grounds for Doing So? Our legal obligations
We may need to collect personal data about individuals associated with our vendors in order to comply with legal and regulatory obligations that apply to us.
Our legitimate interests
The personal data we collect may also be used for us to pursue the following legitimate business interests:
a) to communicate with you in relation to the services you provide to us;
b) to carry out operational and administrative actions;
c) to exercise or to defend legal claims;
d) to prevent illegal activity; and/or
e) to invite our suppliers to events and inform their representatives of products and services that may be of interest by various means, including by letter, telephone, messages, e-mail, and other electronic methods. Where we send individuals associated with our vendors direct marketing messages by email, we will obtain their consent where we are required to do so by law.
3.4 WEBSITE VISITORS
A - Sources of Personal Data
We may obtain personal data concerning our website visitors from the following sources:
a) from you directly when completing the “Contact Us” section of our website; b) from your device or browser; and/or
c) if you contact us, we may keep a record of that correspondence.
B- Personal Data that We Collect and Process
a) name;
b) email address; and/or
c) data from cookies that are used for our website (for more information please see our Cookie Notice.
C - Why Do We Collect your Personal Data and What Are our Lawful Bases for Doing So?
We process your personal data for the following purposes:
a) to allow you to participate in interactive features of our service when you choose to do so;
b) to respond to your queries;
c) to ensure that content from our website is presented in the most effective manner for you and for your device;
d) for the provision of support services;
e) for system administration purposes;
f) for generating and monitoring statistical data about our users' browsing actions and patterns, the number of visitors to our website, the pages visited and how long they stayed; and/or
g) to exchange personal data with affiliates, companies for the purpose of reporting, global management, carrying out monitoring, analysing our business, complying with regulatory requirements and any other purposes that are incidental to or connected with the foregoing purposes.
As described in our Cookie Notice, we will not set cookies on a user’s device unless they have consented to our doing so (for more information please see our Cookie Notice). The only exception is where the cookies in question are strictly necessary for the performance or navigation of our website.
It is in our legitimate interests, and that of our website visitors, for us to process data about their use of our website in order to improve the services and information that we provide on our website and for the security of our website operation.
Please do not submit your information to us via our website if you do not want us to process your personal data for the above purposes.
4. Sharing of your information
We share personal data relating to our customers and other business contacts among affiliates, and also with trusted third-party vendors and business partners. The purposes for these transfers are set out below. We do not sell your personal data to third parties.
A - Our Affiliates
We may disclose your personal data to affiliates for the following business purposes: a) to facilitate the credit decision-making process;
b) to carry out global AML/KYC processes; or
c) to store personal data on our central systems.
In so doing, our affiliates may be data controllers and/or data processors of the personal data that we share with them. As data controllers and/or data processors, these affiliates will process your data in line with intra-group data transfer agreements that we have entered into with the relevant members of affiliates. In line with the requirements of the UK Data Protection Act 2018 (UK General Data Protection Regulation “UK GDPR”) and the EU Data Protection Regulation (“EU GDPR”), collectively throughout this document known as “GDPR”.
B - Our Service Providers
We may disclose information about you to organisations that provide a service to us or are acting as our agents, on the understanding that they will keep the information confidential and will comply with contractual safeguards in line with the GDPR requirements.
For example, we may share your information with the following types of service providers:
a) technical support providers who assist with our website and IT infrastructure;
b) third party software providers, who may include ‘software as a service’ solution providers, where the provider hosts the relevant personal data on our behalf;
c) professional advisers such as solicitors, accountants, tax advisors, auditors, and insurance brokers;
d) money laundering and compliance search providers;
e) providers that help us store, collate and organise information effectively and securely, both electronically and in hard copy format, and for marketing purposes;
f) providers that help us generate and collate reviews in relation to our services; and/or
g) providers that help us analyse or evaluate our data collection process or customer service fulfilment.
C - Government and Regulatory Authorities
We may disclose information about you if we have a duty to do so or if required by a UK governmental, banking, taxation or other regulatory authority or similar body, or by the rules of any relevant stock exchange or pursuant to any applicable UK law or regulation or if the law allows us to do so. Otherwise, we will keep information about you confidential.
