Authorised third party privacy notice

I am an authorised third party

This is our privacy notice explaining how we use your personal information as an authorised third party with Lowell.
If you would like a copy of this privacy notice or if you have any questions about how Lowell Financial Ltd and Lowell Portfolio I Ltd use and share your personal information, please contact our Data Protection Officer by:
  • email at dpo@lowellgroup.co.uk
  • letter at Data Protection Officer, Lowell Financial Limited, PO Box 13079, Harlow, CM20 9TE
Our Data Protection Officer deals with data protection for all our UK companies, so whichever Lowell company your question, concern or complaint relates to, please contact our Data Protection Officer using these contact details.

Who are we?

You are an authorised third party with one of the UK Lowell companies:

Company

Lowell Financial Ltd

Lowell Portfolio I Ltd

Company number

04558936

04857418 

ICO Registration

Z8222569

Z7273861

Country

Incorporated in the UK

Incorporated in the UK

Registered office

 

No. 1 The Square, Thorpe Park View, Thorpe Park, Leeds, LS15 8GH

No. 1 The Square, Thorpe Park View, Thorpe Park, Leeds, LS15 8GH

 
Where we use “Lowell”, “we”, “our” or “us” in this notice, we mean Lowell Portfolio I Ltd and Lowell Financial Ltd unless we say otherwise.
You have been added to a customer’s record(s) as an authorised third party. This means you are able to manage their debt(s) on their behalf. We have more information about you can support someone with their finances here.

What information do we collect about you?

We collect:
  • Your name
  • Address
  • Date of birth
  • Contact details
  • Details of your relationship with our customer
  • Details of the extent of the authorisation you have been granted 
  • If you make a payment by credit or debit card, we process your card information for the purposes of taking your payment, but we do not store your card details unless you consent to us doing so and
  • Evidence of authority to act on behalf of the customer such as Lasting Power of Attorney or a Court of Protection Order (if applicable)
  • We do not collect special category information or criminal records data intentionally from you, however if you disclose these types of information within your communication with us, it will be recorded as part of the communication.

Where do we get your information from?

Information that you give us

You may provide us with updated contact details for yourself in any communications with us by telephone, email, online chat, post, social media or otherwise, whether this is in connection with the customer’s debt(s) or to report an issue, ask questions or make a complaint.

Information that we collect about you

We will collect information about you from the customer when they provide your details to us to enable us to discuss their debt(s) with you.

Call recording

We may monitor and/or record calls for the purposes of resolving issues, training and to improve our quality and service standards.

CCTV images

We operate CCTV at all of our premises. If you visit any of our offices, you may be recorded by our CCTV system. 

Why do we need your information?

We need your information in order to add you as an authorised third party on an account. This will enable you to support your partner, friend or relative with managing their debt(s) with us. This could be for a short period to help the person recover from a difficult experience or for a long period, for example, when our customer has a long-term illness or a loss of mental capacity (the ability to make their own decisions).
We process your information on the basis of “legitimate interests”, we must make sure that those legitimate interests do not override your interests, rights and freedoms. We must do this by carrying out a legitimate interest assessment. This is set out below.

What are the legitimate interests?

  • As we have bought the customer’s debt(s), it is in our commercial interests to collect the debt that is owed under the agreements that the customer has entered into.
  • We will always deal with the customer’s debt(s) in the way we believe is in the customer’s best interests.  This includes agreeing a payment plan which is tailored to the individual circumstances of the customer and you as an authorised third party to help reduce the amount that is owing.
  • We provide additional support to those individuals who may be vulnerable.
  • It is also in the public interest for debt(s) which are properly owed to be repaid. This is important for the economy as it helps to keep the cost of borrowing down and means that people continue to have access to credit.

Why is it necessary?

