Effective 28th August 2019.
For ease of reference, this policy is divided into sections that are specifically applicable to Members and Parties associated with Members of The Credit Protection Association Plc (Section 2), Supporters of PayonTime (Section 3) and Visitors (Section 4). Sections 1 and 5 are applicable to all.
Section 1 – Introduction
About Us
Established in 1914, The Credit Protection Association plc provides Business Owners and Credit Managers with a complete solution for all their overdue account recovery, credit management and cash flow control needs (“CPA”, “we”, “us”, “our”).
Our aim is to be recognised for ethical, effective, efficient and economic debt recovery for both large and small organisations throughout the UK.
Key Terms
• “Member” – any person or entity registered with us to use the services that we provide.
• “Parties associated with Members” – any person or entity that may be indebted to a Member, for example a Customer.
• “Supporter” – any entity or person who has registered as a Supporter and/or created a User account at www.payontime.co.uk.
• “Visitor” – any person, regardless of whether they are a Member, a Party associated with a Member or Supporter, who visits any of our websites.
• “Websites” – all websites we own and operate, for example https://cpa.co.uk.
• “Related Entities” – any entity that is wholly or partially owned by CPA or by the owners of CPA.
• “Personal Information” – any information that identifies or potentially identifies a Member, a Party associated with a Member, Supporter or Visitor. Examples of Personal Information include, but are not limited to, first and last name, birthdate, gender, email address and occupation.
• “you / your” – depending on the context, means either a Member, Supporter or Visitor.
Section 2 – Privacy for Members and Parties associated with Members
This section applies to the Personal Information we collect from Members or potential Members of CPA in providing our overdue account recovery and credit management services.
For the purposes of data protection, we are considered to be a data controller, although we primarily process on instruction from our Members.
Personal Information We Collect
The Personal Information we may collect or receive broadly falls into two categories:
In the course of becoming a Member:
• Your name and job title or those of other persons within your organisation.
• Contact information including email address and phone number.
• Demographic information such as postcode.
In the course of using our services:
• Name, address, contact details and value of overdue accounts owed to you. Specifically this information may include details for non-incorporated entities.
• Product usage data whenever you interact with our online portal, which may include dates and times of access, reports and services used.
We only collect the minimum amount of information needed to communicate with you and parties associated with you in order to provide a quality business service.
Use of Personal Information
We require this information to understand your needs and provide you with a better service and in particular for the following reasons:
• Internal record keeping and billing.
• Communications with parties associated with you regarding overdue accounts as instructed by you.
• Communications with you in providing our service, for example Monitoring Alerts.
• Communications with legal advisors/representatives on your behalf in providing our service, for example when instructing Litigation.
• Communications about your Membership or in providing Membership support.
• Providing secure access to our Members’ only website.
• To ensure compliance with our Membership Terms and Conditions, applicable law and to protect our rights, those of our Members and third parties.
• Improving our products and services.
• We may periodically send promotional material about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
• We may periodically send relevant industry news in the form of Newsletters using the email address which you have provided.
• From time to time, we may contact you for market research purposes by email, phone, fax or mail.
Sharing of Personal Information
Third Parties – we may share Personal Information with other data processors as part of our overdue account recovery process if a Member chooses to pursue matters further through legal action. CPA use third party legal firms that have all been vetted for GDPR compliance.
Related Entities – CPA may share relevant information with Related Entities to carry out their respective services or to improve their services to you.
Data Protection Rights
We are committed to the rights enshrined in the General Data Protection Regulations, namely:
• Right to access: the right to request copies of your personal information from us.
• Right to correct: the right to have your personal information rectified if it is inaccurate or incomplete.
• Right to erase or restrict our use of Personal Information: insofar as it does not conflict with our legal basis for processing Personal Information, the right to request that we remove your personal information from our systems or restrict or limit our use of your information.
• Right to data portability: the right to request that we move, copy or transfer your personal information.
• Right to object: the right to object to our use of your personal information including where we use it for our legitimate interests or where we use your personal information to carry out profiling to inform our market research and customer demographics.
Section 3 – Privacy for Supporters
About us
Payontime.co.uk is a UK website dedicated to providing a resource of information to help businesses get paid on time and to providing a community in which businesses that support prompt payment can engage with each other. The Data Controller for this website is CPA. Since August 2008 the site has no longer been run, funded or endorsed by the Government; therefore, no details will be forwarded to any Government Department or Agency.
Personal Information We Collect
The Personal Information we may collect depends on whether you register as a site User or Payontime Supporter. Supporter accounts are typically created for registered or incorporated entities though there may be accounts for sole traders or non-incorporated entities which in some instances may be considered as Personal Information.
User Registration requires your:
• Name.
• Email address.
Additionally, Payontime Supporter Registration requires your:
Mandatory:
• Company name
• Full business address including postcode
• Number of Employees
• Business Turnover
• Days to pay suppliers
• Business Sector/Industry
Optional:
• Job Title
• Phone Number
• Website URL
• Facebook Account URL
• Twitter Account URL
• LinkedIn URL
• Google+ URL
Information collected in the course of using the website
• Forum – any information posted in an article or comment in the Forum may be read, collected, and used by anyone. If Personal Information appears on the Forum and you want it removed, contact us as shown under Notifications and Contacts in Section 5. If we are unable to remove the information, we will tell you why.
• Logging data when you are logged in and interacting with the website, which may include dates and times of access, reports and services used.
We only collect the minimum amount of information needed to communicate with you and to properly display your support (in accordance with your preferences) for getting paid on time.