D - Credit Reference and Fraud Prevention Agencies
In some cases, we may need to share your personal data with authorised credit reference and fraud prevention agencies in order to obtain information from them that is necessary to make credit assessments and to prevent and detect fraud, money laundering and other crimes.
When considering a loan application from a customer or making lending decisions, we may request background checks on associated individuals to be carried out by credit reference agencies, which may keep a record of the search in line with their own obligations and responsibilities.
In regard to background and credit checks on individuals associated with our customers, we reserve the right to carry out further checks from any of these sources from time to time for fraud prevention and credit control purposes.
Should an unaffiliated third party request a bank or credit reference from us, or any other request for a reference that concerns you, we will not provide such a reference without your written permission.
E - Other
We may also disclose your personal data:
a) as permitted by law in order to investigate, prevent or take action regarding illegal activities, suspected fraud, violation of our intellectual property rights, situations involving potential threats to the physical safety of any person, violation of the terms of our agreements, or as required by law;
b) in the context of mergers and acquisitions, we may transfer your personal data to potential purchasers and their advisors, subject to appropriate confidentiality obligations, in the event we decide to dispose of all or parts of our business; and
c) with our advertising and promotional agencies and consultants and those organisations selected by us to carry out marketing campaigns on our behalf, subject to appropriate contractual safeguards.
5. Transfers outside the United Kingdom or European Economic Area
In general, when transferring your personal data outside the UK or EEA, we will only do so if one of the following safeguards is in place:
a) The transfer is to a non-EEA country which has an adequacy decision by the EU Commission, or the transfer is to a third country covered by UK adequacy regulations.
b) The transfer is covered by a contractual agreement, which covers the EU GDPR requirements relating to transfers to countries outside the EEA or the transfer is covered by a contractual agreement, which covers the UK GDPR requirements relating to transfers to countries outside the UK
c) The transfer is to an organisation which has Binding Corporate Rules approved by the UK government and or EU Commission.
We may occasionally rely on derogations; our basis for these transfers would be one or more of the following:
d) the transfer is necessary for the performance of a contract between the data subject and the controller, or the implementation of pre-contractual measures taken at the data subject’s request; or
e) the transfer is necessary for the establishment, exercise, or defence of legal claims.
You may request a copy of the relevant documentation from us using the contact details provided in section 2 above.
6. Our retention policy
We retain personal data only for as long as necessary for the purposes for which the data was collected, except where necessary to meet our legal obligations (for example, in relation to AML requirements) or in order to establish, exercise or defend potential legal claims.
7. Your rights
If you are an individual covered by this Notice, you have the following rights in relation to your personal data under the GDPR:
a) to obtain information on how we handle your personal data and access documents which contain your personal data;
b) to request us to correct or update your personal data if it is inaccurate or out of date;
c) to object to the processing of your personal data where we have indicated in Section 3 above that our legitimate interest is the lawful basis for processing your data, or where decisions about you are based solely on automated processing, including profiling;
d) to erase personal data about you that is held by us:
i. which is no longer necessary in relation to the purposes for which it was collected, ii. to the processing of which you object, or
iii. which may have been unlawfully processed by us;
e) to restrict processing by us, i.e., to restrict processing to storage only:
i. where you oppose to deletion of your personal data and prefer restriction of processing instead, or
ii. where you object to the processing by us on the basis of our legitimate interests;
f) to transmit personal data that you submitted to us back to you or to another organisation in machine- readable format under certain circumstances; and
g) to withdraw your consent at any time, in the limited circumstances in which we may rely on your consent to process your personal data.
These rights are not absolute and are subject to various conditions under:
•applicable data protection and privacy legislation; and
•the laws and regulations to which we are subject.
For general questions regarding this Notice or if you at any time decide that you would like to exercise any of these rights, please contact us using the contact details provided in section 2 above.
If you are unhappy with how we have dealt with your request or concern, you have the right to file a complaint with the Information Commissioner’s Office, the UK supervisory authority. For more details, please visit the ICO’s website: https://ico.org.uk/concerns/handling/.