If we don’t process your information, we can’t:
  • Make sure we are dealing with the correct person when discussing the customer’s debt(s)
  • Make sure that the information we hold about you is correct 
  • Collect the amounts that the customer owes
  • manage the customer’s debt(s) in the way that we believe is in the customer’s best interests
  • Agree a payment plan with you 
  • Provide you with additional support when you need it and
  • Provide the credit reference agencies with accurate and up to date information about the customer’s debt(s) that are owing.

What is the impact on you?

We collect, use and share your information as set out in this privacy notice, which means that we and the third parties we’ve told you about have access to your information.
Lowell Financial Ltd are authorised by the Financial Conduct Authority which means that we are required to act fairly, ethically and lawfully in addition to complying with our own high standards.
We also minimise the impact on your data protection rights, interests and freedoms by:
  • Making sure we comply with the data protection rules including the UK Data Protection Act 2018 and UK GDPR
  • Only collecting the minimum amount of information we need to carry out our debt(s) collection activities
  • Having a retention policy to make sure that we don’t keep your information for any longer than we need it
  • Carrying out data protection impact assessments to make sure that we identify any potential privacy risks and put appropriate measures in place to protect you from those risks
  • Carrying out due diligence on the third parties we work with and making sure that we have contracts in place with those third parties to protect your personal information
  • Providing you with this privacy notice which explains how we use your information, what your rights are and how to exercise them and
  • Putting in place appropriate security measures to protect your information including have an ISO27001 certificate, which means that we meet the internationally recognised standards for managing risks to the security of the information we hold.

Who do we share your information with?

We sometimes need to share some of your information with other organisations.

Information that we share with other companies in the Lowell group

We may share your information with other members of the Lowell group of companies: 

·         if we instruct them to act on our behalf in connection with our customer’s debt(s)

·         for our internal administrative purposes

·         including any company associated or otherwise connected with the Lowell group if we transfer our customer’s debt(s) to them whether as part of a group reorganisation or otherwise.  If we transfer our customer’s debt(s) to another member of the Lowell group, Lowell Financial Ltd will continue to manage our customer’s debt(s) on behalf of the new owner of the customer’s debt(s) and your personal data will continue to be used and shared as set out in this privacy notice. 

 

For details of the UK companies in the Lowell group, please see the section 'Who are the Lowell group' below.

Information that we share with other authorised third parties

If the customer has authorised multiple people or debt management companies such as Step Change, Pay Plan or Money Wellness to manage their debt(s) with us, then we may discuss your activity managing the debt(s) with the other authorised third party.

Information that we share with our third party suppliers

We use a number of carefully selected third parties to supply us with products and services, such as our IT and mailing services.

The information that we share with our suppliers will depend on the nature of the products and services that they provide to us but we will only share the minimum amount of your information which is necessary for them to provide us with the products and services we need. 

This may sometimes involve your information being shared or stored outside of the UK and outside the European Economic Area. 

Information that we share with the original creditor

We may share some limited information with the previous owner of the customer’s debt which may include call recordings and information about the debt with our clients and prospective clients for quality assurance purposes.

Information that we share with other third parties

If we or any member of the Lowell group of companies merges, transfers or sells part or all of its business or assets or any of the share capital of Lowell Portfolio I Ltd or Lowell Financial Ltd to a third party, your personal information may be disclosed to that third party and its advisers for the purposes of negotiating and completing the merger, transfer or sale.  If the merger, transfer or sale does complete, that third party may use or disclose your information as set out in this privacy notice.

We may also share your information with our investors, insurers, lenders, legal and other professional advisers where necessary.

 

Where is your information stored?

Your information is generally stored on servers and filing systems in the UK but from time to time it may be stored in or accessed from countries outside the UK. Where this may happen, we always make sure that there are appropriate safeguards in place, such as the standard contractual clauses, international data transfer agreements or binding corporate rules, to guarantee that your information, and your rights , are protected to the same high standard as under UK law.

How do we safeguard your information when it is transferred outside of the UK?

