DLL collects and processes personal data relating to individuals, including but not limited to our customers and suppliers. The privacy and the protection of personal data is important to DLL. This Privacy Statement outlines in a transparent manner how we collect and use personal data and meet our data protection obligations.
For questions related to this Privacy Statement or the processing of personal data in general, please contact us via: firstname.lastname@example.org.
This Privacy Statement was last updated on 12 January 2021.
To view the Cargobull Finance Privacy Statement, click here.
This Privacy Statement is applicable to the processing of personal data of:
- Customers, Partners and Suppliers of DLL; and/or
- Individuals that visit DLL offices or use our services on dllgroup.com or other applicable websites.
Our “Partners” are equipment manufacturers and their distribution partners (from authorised distributors, independent dealers to brokers and resellers).
When we mention “Suppliers” we mean. anyone who has at any time agreed, or offered to, provide any product or service to DLL.
Within the different categories as identified above, we may apply different forms of processing. If such differentiation is applicable and deemed relevant by us, we will set that out in this Privacy Statement.
For the avoidance of doubt, this Privacy Statement does not apply to our employees (including former employees) and job applicants. There are separate Privacy Statements in place for these individuals.
As a Customer or Supplier, if you transfer any personal data concerning your employees, representatives or ultimate beneficial owners (UBOs) to us, we also expect your employees, representatives or UBOs to be informed about this. You can give this Privacy Statement to them so that they can learn how and why we process their personal data.
DLL is a finance partner for equipment and technology assets. We deliver sustainable and effective solutions to move assets to market, throughout the entire asset life cycle: commercial finance, retail finance and used equipment finance. We work closely with our Partners to provide financing solutions to end-users of equipment and technology assets.
De Lage Landen Leasing Limited (‘DLL’, ‘we’ or ‘us’) processes your personal data in accordance with applicable privacy and data protection laws and as stipulated in this Privacy Statement. With this Privacy Statement we want to inform you in a transparent manner on the most important standard activities and legal bases on which we process your personal data.
De Lage Landen Leasing Limited is a private limited liability company established under the laws of England and Wales.
Address: Building 7 Croxley Park, Hatters Lane, Watford, Herts, WD18 8YN.
Postal address: Building 7 Croxley Park, Hatters Lane, Watford, Herts, WD18 8YN.
Telephone: 01923 810 016
Companies House registration number: 02380043
VAT number: 621 7849 29
Supervisory Authority: The Financial Conduct Authority
We are a wholly owned subsidiary of De Lage Landen International B.V., which is a wholly owned subsidiary of Coöperatieve Rabobank U.A. (‘Rabobank’ and together with its subsidiaries, the ‘Rabobank Group’ or ‘Group’). Data may be shared within Rabobank Group to the extent that is permitted by law. When sharing data within Rabobank Group, we comply with the rules that we have agreed within Rabobank Group, the Rabobank Privacy Code, which serve as the Binding Corporate Rules of the Group.
Questions about this Privacy Statement or the processing of personal data in general can be directed to our local Compliance Officer at email@example.com.
A DLL Group Data Protection Officer (“DLL Group DPO”) has been appointed for De Lage Landen International B.V. and its subsidiaries. The DLL Group DPO can be contacted by email via firstname.lastname@example.org.
‘Personal data’ means any information directly or indirectly relating to an individual or any information that can be used to identify an individual.
Personal data is ‘processed’ when any activity or set of activities is performed on the personal data. This includes the collection, storage, access, use, transfer, disclosure and removal of personal data.
We process the following personal data:
- Contact and identification data. Name, address, telephone number, (business) e-mail address, copy of ID, date of birth, business VAT number (if applicable) and copy of proof of residency;
- Contract/Agreement data. Information about your financial situation, information related to our products or services, information related to obtaining financial services, bank account information, your risk profile;
- Data we require to ensure your and our security, to prevent and investigate fraud, to prevent money laundering and financing of terrorism. The personal data that are processed in the external and internal referral registers of Rabobank, any personal data processed in relation to credit reference agencies and in national and international sanctions lists;
- Recorded calls, (recordings of video chat and online chat sessions), video surveillance, documentation of e-mails. Conversations we have with you, and you have with us, by telephone or in online chat sessions. E-mails you send to us and which we receive from you. Camera images that we record in our offices;
- Data related to the use of our website, portals or (mobile) applications. Cookies may collect your IP address, data about the applications and devices you use to visit our website, use of our portals or mobile applications in the context of using our services.
