Privacy Notice and Cookies Policy

Introduction

This notice sets out how personal information will be held by Credit Resource Solutions Ltd (CRS).

CRS operates a fully managed debt recovery service, designed for creditor clients across financial services, retail, energy, water, telco and other sectors; providing solutions which support them in managing debt collections, recoveries, debt sale and insolvency in order to optimise the recovery of money owed while improving their customer outcomes and experience. CRS is regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct debt-collection. In addition, CRS also purchase debts and collect those debts for their own account and benefit.

CRS is both a “controller” of your personal data, meaning in some situations we make decisions about how and why we process your personal data, and a “processor”, meaning that in other situations we process your data upon the instructions and under the direction of a client business who is a controller of your personal data. As a Controller, CRS is responsible for making sure that where it processes data as a Controller, that processing is in accordance with data protection laws.

This Privacy Notice and Cookies Policy explains:

• Who we are and how to contact us.
• The types of personal data we collect and from where.
• What we do with your personal data and why.
• Who we share your personal data with.
• Where is Personal Data Stored and sent.
• How we safeguard your personal data.
• How and why we collect and use your personal data; and
• The rights and choices you have when it comes to your personal data.

If you have any questions about the topics set out in this Privacy Notice, or want more details about how we may use your personal information, you can contact us using the following e-mail address: mailto:contact@creditresourcesolutions.co.uk

For the purposes of this Privacy Notice, 'Data Protection Law' means the EU General Data Protection Regulation as it forms part of retained EU law in the UK (referred to throughout this Privacy Notice as the UK GDPR), the UK Data Protection Act 2018 and any other applicable national privacy legislation and guidance issued by data protection regulators.

1. Who we are and how to contact us.

Name: Credit Resource Solutions Limited
Address: Second Floor, G Mill, Dean Clough HX3 5AX
Phone Number: 01422 324510

We have a dedicated Data Protection Office who can be contacted at:

Compliance@creditresourcesolutions.co.uk

If you wish to make a request or a complaint please contact us at:

The Compliance Department, Second Floor, G Mill, Dean Clough, Halifax, HX3 5AX

Tel: 01422 324510

Email: Compliance@creditresourcesolutions.co.uk

You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s address: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Helpline number: 0303 123 1113

2. Personal Data we collect and/or process and from where

Information you may provide to us

You may provide personal data to us directly:

• You may provide information to CRS via telephone, web chat, email or post.
• By visiting our website and completing forms on our website.
• When you submit a complaint about CRS’s services.
• If you contact us by telephone. We may monitor/record calls for training and quality purposes.
• In e-mails and letters.

In addition we will obtain information from other sources as set out below:

Where we act for clients and undertake DEBT RECOVERY SERVICES we act as a Data Processor and collect and process the following information on behalf of those clients:

Category	Type of personal data	Where it's collected from
Debt Account Information	Information relating to a customer arising from the creation of accounts for a loan, products or service or other financial accounts and products (a “Case”). Examples of accounts may include utility bills, telecom bills, Buy now, pay later accounts and others. Name Date of birth (DOB) Address history Telephone number Outstanding debt balance Payment history Information about specific vulnerabilities (which might include information about your health, wellbeing and personal circumstances that might be relevant to the management of a Case – see below where we explain how we process Special Category Data). Employment status and Employer National Insurance Number (In some instances)	Creditor clients and customers as part of the Debt Management Process
Credit Reference Agency	Information we obtain from Credit Reference Agencies to assist in the recoveries management process. Examples may include: Contact Information (e.g telephone number and email address) Current and previous address information Scores and characteristics in relation to your: Credit status: to understand how you have managed your credit payments in the past Affordability: to understand if you can afford the repayments Insolvency: to understand if you have ever been declared bankrupt, have an IVA or CCJ in place See the https://www.transunion.co.uk/legal/privacy-centre/pc-credit-reference section 2(d) and 3 for full details.	Equifax Limited Experian Limited TransUnion Limited

Where we undertake DEBT SALE AND RECOVERY activities we act as a Data Controller and collect and process the following information:

