Privacy Notice
We take your privacy very seriously. Please read this privacy notice carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or the UK data protection authority (the Information Commissioner’s Office or the ICO) in the event you have a complaint.
We collect, use and are responsible for certain personal data about you. When we do so we are subject to data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
It is important that you read this privacy notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your personal data. This privacy notice supplements the other notices and is not intended to override them.
Should you wish to obtain an electronic or hard copy of this notice, please contact us (see below: ‘[How to contact us]’).
Our Website (as defined below) is not intended for children and we do not knowingly collect data relating to children.
Who we are
West 28th Street Limited’s principal business is acquiring, financing and prosecuting claims relating to a business that is insolvent, facing a restructuring or closure. We are a ‘controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data. To contact us, please see below ‘[How to contact us]’.
Key Terms
The following are some key terms used in this privacy notice and an explanation of what those key terms mean:
|
we, us, our
|
means West 28th Street Limited, a company incorporated in England and Wales with company number: 13231491 |
|
our Website |
means www.west28th.co.uk |
|
personal data |
means any information relating to an identified or identifiable individual |
|
special category personal data |
means data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic and biometric data (when processed to uniquely identify an individual) and data concerning health, sex life or sexual orientation |
Personal data we collect and use
The type of personal data we collect depends on our relationship with you and the method by which we collect the personal data.
The table below sets out the personal data we may collect about you.
Identity personal data | Name |
Title | |
Account numbers/similar identifier | |
Date of birth, if we ask for this or you choose to give this to us | |
Gender or pronouns, if you choose to give this to us | |
Marital status, if we ask for this or you choose to give this to us | |
| Job title |
| Name of your employer or the organisation you represent |
| Employment information |
| National insurance number |
Contact personal data | Work/personal email address |
Work/home address | |
Work/home telephone number(s) (landline and/or mobile) | |
Contract personal data | Information relating to your contract(s) with us |
Financial personal data | Information relating to your loan/debt |
| Information to enable us to undertake credit and other financial checks on you |
Technical personal data | Information from when you visit our Website, including your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Website |
Website Enquiry personal data | This includes information you provide when you fill in forms on our Website |
Other personal data
| Information we ask for or that you volunteer to us when you correspond with us by email, post, telephone or text, in person, or via our Website or information from social media accounts when interacting with us via a personal profile (e.g. Facebook, Instagram, Twitter or LinkedIn) |
We collect and use this personal data for the purposes described in the section: ‘[How and why we use your personal data]’ and ‘[How and why we use special category personal data]’ (see below).
If you do not provide personal data
For customers who are individuals (this includes sole traders and traditional/unlimited partnerships), where we need to collect personal data to enter into a contract with you and you fail to provide that data when requested, we may not be able to enter the contract with you. This personal data may include your name and contact details.
How your personal data is collected
We collect most of your personal data directly from you – in person, by telephone, text or email and/or via our Website. However, we may also collect information:
- From publicly accessible sources, e.g., Companies House.
- Directly from a third party, e.g.,
- credit reference agencies such as Experian.
- an assignor of your loan/debt.
- an employee or representative of the organisation you represent.
How and why we use your personal data
Under data protection law, we can only use your personal data if we have a proper reason (i.e. a lawful basis) for doing so, e.g.:
- to comply with our legal and regulatory obligations.
- for the performance of our contract with you or to take steps at your request before entering into a contract.
- for our legitimate interests or those of a third party.
- where you have given consent.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
What we use your personal data for
The table below explains what we use your personal data for, how we use your personal data, our lawful basis for doing so and the categories of personal data we use.