We sometimes need to share some of your information with other organisations who are not in the UK, therefore we need to include further safeguards in order to ensure your information is safe.

 

Adequacy Decision

Where a county has been granted adequate by the European Commission, this means they have been found to offer the same level of safeguarding as the UK and therefore are safe countries to transfer information to and no extra contractual obligations are required in order to transfer your information.  

 

A list of countries with adequacy is linked here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

Standard contractual clauses

These are a set of standard clauses which have been recognised by the European Commission and the Information Commissioner’s Office as providing adequate protection to personal information transferred outside the EU or UK

When we include these clauses in a contract with one of the companies we work with, it means that if they transfer your information outside the EU or UK they must make sure that your information is just as safe as it is in the EU or UK.

As part of this, a transfer impact assessment is also completed to identify any risks with the information sharing. This enables us to put extra protections in place before we decide whether to transfer your information.

A copy of the standard contractual clauses is linked here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

Internation Data Transfer Agreement (IDTA)

This is a transfer mechanism that has been created by the Information Commissioners Office which provides sufficient protection to personal information transferred outside the UK to restricted countries outside of the EU.

 

A copy of the IDTA is linked here: international-data-transfer-agreement.pdf (ico.org.uk)

Binding corporate rules

These are a way for large groups of companies which are based in lots of countries around the world to transfer personal information to companies in their group in a way that complies with the UK data protection laws. The binding corporate rules must be approved by the data protection regulator before the group of companies can adopt them. 

When one of the companies we work with uses binding corporate rules, it means that if they transfer your information outside the UK, they have procedures in place to make sure that your information is handled in a way that makes sure that your information is just as safe as it is in the UK and EEA.

 

A list of the Binding corporate rules is linked here: BCRs approved under UK GDPR | ICO

How long do we keep your information?

We only keep your information for as long as we need it.
We have a retention policy which we have written by considering all the different types of information that we hold about you, understanding how long we need to keep it for and agreeing not to keep it for any longer.

Do we carry out profiling and automated decision-making?

We do not carry out profiling or any automated decision-making using your information.

What rights do you have?

Under the data protection laws, you have a number of rights in respect of your information and the way we use it. Some of these rights only apply in certain situations. We explain below what rights you have, what these mean and how they apply to the way we use your information.

You have the right to

What does this mean?

How does this apply to the way we use your information?

Access your information

You can ask for: 

  • confirmation that we process your personal information
  • a copy of your personal information that we hold and
  • other information about how we process your information.

We will provide you with a copy of your personal information which we hold unless the data protection laws provide an exception that we decide to rely on, for example where there are ongoing court proceedings. We may also redact out the names of any other individuals to protect their privacy.

Wherever possible, we will provide you with a copy of your personal information in the same manner you make your request unless we agree otherwise with you.

This privacy notice also includes the other information you can ask for about how we process your information.

Have your information rectified

You can ask us to rectify your information if it is not accurate, incomplete or up to date.

We will update or correct your information, although sometimes we may need to ask you to provide evidence to confirm the changes, for example a copy of your marriage certificate if you are changing your name because you have got married.

Have your information erased

This is also known as the right to be forgotten.

You can ask us to delete your information where: 

  • we no longer need it
  • we rely on your consent to use your information and you withdraw it
  • you object to our processing it and we have no overriding legitimate grounds to continue processing it or
  • we are legally required to delete it.

This right does not apply where: 

  • we are legally required to keep your information
  • we have a compelling legitimate ground for using your personal information or
  • we need your information to establish, exercise or defend legal claims, for example where there are ongoing court proceedings.

As we rely on the fact that we need your information to (a) comply with our legal obligations or (b) protect you where it is a matter of life and death for most processing of your personal information, we will only be able to delete your personal information: 

  • if you have the right to object to our processing your personal information and to carry out your request we have to erase your information and
  • where we no longer need your information. Although our retention policy means that we will delete your information once we no longer need it. Please see the section How long do we keep your information? above for more details.