Information type	Description	Source
Debt Account	Information relating to a customer arising from the creation of accounts for a loan, products or service or other financial accounts and products (a “Case”). Examples of accounts may include utility bills, telecom bills, Buy now, pay later accounts and others. Name Date of birth (DOB) Address history Outstanding debt balance Payment history Information about specific vulnerabilities (which might include information about your health, wellbeing and personal circumstances that might be relevant to the management of a Case – see below where we explain how we process Special Category Data). Employment status and Employer National Insurance Number (In some instances)	Creditors who sell and lawfully assign their debts to us.
Credit Reference Agency	Information we obtain from Credit Reference Agencies to assist in the recoveries management process. See the https://www.transunion.co.uk/legal/privacy-centre/pc-credit-reference for full details.	TransUnion Limited Equifax Limited Experian Limited

Special Category Data

Certain types of data are referred to as ‘special category data’ and we are required to treat this data even more carefully. Indeed, we are prohibited from dealing with (referred to as ‘processing’) that type of data unless one of the six lawful bases for processing data exists and one of the ten exceptions set out in Article 9(2) of the UK GDPR apply. One of those exceptions is that you (the data subject) has given explicit consent to the processing of that personal data for one or more specified purposes.

Article 9(1) of the UK GDPR states that special category data is information that reveals a person’s ‘racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.

In certain limited circumstances CRS will ask you if you consent to the processing of the following special category data about you:

Physical and Mental Health Information linked to an assessment of your vulnerability as a debtor in accordance with CRS’s Vulnerability Management Policy and the requirements of Section 139A of the Financial Services and Markets Act 2000 the FCA guidance found at https://www.fca.org.uk/publication/finalised-guidance/fg21-1.pdf. This processing is necessary to ensure we can assess your ability to make repayments effectively and fairly and any identified vulnerability that might affect that, is identified.

This Processing is strictly limited to the requirements stated above and access to Special Category Data is restricted within our systems. No Special category data is shared with any third party and this data is retained in accordance with our retention policy.

We have analysed our potential use of this special category data and have concluded that we cannot fully and effectively provide our services to you in a way that fully complies with our legal obligations unless we process this special category data in the manner set out above. For that reason, we regard the processing as necessary, targeted and proportionate for this specific purpose. You can however refuse to provide consent and in those circumstances we can only undertake limited processing without using this data but we will be unable to fully assess factors that might otherwise influence decisions relating your vulnerability, your ability to repay a debt and steps we might take that include forbearance and or offering breathing space.

You will be asked to provide your consent in a telephone conversation and if you answer positively, a note will be placed on your file to that effect. Flags will be noted on our systems indicating a category of vulnerability in accordance with our Vulnerable Customer Policy.

You have the right to withdraw your consent for us to process this information at any time. Should you wish to do this you should contact our dedicated Data Protection Office who can be contacted at: Compliance@creditresourcesolutions.co.uk

3. WHAT DO WE DO WITH YOUR PERSONAL DATA AND WHY?

We process your personal data for particular purposes in connection with:

• Debt management and recovery;
• Debt sale and recovery; and
• The management and administration of our business.

We are required by law to always have a ‘lawful basis’ (meaning a reason or justification) for processing your personal data. There are a number of lawful basis set out in data protection law but we consider the following to be most relevant to our processing of your personal data:

• The processing is necessary to comply with a legal obligation (“Legal Obligation”)
• The processing is necessary for the purposes of legitimate interests pursued by us or third party, and these are not overridden by your interests or fundamental rights (“Legitimate Interest”)
• The processing is on the basis of your consent (“Consent”)

The table below sets out the purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.