|
For other individuals who represent organisations with whom we have contracts e.g. suppliers – for corresponding with you and for taking steps under the contract with your organisation |
We will collect your personal data and use it to correspond with you about the contract involving the organisation you represent. We will store your personal data on our IT systems and destroy it in accordance with our data retention and other business policies |
Necessary for the legitimate interests of the organisation you represent and our legitimate interests e.g. to manage and take steps under the contract with your organisation: Article 6(1)(f) UK GDPR |
Identity personal data
Contact personal data
Other personal data |
|
To undertake credit reference checks via external credit reference agencies |
We will collect your personal data and pass it to external credit reference agencies for the purposes of a credit reference check |
Necessary for protecting our legitimate interests: Article 6(1)(f) UK GDPR |
Identity personal data Contact personal data Financial personal data Other personal data
|
|
To manage our relationship with you or the organisation which you represent, which may include (where appropriate) notifying you about changes to our terms of business or privacy notice |
We will use your personal data to correspond with you where appropriate
|
Necessary for our legitimate interests i.e. to manage our relationship with you or the organisation you represent, and to analyse and improve the services we offer: Article 6(1)(f) UK GDPR |
Identity personal data
Contact personal data
Contract personal data
Financial personal data |
|
To prevent and detect fraud against you or us |
We will check and monitor the security of our email and IT systems which hold your personal data and undertake other verification checks of your personal data (as necessary) |
Necessary for your and our legitimate interests i.e. to minimise fraud that could be damaging for us and for you: Article 6(1)(f) UK GDPR |
Potentially any personal data held |
|
For audits, enquiries or investigations by regulatory bodies (e.g. the Information Commissioner’s Office) or law enforcement agencies |
We will extract your personal data from our IT systems and disclose it as required by law or further to a court order |
Necessary for compliance with a legal obligation to which we are subject (e.g. data protection law or a court order): Article 6(1)(c) UK GDPR |
Potentially any data held |
|
To ensure our business policies are adhered to e.g. policies covering security |
We will check our use of your personal data against our business policies |
Necessary for our legitimate interests i.e. to make sure we are following our own internal procedures so we can deliver the best service we are able to: Article 6(1)(f) UK GDPR |
Potentially any personal data held |
|
To ensure the confidentiality of commercially sensitive information |
We will put in place reasonable and appropriate security measures to protect the integrity of our systems that hold your personal data |
Necessary for our legitimate interests i.e. to protect trade secrets and other commercially valuable information: Article 6(1)(f) UK GDPR |
Potentially any personal data held |
|
To prevent unauthorised access and modifications to our systems |
We will put in place reasonable and appropriate security measures to protect the integrity of our systems that hold your personal data |
Necessary for compliance with a legal obligation to which we are subject (e.g. data protection law): Article 6(1)(c) UK GDPR Necessary for our legitimate interests or those of a third party i.e. to prevent and detect criminal activity that could be damaging for us and for you: Article 6(1)(f) UK GDPR |
Potentially any personal data held |
|
To update and maintain our customer and supplier records |
We will enter and hold your personal data in the relevant parts of our IT systems and we may hold your personal data in manual records |
Necessary to take steps at your request before entering into a contract with you: Article 6(1)(b) UK GDPR Necessary for compliance with a legal obligation to which we are subject (e.g. data protection law): Article 6(1)(c) UK GDPR Necessary for our legitimate interests or those of a third party i.e. to make sure we can keep in touch with you where necessary: Article 6(1)(f) UK GDPR |
Potentially any personal data held |
|
For staff management, training and administration |
We will access and use your personal data held in our IT systems and may use it in emails between our staff and for training purposes |
Necessary for our legitimate interests i.e. to make sure we are following our own internal procedures and working efficiently so we can deliver the best service that we are able to: Article 6(1)(f) UK GDPR |
Potentially any personal data held |
|
To deal with complaints or legal claims against or brought by us |
We will review your personal data in our IT systems and may collect other information relevant to the complaint/legal claim. We will review any information collected and assess the merits of any complaint or legal claim. We may also communicate with third parties as necessary to seek advice/representation and/or in connection with legal or prospective legal proceedings. Any personal data collected will be stored in our IT systems and destroyed in accordance with our data retention and other business policies |
Necessary for our legitimate interests i.e. to ensure that we are able to respond to any complaints or legal claims made against us: Article 6(1)(f) UK GDPR |
Potentially any personal data held |
|
For the external audit of our accounts |
We will provide access to such personal data held in our IT systems as is required by our auditors in connection with their audit of financial transactions |