Special categories of personal data are considered to be more sensitive. This can be confidential information regarding, for example, a person’s health condition, criminal record or data relating to ethnic or racial origin.
We will only process special categories of personal data where necessary for the applicable purposes. Please see below the special categories of personal data and the purpose related to it.
Special category of personal data Purpose Personal data concerning criminal convictions We may process data related to your criminal record or criminal convictions in the context of anti-money laundering, fraud prevention and regulatory reporting from open sources (e.g. media searches). Biometric data If you have registered your fingerprint in any electronic application operated by us (‘App’) to quickly access the App, we process your biometric data. Race or ethnic background In the context of preventing terrorism and for tax obligations, we are required to record information about your country of birth.
We also might have/take/store your photograph or film you on our CCTV (closed-circuit television).
However, we do not register your race or ethnic background as a category and we do not use race or ethnic background to make decisions.
We collect your personal data in the following ways:
- if you apply for a financial or Partner solution, either as an end-user/client or as a Partner;
- if you offer a product or service to us;
- If you sell or resell a product or service of ours (for example, such as brokers);
- when you visit our ‘DLL Group’ website (for further details, see cookie statement;
- by receiving it from third parties (e.g., personal data we receive from our Partners, Companies House, credit reference agencies, HM Revenue and Customs and personal data that we receive from companies to which you have given consent to share your data with us);
- if you enter your personal data on our website with the request to contact you;
- via email or telephone (if you contact us);
- when you visit a DLL office via our visitor-registration and if in operation via closed circuit television (‘CCTV);
- from affiliates within the Rabobank Group (see paragraph 10).
By law, every personal data processing activity must have a legal basis. This is a justifiable reason to process your personal data.
Prior to the processing of personal data, we will define the purpose(s) of the processing and will not process personal data in a manner which is not compatible with those purposes.
We process your personal data for the following purposes:
To enter into a Customer or Supplier relationship and contract with you.
Prior to entering into a Customer or Supplier relationship with you, we need to process your personal data. For example, we need to do the following examinations in order to assess whether we can accept you as a Customer or Supplier:
- Integrity check: When entering into a Customer relationship with you, we consult available external and internal referral registers of Rabobank, incidents registers and warning systems and national and international sanctions lists.
- Verify identity: When entering into a Customer relationship with you, as a financial institution, we confirm your identity. We can do this by making a copy of your identity document, which we will only use for identification and verification purposes.
- Know Your Customer: We believe it is important and necessary that we have good knowledge of our Customers.
For checking your integrity and identity, we may also rely on checks performed by other financial institutions.
- Credit check: We evaluate whether we can offer our services to you before entering into a Customer relationship.
As part of the evaluation we assess your credentials from a risk perspective and validate whether you are able to fulfil the payment obligations under the contract. This method is called credit scoring, which is based on automated decision-making. More details, including the logic and legal basis for automated credit scoring, are described in Paragraph 8.
We process your data for these purposes because we are under a legal obligation to do so and/or because it is necessary to enter into a contract with you.
To fulfil your contract.
Once we have entered into a contract with you, we process your personal data to fulfil the contract as set out below:
- Account management and contract management: We process your personal data for the purpose of establishing and maintaining our business relationship with you. We also may contact you to seek solutions if arrears should emerge or to inform you about the remaining term or outstanding obligations.
- Services: To provide certain services that are part of the agreement involving third parties, for example, where we perform ‘bill and collect’ services for our Partners.
- Use of (mobile) applications: We allow you to use our online services. If you use our (mobile) applications and/or portals, we collect your personal data for identity and access management purposes.
- Complaint handling: We may process your personal data to enable us to handle any complaint or claim that you might have.