Purpose of Processing	Consent	Legal Obligation	Legitimate Interest
Debt Recoveries Management CRS undertakes debt management services for clients and on its own behalf in relation to purchased debts. We require your information in order to carry out debt collection activities on behalf of our clients. This includes: Locating your account on our system. Verifying your identity using the information we hold to ensure this information is accurate and up-to-date. Assessing affordability to ensure payment arrangements are affordable and sustainable. Processing payments made by you or third parties. Dealing with queries and disputes. Taking legal action to enforce any judgement we obtain via our third party solicitor. Compliance with any legal or regulatory obligation applicable to us. We may check your credit file to ensure the information we hold on our systems is accurate and up to date. This is known as a ‘soft footprint’ which does not affect your credit score. CRS uses various data sets (explained in section 2) to understand a consumer's financial position and to support any future repayment plans.			✔ Supporting debtor tracing and debt collection activity.
Debt Sale and Recovery CRS purchases debt files from debt sellers in order to take steps to collect that debt in accordance with CRS’s Debt Recoveries Process. This involves an analysis of that debt and the customers involved as well as the processing of data to support the debt collection process described above. In addition to the activities listed above, where an original creditor legally sells/assigns your debt to CRS, you will receive a Notice of Assignment explaining the transfer of the creditor rights and responsibilities moving forward. CRS will act as a Data Controller in such cases. Where relevant, we will use your data to make regular and accurate updates to the credit bureau to reflect the status of your account			✔ Supporting analysis of debt books and subsequent recovery of the debts.
Data Loading, Matching and Linking Data supplied to CRS is checked for integrity, validity, consistency, quality and age to help make sure it is suitable for its intended us. Data supplied to CRS is matched to existing databases to help make sure we are dealing with the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. Where permitted, CRS uses the personal data individuals have provided to its clients, together with data from other sources to confirm identities, as part of the services CRS provide. As CRS compiles data into its databases, links are created between different pieces of data. For example, individuals who appear financially associated with each other may be linked together, and addresses where someone has previously lived can be linked to each other and to that person’s current address.			✔ We have a regulatory responsibility to ensure that data is accurate and this helps us more effectively carry out services for clients and ourselves, whilst managing the interests of customers.
Data may be used to help support the development and testing of new products and technologies including AI applications and tools.			✔ This improves the quality of the service we offer to clients and customers.
Data may be used by company managed AI applications to generate correspondence relating to the debt management process and complaints.			✔ This improves the quality of the service we offer to clients and customers and it is in our mutual interests to respond
Using your Contact Information to respond to your enquiries and/or complaints			✔ It is in our mutual interest to respond.
Using any relevant personal data to establish and enforce our legal rights or to comply with a court order, law enforcement requirement (or other legally mandated request) or legal obligation.		✔ This is necessary to ensure we comply with our legal obligations.
Utilising limited Special Category data in order to assess your vulnerability in accordance with CRS’s Vulnerability Management Policy, the requirements of Section 139A of the Financial Services and Markets Act 2000 and the FCA guidance found at https://www.fca.org.uk/publication/finalised-guidance/fg21-1.pdf This processing is necessary to ensure we can assess your ability to make repayments effectively and fairly and any identified vulnerability that might affect that, is identified.	✔ See details in Section 2 above

We may also convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable (thereby creating anonymized data). Anonymized data is not personal data and we may use such data to conduct research and analysis, including to produce statistical research and reports, for example, to help us understand and improve our products and services.

DOES CRS MAKE DECISIONS ABOUT ME OR PROFILE ME?

Scores/Profiling - CRS uses automated scoring and profiling to better understand you as a consumer, your circumstances, and your financial position, including what might impact your ability to pay off debt. Scoring and profiling is based on a multitude of factors including your payment history, location, any barriers to debt repayment (including vulnerability), and reasons why your account is in default.

Debt Collecting Decisions - In relation to scoring and profiling, automated decisions will be made in consultation with our clients regarding how best to engage with you. We also consider the best method of communication with you, what type of contact should be made, and how frequently.

4. WHO DOES CRS SHARE PERSONAL DATA WITH?

This section describes the types of recipient CRS share data with. We operate our own access control processes. For example, before we share data with any another organisation, we check that organisation’s identity and, where applicable, to confirm where it is registered with regulators.