Necessary for compliance with a legal obligation to which we are subject (section 475 Companies Act 2006): Article 6(1)(c) UK GDPR
|
As required by our auditors in connection with the statutory audit of our accounts |
|
To administer and protect our business and our Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) |
We will use your personal data held in our IT systems |
Necessary for our legitimate interests e.g. for running our business, network security and to prevent fraud: Article 6(1)(f) UK GDPR Necessary for compliance with a legal obligation to which we are subject (e.g. data protection law): Article 6(1)(c) UK GDPR |
Potentially any personal data held |
|
For recording and/or reporting accidents at our premises or connected with our services or business |
We will use any personal data collected to (where appropriate) deliver first aid, call the emergency services and record/report the accident. Any personal data collected will be stored in our IT systems and destroyed in accordance with our data retention and other business policies |
Necessary for compliance with a legal obligation to which we are subject (e.g. health and safety legislation): Article 6(1)(c) UK GDPR |
Identity personal data
Other personal data |
|
To provide personal data to other third parties that have or may acquire control or ownership of our business or part of our business (and our or their professional advisers) in connection with a corporate transaction or restructuring, including a merger, acquisition or asset sale or in the event of our insolvency |
We will extract your personal data from our T systems and disclose it as necessary |
Necessary for your and our legitimate interests (e.g. to ensure continuity of our business and services): Article 6(1)(f) UK GDPR |
Potentially any personal data held
Where possible information will be anonymised during a transaction and until completion of the transaction but this may not always be possible |
How and why we use special category personal data
Under data protection law, we can only use special category data where:
- we have a proper reason for doing so (see above: ‘[How and why we use your personal data]’); and
- one of the number of potential ‘grounds’ for using special category data set out in data protection law applies to our use.
There are a number of potential grounds for using special category personal data under data protection law.
Generally, where we use special category personal data, we will do so on the grounds that this is necessary for establishing, exercising or defending legal claims. This includes using special category personal data, where necessary, for:
- actual or prospective court proceedings;
- obtaining legal advice; or
- establishing, exercising or defending legal rights in any other way.
Where this does not apply, we will only process special category personal data where processing is necessary for reasons of substantial public interest or with your explicit consent.
Where we rely on consent as a lawful basis to process your personal data, you have the right to withdraw your consent at any time. To do this, please telephone, email or write to us (see below: ‘[How to contact us]’).
Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law.
Who we share your personal data with
Depending on the circumstances, we may share your personal data with:
|
Category of recipient |
Further details of recipients |
Use by recipient |
Relevant categories of personal data that may be shared with the recipient (depending on service provided/reason for sharing) |
|
Third parties where necessary to recover debts and to take legal action |
Professional advisers e.g. solicitors and collection agencies |
For assisting, advising and representing us as necessary |
Potentially any personal data held |
|
Our insurers, brokers and professional advisers in the event of a complaint or legal claim against us or where we require external advice or assistance |
Professional advisers e.g. solicitors, barristers, IT specialists |
For assisting, advising and representing us as necessary |
Potentially any personal data held |
|
Credit check provider
|
Experian |
To provide the results of a credit check search |
Identity personal data Contact personal data Financial personal data
|
|
External auditors |
Auditors of our accounts |
For the audit of our financial and other records |
As required by our auditors in connection with our audit (see above: ‘[What we use your personal data for]’) |
|
External IT service providers |
e.g. website hosting provider
|
For providing the relevant IT service to us |
Identity personal data Contact personal data Contract personal data Financial personal data Technical personal data Website Enquiry personal data Other personal data |
|
Law enforcement/regulatory agencies/emergency services |
e.g. the Information Commissioner’s Office |
For their investigations |
Potentially any personal data held |
|
Other parties that have or may acquire control or ownership of our business or part of our business (and our or their professional advisers) in connection with a corporate transaction or restructuring, including a merger, acquisition or asset sale or in the event of our insolvency |
|
|
Potentially any personal data held Where possible information will be anonymised during a transaction and until completion of the transaction but this may not always be possible |
We only allow our service providers (who are processors of your personal data) to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on those service providers to ensure they can only use your personal data to provide services to us. Other recipients, such as our professional advisers who are controllers of your personal data due to the nature of the services they provide are bound by confidentiality obligations.