Restrict our processing of your information

You may ask us to restrict our processing of your personal information where: 

  • you believe the information we hold about you is inaccurate while we check whether it is accurate
  • we no longer need your information but you need it to establish, exercise or defend a legal claim or
  • you object to our processing your personal information while we reconsider our legitimate interests assessment.

We will not process your personal information whilst we consider your request. However, we will still be able to process your personal information for the purposes of any ongoing court or other legal proceedings.

We will inform you if we begin processing your personal information again and explain why.

Have your information transferred to you and/or a third party

This is also known as the right to data portability.

You can ask us to provide you with a copy of the information which you have provided to us and which we hold electronically.

This right only applies to the information which you have provided to us which we hold electronically. 

We will provide this information to you in a commonly-used and machine readable format.

Object to our processing of your information, including profiling

You can object to our use of your information, including profiling unless: 

  • we have compelling legitimate grounds for using your information or
  • we need to use your information to establish, exercise or defend a legal claim, for example where there are ongoing court proceedings.

You can also object to us using your information for marketing purposes.

We don’t carry out any profiling of people who are third parties authorised by a customer to manage their debt(s).

This right only applies to the information that we process on the basis that it is in our legitimate interests.  

We don’t use your information for direct marketing

Not to be subject to an automated decision

You can ask us to review any automated decision which has a legal or significant effect for you. You can provide us with your point of view and any additional information that you think we need and ask for a human to reconsider our decision.

You can ask us to reconsider any automated decision we have made

 
We will always do our best to respond to your request within one month of receiving it and any additional information we need to confirm your identity and understand your request.
However, sometimes we may need some more time to deal with your request, particularly if it is complicated.  Where this happens, we will write to you within one month and let you know why we need some more time and when we will provide you with our response.
If we are unable to carry out your request, we will send you a response explaining why. 
If you would like to exercise any of your rights, please contact our Data Protection Officer by:
  • by email at dpo@lowellgroup.co.uk or
  • letter at Data Protection Officer, Lowell Financial Ltd, PO Box 13079, Harlow, CM20 9TE.
Our Data Protection Officer deals with data protection for all our UK companies, so whichever Lowell company your question, query or request relates to, please contact our Data Protection Officer using these contact details.

What if you have a complaint?

If you have any questions, concerns or complaints about the way any of the UK Lowell companies process your personal information, our Data Protection Officer will do their very best to help you.  You can contact our Data Protection Officer by:
  • email at dpo@lowellgroup.co.uk or
  • letter at Data Protection Officer, Lowell Financial Ltd, PO Box 13079, Harlow, CM20 9TE.
Our Data Protection Officer deals with data protection for all our UK companies, so whichever Lowell company your question, concern or complaint relates to, please contact our Data Protection Officer using these contact details.
If you are not happy with the way we have handled your complaint or are still concerned about our handing of your personal information, you have a right to take your complaint to the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF and www.ico.org.uk.

Who are the Lowell group?

The Lowell group is made up of the following companies incorporated in the UK.

Lowell Portfolio I Ltd    

Company number 04857418

Lowell Financial Ltd

Company number 04558936

Lowell Legal Limited  

Company number 08647091

 Overdales Legal Limited

Company number 07407310

Lowell UK Shared Services Limited 

Company number 08336897 

Lowell Group Shared Services Limited 

Company number 08647094

Lowell Receivables Financing 1 Limited 

Company number 11344999

Lowell Receivables Financing 2 Limited 

Company number 13403235 

Lowell Receivables Financing 3 Limited 

Company number 13849615 

Lowell Portfolio III Limited

Company number 08096778

Lowell Portfolio IV Limited

Company number 08654105

Changes to this notice

This privacy notice was updated in May 2024.
We will regularly review this notice and keep it updated to make sure that the information we provide you with is accurate and up to date.