The details of organisations who CRS currently share personal with can are as follows:

• Credit Reference Agencies and other data providers: CRS shares debt account information with Credit References Agencies and other data providers to validate and append additional information related to an individual’s debt account.
• Creditor Clients: CRS works with creditors in order to collect outstanding debts from customers.
• Insolvency Practitioners and Trustees: CRS receives requests from Insolvency Practitioners and Trustees to assist consumers in managing debt. Through your authorization, CRS works with these entities to help consumers manage debt.
• Debt Sellers: CRS purchases debt books from seller organisations and then takes steps to recover those debts.
• Public bodies, law enforcement and regulators
  The police and other law enforcement agencies, as well as public bodies like local and central authorities and CRS’s regulators, can sometimes request us to supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax, investigating complaints or assessing how well a particular industry sector is working.
• Third Party Processors: CRS uses other organisations to perform tasks on its behalf (for example, IT service providers and call centre providers). Many of these services are provided by companies within the COEO group of companies, of which CRS is a part.. Examples include:​
  
  Legal Services: CRS works with a single legal services provider in order to undertake legal action in order to facilitate the repayment of debt. All these agencies operate and retain data within the UK.
  
  IT/AI Services: CRS works with its sister company cAI Technologies (UK) Ltd who provides IT and AI support services.
  
  Tracing Companies CRS works with selected tracing companies from time to time in order to locate customers as part of the debt collection process.
  
  Printing and Mailing companies: CRS engages selected third party, specialist printing and mailing contractors in order to facilitate the issuing of printed correspondence as part of the debt collection process.
  
  IT and confidential waste disposal services: CRS engages selected third party, specialist collection and disposal contractors in order to comply with our legal obligations relating to disposal of electrical equipment and secure disposal and deletion of data.

CRS uses other trusted organisations to perform tasks on its behalf for the following services:

Service Category	Country(s) of Operation (See section 6. for more information on CRS overseas processing)
Legal Services - AJJB Law Limited, Second Floor, G Mill, Dean Clough HX3 5AXE-mail: contact@ajjblaw.co.uk	UK
Telephony/IT infrastructure and operations software support: Talkdesk Inc 120 Hawthorne Ave Palo Alto, CA 94301.	UK, EEA, US and Philippines.
IT back office business process software support – cAI Technologies (UK) Ltd	UK
Tracing Companies	UK
Printing and mailing house services	UK
Confidential Waste Services	UK

In addition to the above, CRS has service arrangements in place with auditors, consulting and professional service providers. A full list of all these parties is available on request.

Individuals

People are entitled to obtain copies of the personal data CRS holds about them. You can find out how to do this in Section 8 below.

5. WHERE IS PERSONAL DATA STORED AND SENT?

CRS is based in the UK, and keep their main databases there. All information and personal data held by CRS is stored on encrypted services at a secure physical location (whether these be our own servers or those of cloud service providers that we use). CRS also has internal policies and controls in place to ensure that personal data is kept secure as well as to minimise the risk of any personal data being lost, misused, disclosed or accidently destroyed.

CRS also has operations elsewhere inside and outside the European Economic Area, and personal data may be accessed by or transferred to CRS companies or service providers. In both cases, the personal data use in those locations is protected by European data protection standards.

Details of the main processors CRS use and where they operate can be found above in Section 4.

While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when CRS does send personal data overseas we will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. To do this CRS:

• ensures third parties have entered into contractual duty of confidentiality with CRS;
• third parties are obliged to implement appropriate technical and organisational measures to ensure the security of personal data;
• put in place a contract with the recipient containing mandatory terms approved by the European Commission as providing a suitable level of protection for personal data. These are commonly referred to as Standard Contractual Clauses or ‘EU Model Clauses’.

6. HOW DO WE SAFEGUARD YOUR PERSONAL DATA ?

CRS is committed to protecting the security of your personal data and implementing appropriate technical and organisational measures taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of you, as an individual.

In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure personal information. Credit Resource Solutions are ISO27001 certified which is an international management standard that provides a proven framework for managing information security.

7. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We will only retain your personal data for as long as is necessary to fulfil the purpose for which the data was received or to comply with applicable legislation, regulatory requests, and relevant orders from competent courts.

For example, we will typically retain personal data in relation to the management of a debt, for so long as they receive those services and for a period of up to 6 years following closure of a debt account.

In some cases, it may be necessary for us to retain your personal data for different periods. The factors that direct how long we will retain personal data include the following:

• any laws or regulations that we are required to follow;
• whether we are in a legal or other type of dispute with each other or any third party
• the type of information held about you; and
• whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.