Use of the Personal Information you provide
The information collected through the website may be used for a number of reasons including:
• To provide, manage, maintain and secure the site.
• To send information for marketing purposes in accordance with your contact preferences.
• To respond to online enquiries and requests.
• To provide information on services that you have requested from us.
• To compile aggregated statistics about site usage.
• To carry out research and development to improve our products and services.
Any information you provide will be held securely and in accordance with the General Data Protection Regulations May 2016 and the Data Protection Bill May 2018.
• Right to access: the right to request copies of your personal information from us;
• Right to correct: the right to have your personal information rectified if it is inaccurate or incomplete;
• Right to erase: the right to request that we delete or remove your personal information from our systems;
• Right to restrict our use of your information: the right to ‘block’ us from using your personal information or limit the way in which we can use it;
• Right to data portability: the right to request that we move, copy or transfer your personal information;
• Right to object: the right to object to our use of your personal information including where we use it for our legitimate interests or where we use your personal information to carry out profiling to inform our market research and customer demographics.
We are also committed to the principles of “data minimisation”. If your account has not been used within a period of 12 months, it will be deleted. We may send you a notice of pending deletion three weeks prior to give you the opportunity to take appropriate action if your account is still required.
Facebook Pixel and Web Beacons:
The Facebook pixel is an analytics tool that helps us to measure the effectiveness of our advertising by understanding the actions taken by visitors on our website. Pixel data is used to:
• Make sure our ads are being shown to the right people.
• Build advertising audiences.
• Unlock other Facebook advertising tools.
This data is aggregated and held by Facebook. No Personal Information is held on a CPA site.
A web beacon is a means of tracking certain behaviour when sending promotional emails, such as whether an email was delivered, opened or links therein clicked. This information is used to measure the performance of our promotions.
Section 4 – Privacy for Visitors
This section sets out how we use and protect any information that you give us when you use our websites, request one of our free guides or subscribe to our newsletter.
Personal Information We Collect
We may collect the following information:
• Name and job title
• Contact information including email address
• Demographic information such as postcode, preferences, and interests
• Other information relevant to customer surveys and/or offers
Use of the Personal Information
We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:
• Internal record keeping.
• We may use the information to improve our products and services.
• We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
• From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail.
• We may use the information to customise the website according to your interests.
Third Party Processors
Our carefully selected partners and service providers may process personal information about you on our behalf as described below:
1) Digital Marketing Service Providers
We periodically appoint digital marketing agents to conduct marketing activity on our behalf; such activity may result in the compliant processing of personal information. No personal data collected from our clients would be shared with our digital marketing agents. We only use marketing data obtained from GDPR compliant marketing data providers. Our appointed data processors include:
Section 5 – General Information
Legal Basis for Processing Personal Information
• Legitimate Interest – processing of personal data in the course of carrying out our duties as debt collection agents.
• Consent – you have granted consent by completing a form on our website to subscribe to or request a download or other information about our services.
• Agreement – processing is necessary for the execution of an agreement to which you are a party. This applies when the processing is necessary for the execution of a contract, for example an employment contract or a membership/sales contract.
• Legal Obligation – data processing is necessary to fulfil a legal obligation.
Security and Retention of Data
We are committed to ensuring that your information is secure by taking appropriate and reasonable technical and organisational measures to protect Personal Information from loss, misuse, unauthorised access, disclosure, alteration or destruction. In this regard we will not hold your personal information for any longer than is reasonable. Specifically:
• For non-member enquiries we will keep your information on our system until you request that it be removed. If you do not respond to our communications within a 12-month period we will assume that you no longer require our services and we will delete you from our database.
• We retain Personal Information where we have an ongoing legitimate business or legal need to do so. Our retention periods will vary depending on the type of data involved, but, generally, we’ll refer to these criteria in order to determine the retention period. For active Members, we will keep the minimal amount of personal information required by us to provide you with a quality service. For inactive Members, we keep the accounting records for a period of seven years in accordance with HMRC guidelines, after which your details will be either anonymised or removed from our systems and all paper records destroyed by an authorised agent.
We will never knowingly share or transfer your information to a third party without having your explicit consent.
Making a data subject access request
CPA recognise the right of access provisions under the GDPR which allow you to request a copy of any personal information that we may be processing which is relevant to you. We have provided a template for you to use which will help us to respond to your request. Whilst use of the template is optional, the same details are still required for us to locate your information effectively.
All applications must be in writing to the Data Privacy Manager at the postal or email address shown below.
There is no fee for this service but please allow one month from the date of receipt for us to reply. If the request is more complex or involves a greater degree of difficulty, we will inform you if extra time is required. Please note we reserve the right to limit requests from the same individual or group so we can adequately service existing claims.
What to provide when making a request:
We require proof of identification before any information is released. This can be done by attending our head office in person with an appropriate photo ID (e.g. driver licence) and proof of address (e.g. utility bill). If you are unable to attend our office, we will accept copies of these documents by mail or email using the details above.
Download Subject Access Request template
Your Preferences
Visitors who have opted into our promotional or marketing emails can opt out of receiving such emails from us at any time by clicking the “unsubscribe” link at the bottom of our marketing messages. Such opt-out requests can also be made in writing as shown in the Notifications and Contact section below.
Notifications and Contact
If we suffer a data breach or information is disclosed to an unauthorised organisation or individual we will notify you and the relevant authorities within a 72-hour period.
Data Privacy Manager
The Credit Protection Association Plc
CPA House
350 Kings Street
London W6 0RX.
In all correspondence please stipulate the nature of your enquiry.