We process your personal data for these purposes because this is necessary in order to perform the contract with you.
To comply with legal obligations.
- Observing laws and regulations and providing data to governments, authorities and regulators: We are obliged, based on (international) laws and regulations, to collect, analyse and sometimes transfer your personal data to relevant governments or (supervisory) authorities. See also paragraph 10.
We must observe laws and regulations to be able to offer financial services to you.
In addition, we must observe laws and regulations to prevent fraud and criminality, such as the law for preventing money laundering and financing terrorism, which includes that we must determine the ultimate beneficial owner (‘UBO’) of the company with whom we enter into an agreement.
Where tax authorities, courts or other appropriately authorised governmental authorities request your personal data, we are legally obliged to cooperate with the investigation and for that purpose disclose your personal data.
- Risk models: Based on European regulations we are legally obliged to utilise risk models, which can include your personal data. This allows us to determine our risks as well as the extent of the financial buffer we must hold, when providing financial services to you. These risk models calculate the chances of you getting in arrears. These enable us, to prevent possible payment difficulties and/or handle these faster.
We process your data because we are under a legal obligation to do so, or because we would otherwise not be permitted by law to perform an agreement with you so that we can comply with a statutory or other legal obligation. In case a law or regulation does not specifically set out that we need to process personal data to meet a legal obligation, but we do require such processing in order to meet that legal obligation we have a legitimate interest to apply such processing.
To ensure the security and integrity of you, us, and the financial sector.
As a financial institution, we process your personal data securely and prevent fraud, money laundering and the financing of terrorism.
- Incident registers and warning systems: If you wish to become our Customer or are already our Customer, we will consult internal (Group) incident registers and warning systems. Also, public authorities provide us with names of individuals, with whom financial institutions must not do business, or to whom the financial sector must pay extra attention. We must enter these names into our warning systems. If we consult incident registers and/or warning systems, we may enter your personal data in these registers/systems. In that case, we will notify you unless we are not allowed to do so, for example because the police ask us not to notify you in the interests of their investigation.
- Continuous integrity check and Know Your Customer: When you are our Customer, as a financial institution, we continue to consult external and internal referral registers of Rabobank, incidents registers and warning systems and national and international sanctions lists. We also perform Know Your Customer on an ongoing basis.
- Publicly accessible sources: We consult publicly accessible sources, such as public registers, newspapers and the internet, in an effort to combat fraud, anti-money laundering and prevention of terrorist financing.
- Security of our offices: we will process your personal data to secure and manage physical access to our premises. We will for instance enter your personal information in our visitor registration systems when you visit our premises. In addition, we may also collect personal data through camera surveillance for security reasons.
We process your data because this is necessary in order to comply with a legal obligation. If we are not under a direct legal obligation to process your data, we process the data on the basis of the performance of a contact or in the legitimate interest of DLL, the financial sector or our Customers and employees. Such legitimate interest being the protection of the integrity and security of each of the aforementioned parties.
To help develop and improve products and services.
We develop and improve products and services on an ongoing basis. We, our Customers or other parties benefit from such activities.
- Improving our website: We may process your personal data when analysing your visit to our website with the aim of improving our website, portals or (mobile) apps. We use functional cookies and comparable technology for this. Where needed, we will obtain your consent (e.g. for marketing and analytical cookies). See our Cookie Statement for more information.
- Improving quality of our services: We make and may store recordings of telephone conversations, e-mail messages and online (video) chat sessions. We do this to improve the quality of our services, for example by assessing, coaching and training our employees.
- Research to improve our products and services: We may carry out research to improve our products and services, by asking you for example to voluntarily give your reaction or to review a product or service. Such research is either managed internally or we engage a third-party who will solely process your personal data on our instructions and for this purpose only.
- Creating Customer profiles and interest profiles: Analysing personal data allows us to see how you use our products and services and to categorise you into Customer groups. This enables us to create Customer profiles and interest profiles. When producing these analyses, we also use information obtained from other parties and publicly accessible sources.