For more information regarding our retention periods, please contact us at Compliance@creditresourcesolutions.co.uk

Archived data

CRS holds data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence or legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.

8. WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA?

Data protection law provides you with a number of rights in relation to your personal data (which are summarized below). You can exercise these rights by contacting us in accordance with section 1 above.

Subject to the requirements of applicable laws and certain limitations or exemption, you have the right to:

• access your personal data and be provided with certain information in relation to it, such as the purpose for which it is processed;
• require us to correct any inaccuracies in your personal data without undue delay;
• require us to erase your personal data (please be aware that the right of erasure under data protection law is not an absolute right as it only applies in relation to one or more specific circumstances);
• require us to restrict the processing of your personal data;
• receive the personal data which you have provided to us in a machine readable format, where we are processing it on the basis consent or to comply with a contract with you (please see the above tables) and such processing is automated; and
• object to a decision that we make which is based solely on automated processing of your personal data.

WHAT CAN I DO IF I WANT TO SEE THE PERSONAL DATA HELD ABOUT ME?

You are entitled to see the personal data CRS holds on you free of charge. In instances where you request a copy of your information from us, if we are processing on behalf of a client we will identify the affected organisation(s) and will forward the request to them on your behalf.

To submit a subject access request on personal data we hold on you when we are the data controller, please contact us at DSAR@CRSgroup.com.

If you require a copy of your personal data in a format such as braille or audio, please use one of the contact channels detailed in Section 1 above to make your request.

WHAT CAN I DO IF I BELIEVE MY PERSONAL DATA IS INACCURATE?

When CRS receives personal data, we perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, we can often only rely on our suppliers or clients to provide accurate data.

If you think that any personal data CRS holds about you is wrong or incomplete, you have the right to challenge it. Please note, when acting as a data processor CRS won’t have the right to change the data without permission from the organisation that supplied it, so we will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy.

If you’d like to do this, please use one of the contact channels detailed in Section 1 above.

CAN I OBJECT TO CRS USE OF MY PERSONAL DATA AND HAVE IT DELETED?

This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be deleted, in connection with the above activities. To understand these rights and how they apply to the processing of personal data, it’s important to know that the CRS holds and process personal information for the above activities under the Legitimate Interests ground for processing (see Section 3 above for more information about this), and doesn’t rely on consent for this processing.

You have the right to submit an objection about the processing of your personal data to CRS where it is a data controller. If you want to do this, please use one of the contact channels detailed in Section 1 above.

Whilst you have complete freedom to contact CRS with your objection at any time, please note that under the General Data Protection Regulation (“GDPR”), your right to object doesn’t automatically lead to a requirement for processing to stop, or for personal data to be deleted, in all cases.

CAN I RESTRICT WHAT CRS DOES WITH MY PERSONAL DATA?

In some circumstances, you can ask CRS to restrict how we use your personal data. Your rights are set out at Article 18 of the GDPR. You can find the contact details for CRS in section 1 above.

This is not an absolute right, and your personal data may still be processed where certain grounds exist. This is:

• With your consent;
• For the establishment, exercise, or defence of legal claims;
• For the protection of the rights of another natural or legal person;
• For reasons of important public interest.

Only one of these grounds needs to be demonstrated to continue data processing.

CRS will consider and respond to requests we receive, including assessing the applicability

This section tells you what personal data we may collect from you when you use our services, and what other personal data we may receive from other sources. The basis on which we use your personal data is also outlined below.

Your right of data portability

In certain instances, you have a right to receive any personal data that we hold about you in a structured, commonly used, and machine-readable format. You can ask us to transmit that data to you or directly to a third-party organisation.

This right exists only in respect of personal data that:

          (a) you have provided to us previously; and

          (b) is processed by us using automated means.

While we are happy for such requests to be made, we are not able to guarantee technical compatibility with a third-party organisation's systems. We are also unable to comply with requests that relate to personal data of others without their consent.

9. Other Matters

Links to third party sites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Updates to this Notice

CRS Ltd may at any time revise this Privacy Notice by updating this posting on its website.

How we use cookies

A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system. Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website