Lowell is about people – our customers, our clients, our colleagues, our suppliers and our business partners. Each of these relationships is built on trust – a trust we earn by protecting your information and privacy. Whatever your relationship with Lowell, we make these promises to you about how we will use, handle and protect your information. How we use your information depends on the nature of our relationship with you.
If you would like a copy of our Privacy Promise or any of our privacy notices, please contact us. If you would like to hear a recording of our privacy notices please call:
Calls to these numbers are free from landlines. Charges from mobile networks may vary so please check with your provider before calling.
Being open and honest is at the heart of all we do.
We will only use your information for the purposes we’ve told you about in our privacy notice, which you will find by selecting the relevant link above.
The information we collect about you depends on your relationship with us, select the relevant link above to find out more.
We do what we reasonably can to check the information that we collect is accurate and to keep it up to date. If you spot a mistake in your information, you can call, write or email us to ask us to correct it.
We have a retention policy that sets limits on the length of time we keep your information. How long we keep it varies, depending on the type of information and the reason why we are using or keeping it.
Select the relevant link above to find out more.
Keeping information secure is a top priority for Lowell. We have put appropriate security measures in place to protect your information including being ISO27001 certified, which means that we meet the internationally recognised standards for managing risks to the security of the information we hold.
For details of your privacy rights and how you can exercise them, please select the relevant link above.
You can raise any concerns you may have about our handling of your information by writing to our Data Protection Officer at the contact details below.
If you are not happy with the outcome, you also have the right to raise your concern with the Information Commissioner’s Office.
We will only collect, use and share your information where we have a lawful reason for doing so. This is known as the “legal basis” and we are required to tell you what the legal basis is for each of our activities which involves your information.
You will find the legal basis together with other details about how we use your information by selecting the relevant link above.
We provide you with detailed information about how we use your information to make sure that we are fair and transparent.
Our Privacy Team handle requests for all of our UK companies so you only need to submit one
request. Please tell us in your request which companies and accounts you’d like us to include and we’ll be happy to help.
We have a legitimate interest in holding and processing the data we use in order to collect any amounts you owe. As we have a legitimate interest we do not need to rely on your consent for the majority of the data we hold about you. We only ask for your consent in relation to the information you provide to us over the phone about your physical or mental health. If you withdraw your consent, we will remove any such information from your account. This will not affect the lawfulness of any processing of this information that we have carried out before you withdrew your consent. We may also process some information about you to comply with our legal, regulatory and professional obligations, for example under the anti-money laundering and counter-terrorist financing legislation and for crime and fraud prevention.
Yes, you can make a request on behalf of another person. You will need to provide evidence that you are entitled to act on their behalf, such as a written authority to make the request or a general power of attorney. If you can’t provide appropriate evidence we will send the response directly to the individual.
We will do our very best to fulfil your request within one month. In some circumstances, we may write to you extending this time period by an additional two months. This may happen where your request is complex or you have made a number of requests. We are allowed to extend the timescale for responding to you in this way under Article 12(3) of GDPR. If your request is for access to information and there is any specific information which you require copies of, please let us know what this is and we may be able to respond more quickly.
The Information Commissioner’s Office (ICO) have said that the ‘one month’ timescale for privacy requests should be calculated from the day the request is received (whether this is a working day or not) to the corresponding calendar date on the next month.
You can read their advice on the following link: https://ico.org.uk/your-data-matters/time-limits-for-responding-to-data-protection-rights-requests/
A company receives a request on 3 September. This gives the company until 3 October to comply with the request.
If this is not possible because the following month is shorter and there is no corresponding calendar date, the company has to comply with the request on the last day of the following month. If the corresponding calendar date falls on a weekend or a public holiday, the company has until the next working day to respond.
This means that the exact number of days a company has to comply with a request varies, depending on the month in which the request was made.
A company receives a request on 31 March. As there is no equivalent date in April, the company has until 30 April to comply with the request.
If 30 April falls on a weekend, or is a public holiday, the company has until the end of the next working day to comply.
When you submit a SAR we will review the information we process and provide you with:
If you would like all of the personal information we process about you, then we’re happy to provide it. We want to help you find the information you need as quickly as we can so if there is anything specific that you require, please let us know what this is and we may be able to respond more quickly.
You are entitled to a copy of your own personal information but not to information about other people (unless you are authorised to act on behalf of another person). You are not entitled to information which we do not hold or which is not within our control. We will not provide you with information which is subject to legal professional privilege or any of the other applicable exemptions under data protection legislation.
We will provide you with the personal information which we process about you. Our response will not contain:
A SAR response includes a copy of your personal information which we process. The deed of assignment or contract of novation itself does not contain any specific details which would identify you as an individual whose debt is being purchased. The contract is therefore not part of the information which you are entitled to. The contract does refer to a separate document known as a sale file which contains the details of all the debts being purchased. The information relating to you which is contained in that sale file is in the originating creditor information sections of your SAR response.
We do not hold pricing information on our systems from which you can be individually identified. As this is not personal information about you, it is therefore not part of the information which you are entitled to.
If the agreement has been previously requested from the originating creditor and is held by Lowell, this will be provided.
The scope of a SAR includes information we hold. In most cases, we are able to provide copies of letters we have sent to you. In a small number of cases, the letters are not held in our systems.
Where this is the case, we will provide you with information from your account about the letters without providing a copy of the letter itself.
We may also send copies of letters we have sent that contain variable fields, these letters are not a full representation of the actual letter we sent at the time.
If the original letter we sent you is no longer stored on our system, we will not be able to include this in your SAR.
When can I ask for my information to be erased?
You can ask for your information to be erased at any time.
The right to erasure only applies in certain circumstances including:
When we receive your erasure request, we will review the information we hold about you. We will erase any information that we no longer need, any health information that you have provided to us over the phone and any other information that we are legally obliged to erase.
We will not delete any information that we are legally required to keep, for example under the anti- money laundering and counter-terrorist financing legislation. We will also keep any information that we are required to keep by any regulatory authorities.
We will not delete information that we need in order to administer and manage your accounts or that we need to establish, exercise or defend legal claims, for example, where there are ongoing court proceedings.
We will keep your information on our systems until we no longer need it either to administer and manage your accounts or to comply with our legal, regulatory, professional and corporate governance obligations.
We only keep your information for as long as we need it and we will keep your information for no more than 7 years from the date you cease to have any active accounts with us. We keep your information for this long so that we can:
However, we won’t keep all of your information for so long, and we will delete some information much sooner, for example, we only retain call recordings for 18 months.
We have a retention policy which we have written by considering all the different types of information that we hold about you, understanding how long we need to keep it for and agreeing not to keep it for any longer.