We process your data because we have a legitimate interest in acquiring information to improve the products and services that we offer as such enabling us to become a preferred and better qualified supplier for you and other Customers. Where needed we may also ask you for your consent to process your personal data for the purpose of developing and improving our products and services. If you do not give your consent, this will not affect the services we provide to you. You can withdraw your consent at any time (see paragraph 12 below).
For promotional and marketing purposes.
We process your personal data for promotional and marketing purposes. In doing so, we may use personal data we have obtained from you and from other parties (such as Partners). We optimise our business relation with you by informing you about similar products and services, within the boundaries suitable for you. This enables you to make use of our solutions to their maximum potential. We may also ask your consent to process your data for promotional and marketing purposes.
We may use the services of advertisers to advertise to specific target groups, which is done based on established profiles. We never share your personal data with such advertisers.
We process your data because we have a legitimate interest in optimising our business relation and informing you about possibilities to extend such business relation. Where needed we may also ask you for your consent to process your data for promotional and marketing purposes. If you do not give your consent, this will not affect the services we provide to you. You can withdraw your consent at any time (see paragraph 12 below).
To carry out business processes, management reporting and internal management.
To carry out business processes, management reporting and internal management we process your personal data:
- Credit risk: Financial products involve credit risk. We have to determine the level of that risk, so that we can calculate the financial buffer we need to maintain. In connection with this, we process personal data related to your financial obligations towards us.
- Transfer of receivables/securitisation: In the event that we transfer our agreement with you to another financial institution, our agreement is taken over, or if a merger or demerger occurs, your personal data may be processed by a third party acquiring your contract with us, however, it will be a condition of any such transfer that such third party agrees to comply with applicable privacy and data protection laws and regulations.
- Internal audits and studies: Where needed, we may use your personal data to perform internal audits and investigations, for example in order to examine how well new rules have been introduced or to identify risks.
- Carry out our business processes: We use your personal data to carry out, analyse and improve our business processes so that we can help you more effectively. Where possible, we will anonymise or pseudonymise your personal data first.
We have a legitimate interest to categorise and establish risks that are inherent to our business, and accordingly take measures to minimise or transfer (part of) these risks and improve our business processes for the benefit of you and us.
For archiving purposes, scientific or historic research purposes or statistical purposes.
We may process your personal data if this is necessary for archiving purposes in the public interest, scientific or historic research purposes or statistical purposes. Where possible, we will anonymise or pseudonymise your personal data first.
When processing personal data for archiving purposes, scientific or historic research purposes or statistical purposes, we process the data on the basis of the legitimate interest of DLL, the financial sector or our clients and employees.
Where we indicated we have a legitimate interest for processing in this paragraph, we take into regard that our legitimate interest does not override your fundamental rights and freedoms.
We will only make a decision based solely on automated processing including profiling which produces legal effects concerning you or significantly affects you, in case it is allowed by law.
Our credit-scoring is based on automated decision-making.
Logic of automated credit-scoring
A pre-defined minimum-score is required to have you accepted as a Customer. The higher the score, the smaller the risk you pose to creditors, including DLL. In addition, you may be disqualified by showing up on watch-lists published by the financial sector or the Rabobank Group.
The credit-score is calculated based upon several components:
Below, we list the most important components that influence your credit score:
- Your financial standing: Based upon personal data provided by you in the process of credit-scoring, we consult external credit rating agencies to acquire relevant financial information (credit-rating, financial statements, payment history). If you already have or had a relation with us in the past, we combine the aforementioned (external) financial information with internal payment / conduct history related to you;
- The applicable conditions and characteristics of the DLL Partner Program under which you apply for a financial solution;
- Activity codes for the sectors in which you operate and the type of asset(s) you want to finance with us.
Significance and envisaged consequences of automated credit-scoring
In case the minimum-score is not achieved, the automated credit-scoring results in a decline. In that case, DLL will refrain from entering into an agreement with you since we deem the risks involved for DLL too high.
