Data Protection Policy and Operating Procedure

Next review date: 19/6/28

Purpose

UniLink Finance Ltd (“UniLink”) is committed to protecting the privacy, confidentiality and security of personal data. This policy sets out how UniLink collects, processes, stores and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and other applicable data protection legislation.

This policy aims to:

Ensure compliance with data protection legislation and best practice.
Protect the rights and freedoms of individuals whose personal data we process.
Promote transparency in how personal information is collected and used.
Reduce the risk of data breaches, loss, misuse or unauthorised access to information.
Ensure employees understand their responsibilities when handling personal data.

Scope

This policy applies to:

All directors, employees and temporary workers.
Contractors, consultants, agency staff and volunteers.
Third parties acting on behalf of UniLink where applicable.

The policy applies to all personal data processed by UniLink in any format, including electronic records, emails, databases, paper records and archived information.

Personal data may include, but is not limited to:

Names
Postal addresses
Email addresses
Telephone numbers
Financial information
Identification documents
Online identifiers
Location data
Employment information
Any information relating to an identified or identifiable individual

Data Protection Principles

UniLink will ensure that personal data is:

Processed lawfully, fairly and transparently.
Collected for specified, explicit and legitimate purposes.
Adequate, relevant and limited to what is necessary.
Accurate and kept up to date.
Retained only for as long as necessary.
Processed securely and protected against unauthorised or unlawful access, loss, destruction or damage.
Managed in a way that demonstrates accountability and compliance with data protection legislation.

Lawful Basis for Processing

UniLink will only process personal data where a lawful basis exists under UK GDPR.

Depending on the circumstances, processing may be necessary for:

Performance of a contract.
Compliance with a legal obligation.
Legitimate business interests.
Protection of vital interests.
Performance of a task carried out in the public interest.
Consent where required by law.

Consent will be obtained where appropriate and individuals will be able to withdraw consent where processing relies upon it.

Collection and Use of Personal Data

As part of our business activities, UniLink may collect and process personal data relating to:

Customers and prospective customers.
Directors, partners and guarantors involved in finance applications.
Employees and job applicants.
Suppliers and business contacts.
Professional advisers and service providers.

Personal data may be used for purposes including:

Assessing finance applications.
Performing creditworthiness and affordability checks.
Fraud prevention and anti-money laundering checks.
Managing customer relationships.
Regulatory compliance.
Contract administration.
Internal management, reporting and business improvement activities.

Where appropriate, individuals will be informed of how their information is used through privacy notices and consent mechanisms.

Credit Reference and Fraud Prevention Agencies

Where necessary and lawful, UniLink may share personal information with credit reference agencies, fraud prevention agencies, lenders and funding partners for the purposes of:

Credit assessment.
Identity verification.
Fraud prevention.
Debt recovery.
Regulatory compliance.

Individuals will be informed of such processing through our privacy notices and application documentation.

Individual Rights

Individuals whose data we process have the right to:

Access their personal data.
Request correction of inaccurate data.
Request erasure of personal data in certain circumstances.
Request restriction of processing.
Object to processing where applicable.
Request transfer of personal data to another organisation (data portability).
Withdraw consent where processing is based on consent.
Not be subject solely to automated decision-making where applicable.
Lodge a complaint with the Information Commissioner’s Office (ICO).

Requests relating to individual rights will be handled promptly and in accordance with statutory timescales.

Data Security

UniLink is committed to maintaining appropriate technical and organisational measures to protect personal data.

Security measures include:

Password-protected systems and devices.
Multi-factor authentication where available.
Secure Microsoft 365 cloud services.
Controlled access to systems and information.
Anti-virus and cyber security protection.
Secure disposal of confidential information.
Staff awareness and training.

Employees must:

Lock computers when unattended.
Use strong passwords and keep them confidential.
Only access information required for their role.
Avoid storing unnecessary copies of personal data.
Report suspected security incidents immediately.
Follow all information security procedures.

International Data Transfers

Personal data will not be transferred outside the UK unless:

Appropriate safeguards are in place.
The transfer complies with UK GDPR requirements.
Adequate levels of protection for personal data can be demonstrated.

Any international transfers undertaken through approved cloud service providers will be managed in accordance with applicable legal requirements.

Data Accuracy

UniLink will take reasonable steps to ensure personal data remains accurate and up to date.

Employees must:

Verify information when interacting with customers.
Correct inaccuracies when identified.
Ensure duplicate records are minimised.
Remove or update outdated information where appropriate.

Data Retention and Disposal

Personal data will only be retained for as long as necessary to fulfil legal, regulatory, contractual and business requirements.

At the end of the applicable retention period, records will be securely deleted, destroyed or anonymised.

Paper records will be securely disposed of using confidential waste arrangements and electronic records will be permanently deleted in accordance with internal procedures.

Personal Data Breaches

A personal data breach includes any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

All actual or suspected breaches must be reported immediately to management.

UniLink will:

Investigate all reported incidents.
Assess the risk to affected individuals.
Notify the Information Commissioner’s Office (ICO) where required.
Notify affected individuals where legally required.
Implement corrective actions to prevent recurrence.

Where a breach is reportable to the ICO, notification will generally be made within 72 hours of becoming aware of the breach.

Training and Awareness

All employees are responsible for protecting personal data and complying with this policy.

UniLink will provide appropriate data protection and information security training to ensure employees understand:

Their legal responsibilities.
Secure handling of personal data.
Data breach reporting procedures.
Information security best practices.

Responsibilities

The Board has overall responsibility for ensuring compliance with data protection legislation.

Managers are responsible for ensuring that employees understand and comply with this policy.

All employees are responsible for:

Following data protection procedures.
Protecting personal information.
Reporting concerns or breaches promptly.
Participating in relevant training.

Failure to comply with this policy may result in disciplinary action and, where appropriate, legal or regulatory consequences.

Policy Review

This policy will be reviewed annually, or sooner if required by changes in legislation, regulatory guidance, technology or business operations.

The latest version of this policy will be made available to all employees and relevant stakeholders.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.