PRIVACY POLICY
CDER’s Privacy Policy
PRIVACY POLICY
Your privacy is very important to us. We promise to respect and protect your personal information and try to make sure that your details are accurate and kept up to date. This Privacy Policy sets out details of the information that we may collect from you and how we may use that information. Please take your time to read this Privacy Policy carefully. When using our website, this Privacy Policy should be read alongside the website terms and conditions.
Click on the menu items below to quickly navigate to the individual sections of the Privacy Policy.
- About CDER Group
- Our processing of your personal information
- How do we protect your personal information when sending it abroad?
- What marketing activities do we carry out?
- How long do we keep personal information for?
- Automated processing
- Your rights
- How we protect your information
- Contact us
- Updates to this Privacy Policy
- About CDER Group
In this Privacy Policy references to “we” or “us” are to CDER Group Limited. We are part of the Outsourcing Inc. group of companies.
In order to provide our services, we will collect and use data about individuals. This means that we are a ‘data controller’ and we are responsible for complying with data protection laws.
Please note, when providing debt collection and recovery services to His Majesty’s Courts and Tribunals Service (HMCTS), we will receive additional data from HMCTS which may include brief details of a criminal offence which you may have committed, which relates to a debt you owe HMCTS. When we receive and handle such data, in order to provide our debt collection and recovery services to HMCTS, we are acting as a data processor, with HMCTS acting as a data controller – therefore we are not required by law to set out further details in this privacy policy regarding how such data is collected and handled, nor what it is used for, that is the responsibility of the data controller in respect of such data. We recommend therefore that you review HMCTS’s privacy policy for more information.
We have appointed a data protection officer to oversee our handling of personal information. If you have any questions about how we collect, store or use your personal information, you may contact our data protection officer using the details set out in the contact us section.
- Our processing of your personal information
The personal information that we collect will depend on our relationship with you. Please look in the section below that best describes your relationship with us.
In this privacy policy, we refer to individuals who we collect debt from and carry out enforcement action against, whether this relates to criminal or civil enforcement action, as “Customers”.
For example, we will collect more detailed information about you if you are a Customer than we would if you simply made an enquiry about the services that we offer.
Sometimes we will ask for information relating to your health which is known as ‘special categories of information’. When we are carrying out enforcement activities, we are required to determine whether those subject to enforcement action could be regarded as vulnerable. In order to make this determination we may ask you for, or you may volunteer to give us, information about your vulnerability.
If you provide personal information to us about other people you must provide them with a copy of this Privacy Policy and obtain any consent where we indicate that it is required for the processing of that person’s information in accordance with this Privacy Policy.
2.1. Individuals who we collect debt from and carry out enforcement action against.
This section will detail what personal information we collect about you and use if we have been asked to carry out enforcement action against you and collect debt from you on behalf of our clients.
2.1.1. What personal information will we collect?
- Name (surname, forename, middle name)
- Title
- Age range
- Deceased date (where applicable)
- Address
- Email address
- Phone number
- Gender
- Identity (NI number, Driving Licence number)
- Business or company name
- Profession
- Job title
- Employment status
- Employer details (employer name, occupation, office, registered office, start date, salary)
- Car registration and keeper details
- Visual and audio images of you through our use of body worn video, vehicle camera and audio recording equipment
- Council tax band of your address
- Credit reference data
- The location of your address or vehicle
- Financial information such as credit/debit card information
- Bank details that you have permitted us to use on your behalf
- Date of birth
- Information relating to your financial status / solvency
- Information relating to your debt
- Any information in client’s notes
- Details about the property associated with a visit
- Personal information collected pursuant to the debt collection and enforcement process
- Means form information
- Information obtained from credit and tracing checks including lifestyle information such as whether you are ex-directory, have active credit or do online shopping
- Information obtained from public sources such as social media profile names
- Caller line identification
- Recording of telephone calls including those made to agent mobile phone
- Recording of text messages sent to agent mobile phone
- Technical information about any visit that you make to our website, including IP address, login information and information about your web browser and operating systems.
2.1.2. What special categories of information will we collect?
- Information about your physical and mental health, in particular information about any disabilities you may have, illnesses or medical conditions or whether you are pregnant.