How long your personal data will be kept
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including;
- to respond to any questions, complaints or claims made by you;
- to show that we treated you fairly; and
- to keep records required by law to comply with our legal and regulatory obligations.
We will not retain your data for longer than necessary for the purposes set out in this privacy notice. Different retention periods apply for different types of personal data. For debt matters, generally we will not keep personal data for longer than seven years, although in certain circumstances this may be extended to thirteen years.
Transferring your personal data outside of the UK
It is sometimes necessary for us to share your personal data outside the UK e.g. with our service providers located outside the UK (see above: ‘[Who we share your personal data with]’). If this is necessary, we will ensure the transfer complies with relevant data protection law by ensuring that e.g.:
- the country to which the personal data is being transferred is subject to an adequacy regulation further to Article 45 of the UK GDPR i.e. it has been decided by the UK government that the particular country ensures an adequate level of protection of personal data;
- the transfer is necessary for the performance of a contract between you and us further to Article 49 of the UK GDPR;
- the transfer is necessary to establish, exercise or defend legal claims further to Article 49 of the UK GDPR;
- there are appropriate safeguards in place between us and the organisation receiving it together with enforceable rights and effective legal remedies for you (e.g. by the use of approved data protection contractual terms); or
- you have provided explicit consent to the proposed transfer after being informed of any potential risks under Article 49 of the UK GDPR.
Please contact us (see below: ‘[How to contact us]’) if you want further information on the specific mechanism used by us when transferring your personal data outside of the UK.
Your rights
You have the following rights, which you can exercise free of charge:
Access | The right to be provided with a copy of your personal data |
Rectification | The right to require us to correct any mistakes in your personal data |
Erasure (also known as the right to be forgotten) | In certain situations, the right to require us to delete your personal data |
Restriction of processing | In certain situations, the right to require us to restrict processing of your personal data e.g. if you contest the accuracy of the data. You can ask us to stop processing the personal data whilst we look into the accuracy issues |
Data portability | In certain situations, the right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party |
To object | The right to object in certain situations to our continued processing of your personal data e.g. where processing is carried out for the purpose of our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims |
To withdraw consent | If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time. To do this, please contact us (see below: ‘[How to contact us]’). Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn. |
We do not use personal data for automated decision making.
For further information on each of the above rights, including the circumstances in which they apply, and/or if you would like to exercise any of these rights please contact us (see below: ‘[How to contact us]’).
Keeping your personal data secure
We have put in place reasonable and appropriate security measures to endeavour to prevent personal data from being accidentally lost, used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
For users of our Website, unfortunately, the transmission of information via the internet is never completely secure. We cannot therefore guarantee the security of your data transmitted via our Website; any transmission is at your own risk. Our Website may, from time to time, contain links to other websites plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our Website, we encourage you to read the privacy notice/policy of every website you visit before you submit any data to these websites.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.
How to complain
We hope that we can resolve any query or concern you may raise about our use of your personal data. If you want to complain about how we have used your personal data, please email us (see below: ‘[How to contact us’]). However, if we are not able to resolve your complaint to your satisfaction, you can complain to the Information Commissioner’s Office (ICO). Further information about how to make a complaint to the ICO can be found on the ICO website www.ico.org.uk.
Changes to this privacy notice
We may change this privacy notice from time to time and when we do so, we will inform you via our Website. If any changes are likely to have an adverse impact on your rights under data protection law, we will use reasonable endeavours to notify you of the changes in advance in writing or by alternative means.
Changes to your personal data
It is important that the personal data we hold about you is accurate and current.
Please let us know if you change your name, address or any other personal details (see below: ‘[How to contact us]’).
How to contact us
If you have any queries about this privacy notice or how we use your personal data, you can contact us by email or post as follows:
Email: fsl@west28th.co.uk
Post: West 28th Street Limited, 124 City Road, London, EC1V 2NX
14-November-2023
Document Version 1