Specific rights you have relating to automated decision making
Your credit score is calculated based on automated decision making, however, this will always be balanced against your right to request a manual review of the decision. You have the right not to be subject to a decision based solely on automated credit-scoring. Based upon the notification that automated credit scoring will be applied to you, you can object to such automated credit scoring. In that case a manual human intervention will be part of the credit scoring applied by us.
When automated credit scoring is finalised and you want to express your point of view and contest the (automated) decision, you also have the right to invoke human intervention. In that case a person will review and reassess the automatically generated decision and conclude the final decision on your request.
Legal basis of credit scoringThere are different applicable legal grounds that apply to different credit checks that DLL may rely on, which will vary case-by-case and those legal grounds are set out below:
- the decision is made by DLL for purposes of (a) entering into, or performing a contract or (b) managing the contract, provided the underlying request leading to a decision by DLL was made by you; or
- In certain cases where the legal ground mentioned under a) above does not apply to us, we may base our processing of your personal data on a legal obligation to do so. Such ground will be depending on the existence of applicable law that requires us to assess your ability to fulfill your payment-obligations under the contract with us before entering into such a contract.
- In certain cases where the legal grounds mentioned in a) and b) above are not applicable, we, or our Partners, may then ask for your consent before we, or our Partners, perform a credit check or credit score.
Only personnel who require access for the purposes as stated in paragraphs 7 and 8 will process your personal data. All our personnel are bound by a duty of confidentiality.
DLL will process your personal data for the purposes for which these were originally collected. Personal data may also be processed for a legitimate business purpose different from the original purpose (secondary purpose), but only if the secondary purpose corresponds to the original purpose.
We are committed to keep your personal data secure. To prevent unauthorised access or disclosure, we have taken technical and organisational measures to safeguard and secure your personal data. These security measures are aimed at preventing your personal data from being used illegitimately or fraudulently. In particular, we use security measures to ensure the confidentiality, integrity, and availability of your data as well as the resilience of the systems and services that process them and the ability to restore data in the event of a data breach. Where possible, we aim to secure your personal data using pseudonymisation or encryption measures. In addition, we test, verify and regularly evaluate the effectiveness of our technical and organisational measures in order to ensure continuous improvement in the security of processing personal data.
a. Within the Group
We are a wholly owned subsidiary of De Lage Landen International B.V., who is a wholly owned subsidiary of Coöperatieve Rabobank U.A. (‘Rabobank’ and together with its subsidiaries, the ‘Group’).
Your personal data may be shared within the Group for legitimate purposes, when those entities comply with the rules of Rabobank described in the Rabobank Privacy Code. For example, because your application for a financial product needs involvement of Rabobank when it exceeds certain hurdles.
This Rabobank Privacy Code describes the requirements that all Group entities worldwide must meet and guarantee an appropriate level of protection of personal data and serve as the Binding Corporate Rules of the Group.
b. Outside the Group
Your personal data may also be transferred to third parties outside the Group if we are legally obliged to do so, because we need to identify you before we enter into an agreement with you or because we use a third party for meeting the obligations we entered into with you. We may also pass on your personal data to tax and supervisory authorities or (national) data protection authorities.
If you do not pay on time, we may transfer your personal data to third parties that we need in the context of our services (for example, bailiffs and lawyers).
We may pass on your personal data to Partners to work together on Customer opportunities and/or remarketing strategies. For example, we can share the start and end date of the contract or relevant developments that happen during the duration of the contract with our Partners.
We may transfer our agreement with you to another financial institution. Once the agreements have been transferred, the other party will also process your personal data. We agree with the other party that it must comply with privacy and data protection laws and regulations.
We may share personal data with third parties (such as our marketing agencies or suppliers) that process personal data on our behalf for commercial/marketing purposes.
Sometimes we engage Partners and third parties for processing personal data on our instructions where it is necessary in connection with the purpose for which we collected your personal data. For example, when a Partner supports us in providing our services to you or a company that stores data for us.
We could also disclose your personal data to any relevant party, claimant, complainant, enquirer, law enforcement agency or court, to the extent necessary for the establishment, exercise or defense of legal rights in accordance with applicable law. Besides that, we could also disclose your personal data to any relevant party for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security in accordance with applicable law.