2.1.3. How will we collect your personal information?
- From information provided by our clients when they register a new case with us
- From third party Credit Reference and Tracing Agencies
- From public sources such as Google
- From the DVLA
- From specialist third parties who we liaise with to carry out our services such as hire purchase information providers, removal companies and auction houses
- Where we visit your address, from our agents’ body worn video, vehicle camera and audio recording equipment
- Other parties residing or otherwise present at your property when it is attended by enforcement officers
- From information you provide during a recorded phone call or text message with CDER
- From information you provide in written communication you send to CDER
- From information you provide when you register an online account or update your profile on our Customer Portal
- From our website through the use of cookies.
2.1.4. What will we use your personal information for?
We may process your information for a number of different purposes. For each purpose we must have a legal ground for such processing and we will rely on the following legal grounds:
- We have a legitimate business need to use your personal information. Such need will cover all activities required to carry out everyday business activities and will include:
- keeping business records
- using your personal information to carry out our debt collection and enforcement services
- ensuring that we have up to date records
- management information
- statistical analysis
- developing and testing our systems
- analysing our business
- improving the services we offer
- research and statistical projects in which we are involved from time to time
- carrying out strategic reviews of our business model.
When relying on this legal ground, we are under a duty to assess your rights and to ensure that we do not use your personal information unless we can demonstrate a legitimate business need.
- It is necessary to comply with a legal obligation. For example our obligations under the law to protect vulnerable people.
- We have your consent. Your consent is required for us to process personal information provided by you on our Customer Portal, and to share information with the Money and Pensions Service. You do not have to provide your consent and you can withdraw your consent at any time. You do not have the right to withdraw consent where we are not relying on your consent.
When we use your “special categories of personal information” (such as information about your health), we need to have an additional “legal ground” and we will rely on the following “legal grounds”:
- That it is in the substantive public interest.Such as where it is necessary under the law in order to protect the interests of vulnerable people.
- Research and statistics. where we partner with a research body/trade industry body, such as the Enforcement Conduct Board (“ECB“), to assist them in carrying out research into the industry, this may involve us sharing anonymised and/or pseudonymised BWV footage with a research company for them to analyse.
Please see the table below for further details of the different ways we use your personal information and the legal grounds we rely on when doing so.
Purpose for processing | Legal grounds for using your personal information | Legal grounds for using your special categories of information |
To carry out enforcement action and collect debt on behalf of our clients | We have a legitimate interest to fulfil our contractual obligations to our client | Not applicable |
Processing information and evidence about individuals to assess their vulnerability | It is necessary to comply with a legal obligation | It is in the substantial public interest to protect the interests of vulnerable people |
Recording all call centre, agent mobile phone and visit interactions with all individuals who we collect debt from and carry out enforcement action against | We have a legitimate interest to have records of all interactions with customers for business records and, to record any incidents with our staff. Recordings will be used to monitor compliance to legislative requirements, Process, the National Standards, Codes of Practice and for any complaints that arise. | Not applicable |
Taking payment details from customers | We have a legitimate interest to ensure payment can be made in relation to debt we are collecting | Not applicable |
Storing and processing of previous cases for the purpose of enforcing potential future claims | We have a legitimate interest to effectively enforce future claims by our clients | Not applicable |
Construction of a Single Customer View so that all customer cases can be viewed under a single record | We have a legitimate interest to collate information in this way to reduce fees for customers and to ensure that customers are not visited multiple times for different cases | Not applicable |
Augmenting information provided by our clients with information provided from third parties such as credit reference agencies and the DVLA | We have a legitimate interest to supplement information in this way to avoid disproportionate efforts of having multiple collections for our clients | Not applicable |
Augmenting information provided by our clients and third parties with information provided by you on our Customer Portal | We rely on your consent to process this data | Not applicable |
Provide individuals with the option to obtain access to independent debt advice | We rely on your consent to process this data | Not applicable |
Sharing BWV footage with research companies as part of ECB research project | We have a legitimate interest to share such information (noting that it will be pseudonymised and then fully anonymised before being used) to assist in producing a report and updating industry standards/code of conduct to help improve standards across the industry, leading to better outcomes for customers. | Research and statistics condition. |
2.1.5. Who will we share your personal information with?
From time to time, we may share your personal information with companies in the CDER group or with the following third parties for the purposes set out above:
- Our clients who have instructed us to carry out debt collection and enforcement services on you
- Self-employed enforcement agents to assist in delivery of our debt collection and enforcement services
- Credit reference and tracing agencies including Experian Ltd, TransUnion International UK Ltd and Equifax Ltd. See links below for their privacy notices:
- GB Group Plc, Data OD Ltd, UK Search Ltd, Data8 Ltd for tracing, address cleansing and telephone appending
- Cardstream Limited acting as a credit and debit card payment service provider – see linked privacy notice https://cardstream.com/privacy-policy/
- Streamline and Verifone for the processing of PDQ payments
- Ecospend Technologies Ltd for the processing of Open Banking payments
- Adare SEC Ltd for the provision of correspondence and mailing services
- Google for the geocoding of addresses
- Esendex for the sending of SMS to get in touch with you, to remind you of payments that are due and to provide receipts of payments made
- The DVLA
- The Police and Courts
- Vehicle Recovery and Removal Firms
- Auction Houses
- Legal advisers
- Other parties residing or otherwise present at your address when it is attended by enforcement officers
- Other 3rd parties with whom you have authorised us to discuss your personal circumstances
- Insurance Companies, in the event of a relevant insurance claim
- Money And Pensions Service (MAPS) with your consent
- Research companies that have been appointed to view personal information (particularly BWV footage) to undertake research and produce anonymised reports for the ECB (an independent oversight body for the debt collection industry, which CDER is active in)
- Any third parties in the event of a sale, merger, reorganisation, transfer or dissolution of our business.
- Worldpay Limited acting as a credit and debit card payment service provider – see linked privacy notice https://www.worldpay.com/en-gb/privacy
If you would like further information regarding the disclosures of your personal information, please see the contact us section below for our contact details.
2.1.6 Credit and debit card payment service providers we work with
We use credit and debit card payment service providers including Cardstream Limited and Worldpay (UK) Limited to help customers pay debts. When you provide your name and postcode, we will share this with the service provider in order to assist in validating payment. When you provide your card details you interact with the credit or debit card payment service provider, you do so on their terms and conditions and in accordance with their separate privacy policies. We do not control these third-party service providers and are not responsible for their privacy statements. We encourage you to read the privacy policy and terms and conditions of the relevant credit or debit card payment provider to whom you are directed.
2.2. New Occupiers
This section will detail what personal information we collect about you and use if you are a New Occupier of an address that our records indicate was previously occupied by a customer.
2.2.1. What personal information will we collect?
- Name and address
- Evidence that you are the current occupier of the address
- Recording of telephone calls, including those made to agent mobile phone and any information contained in notes of the call
- Visual and audio images of you through our use of Body Worn Video and audio recording equipment
- Photos and any information contained in any notes made by our agents when they visit your property
- Technical information about any visit that you make to our website, including IP address, login information and information about your web browser and operating systems
- New occupier evidence that you send us via post, website forms or email.
2.2.2. What special categories of information will we collect?
We do not collect any special categories of information about you.
2.2.3. How will we collect your personal information?
- From call recordings and where we visit your address, from our agents’ body worn video and audio recording equipment
- From information you provide during a recorded phone call or text message with CDER
- From details you provide when sending correspondence or completing a form on our website
- From our website through our use of cookies.
2.2.4. What will we use your personal information for?
We may process your information for a number of different purposes. For each purpose we must have a legal ground for such processing and we will rely on the following legal grounds:
- We have a legitimate business need to use your personal information. Such need will cover all activities required to carry out everyday business activities and will include:
- keeping business records
- using your personal information to carry out our debt collection and enforcement services
- ensuring that we have up to date records
- management information
- statistical analysis
- developing and testing our systems
- analysing our business
- improving the services we offer
- carrying out strategic reviews of our business model
When relying on this legal ground, we are under a duty to assess your rights and to ensure that we do not use your personal information unless we can demonstrate a legitimate business need.
- Your consent is required for us to process new occupier evidence provided by you via post, email or a form on our website. You do not have to provide your consent and you can withdraw your consent at any time. You do not have the right to withdraw consent where we are not relying on your consent.
Please see the table below for further details of the different ways we use your personal information and the legal grounds we rely on when doing so.