The third parties must first be deemed sufficiently reliable from a privacy and data protection perspective. We only engage third parties if this fits the purposes for which we process your personal data. In addition, these third parties can only be involved if they enter into proper contracts with us, have implemented appropriate security measures and guarantee that your personal data will remain confidential. If we transfer your personal data to third parties outside the European Union (‘Europe’), we take extra measures to protect your personal data. In some countries outside the European Union, the rules for privacy and protecting your personal data are different from those that apply within Europe. If we transfer your personal data to third parties outside Europe and the European Commission determined that the country in which this third party is located does not offer adequate protection in the area of processing personal data, we will only transfer your personal data if other approved safeguards are in place, such as the Standard Contractual Clauses (‘EU Model Clauses’) approved by the European Commission.
If we transfer your personal data to third parties located in a country which is deemed not to provide an adequate level of data protection, we take extra measures to protect your personal data.
We do not store your personal data longer than we need to for the purposes for which we have collected it. This will be, in most cases, 7 years after the end of our agreement or business relationship with you, but it may be shorter to comply with relevant legislation.
We have implemented appropriate technical and organisational measures to ensure that only people that have a right to access your information can access it. For example, our marketing people have access for a shorter period compared to our people that require access for tax purposes.
We will delete personal data at an earlier time if you request us to delete your personal data, unless another law prevails. In certain cases, we may use different retention periods. For example, if a supervisory authority requires us to store certain personal data longer, if you have filed a complaint that makes it necessary to keep the underlying personal data for a longer period, or in specific cases for archiving, legal proceedings, or for historical, scientific research or statistical purposes.
a. Right to access and rectification
You can ask us to access your personal data processed by us. Should you believe that your personal data is incorrect or incomplete, then you can ask us to rectify or supplement your personal data.
b. Right to erasure (right to be forgotten)
You can ask us to erase your personal data as processed by us. If we do not have any legal obligations or legitimate business reasons to retain your personal data, we will execute your request.
c. Right to restrict personal data
You can ask us to limit the personal data processed by us. We may refuse a restriction request if we have a lawful reason to continue the processing of the personal data (e.g. the exercise of a contract, a legal archiving duty, or the establishment, exercise or defense of legal claims).
d. Right to data portability
You have the right to ask us to receive the personal data that you provided to us in connection with a contract with us or which was provided to us with your consent, in a structured and machine readable format or to transfer your personal data to a third party. Should you ask us to transfer personal data directly to a third party, then this can only be done if it is technically possible.
e. Right to object
You have the right to object if we process your personal data, for example if we record telephone conversations. If you object to processing, we will determine whether your personal data can indeed no longer be used for those purposes. We can then decide to cease the processing of your personal data. We will inform you about our decisions and motivations. You have also the right to request that we stop using your personal data for direct marketing purposes. We will then take steps to ensure you are no longer contacted for direct marketing purposes.
f. Right to withdraw consent
If you have given your consent to us for specific processing of your personal data, you can at any time withdraw your consent. From that moment, we are no longer allowed to process your personal data.
For questions related to this Privacy Statement, please contact our local privacy officer or local compliance officer via email@example.com. If you would like to exercise any of your rights, please do so by completing this form:
Submit a request or complaint
We will respond within one month after we have received your request. In specific cases, we are allowed to extend this period with another 2 months. In order to process your request, we will request you to provide sufficient information to identify you. We may also request you to further specify your request. We will do our best to handle your request, question or complaint in a timely and appropriate fashion. If you feel we did not handle your request, question or complaint timely or appropriately, you may also lodge a complaint using the same button in this section.
If you still feel we did not handle your request, question or complaint timely or appropriately, you can also contact your local Data Protection Authority. You can find the contact details of your local Data Protection Authority below:
The Information Commissioner’s Office (“ICO”)
Information Commissioner’s Office
This Privacy Statement will be updated from time to time. For example, in case of additional legal requirements or if we process personal data for new purposes. Please note that you can find the latest version of this Privacy Statement on our website www.dllgroup.com.