Purpose for processing | Legal grounds for using your personal information | Legal grounds for using your special categories of information |
To check that the Customer, from whom we are collecting, on behalf of our Client, is no longer resident at the address occupied by the New Occupier. | We have a legitimate interest to ensure that we have accurate and up to date records of customers to ensure that we can properly carry out our services to our clients | Not applicable |
Recording all interactions with all New Occupiers | We have a legitimate interest to have records of all interactions with New Occupiers for business records and, to record any incidents with our staff. Recordings will be used to monitor compliance to legislative requirements, Process, the National Standards, Codes of Practice and for any complaints that arise. | Not applicable |
To check that the Customer, from whom we are collecting, on behalf of our Client, is no longer resident at the address occupied by the New Occupier by reviewing evidence you have sent us via post, email or a form on our website | We rely on your consent to process this data | Not applicable |
2.2.5. Who will we share your personal information with?
From time to time, we may share your personal information with companies in the CDER group or with the following third parties for the purposes set out above:
- In limited circumstances, with our clients, in order to resolve complaints.
- Insurance Companies, in the event of a relevant insurance claim.
If you would like further information regarding the disclosures of your personal information, please see the contact us section below for our contact details.
2.3. Web Site Users
This section will detail what personal information we collect about you and use if you use our website, either browsing or interacting with the website to send us a message or register a complaint.
2.3.1. What personal information will we collect?
- Any information you may share with us when you visit our website
- Technical information about any visit that you make to our website, including IP address, login information and information about your web browser and operating systems.
2.3.2. What special categories of information will we collect?
We do not collect any special categories of information about you.
2.3.3. How will we collect your personal information?
Via our website.
2.3.4. What will we use your personal information for?
We may process your information for a number of different purposes. For each purpose we must have a legal ground for such processing and we will rely on the following legal grounds:
We have a legitimate business need to use your personal information. Such need will cover all activities required to carry out everyday business activities and will include:
- keeping business records
- developing and testing our systems
- diagnosing any problems with our website
- responding to enquiries
- assessing usage of our website
- improving the services we offer
When relying on this legal ground, we are under a duty to assess your rights and to ensure that we do not use your personal information unless we can demonstrate a legitimate business need. Please see the table for further details of the different ways we use your personal information and the legal grounds we rely on when doing so.
Purpose for processing | Legal grounds for using your personal information | Legal grounds for using your special categories of information |
To respond to any enquiries you make | We have a legitimate interest to respond to all enquiries made on our website | Not applicable |
2.3.5. Who will we share your personal information with?
From time to time, we may share your personal information with companies in the CDER group or with the following third parties for the purposes set out above:
- No one at this stage.
If you would like further information regarding the disclosures of your personal information, please see the contact us section below for our contact details.
2.4. Third Parties
This section details what personal information we collect about you if you are a 3rd party who happens to have been captured by our video and/or audio recording capability.
2.4.1. What personal information will we collect?
Visual and audio images of you through our use of Body Worn Video, Vehicle Cameras and audio recording equipment.
2.4.2. What special categories of information will we collect?
We do not collect any special categories of information about you.
2.4.3. How will we collect your personal information?
- Where we visit an address where you are present, from our agents’ Body Worn Video and audio recording equipment.
- Our vehicles may be equipped with both internal and external cameras which may capture footage of you.
2.4.4. What will we use your personal information for?
We may process your information for a number of different purposes. For each purpose we must have a legal ground for such processing and we will rely on the following legal grounds:
We have a legitimate business need to use your personal information. Such need will cover all activities required to carry out everyday business activities and will include:
- keeping business records
When relying on this legal ground, we are under a duty to assess your rights and to ensure that we do not use your personal information unless we can demonstrate a legitimate business need. Please see the table below for further details of the different ways we use your personal information and the legal grounds we rely on when doing so.
Purpose for processing | Legal grounds for using your personal information | Legal grounds for using your special categories of information |
Recording all interactions during a visit | We have a legitimate interest to have records of all interactions during a visit for business records and, to record any incidents with our staff. Recordings will be used to monitor compliance to legislative requirements, Process, the National Standards, Codes of Practice and for any complaints that arise. | Not applicable |
In the event of a Road Traffic accident | We have a legitimate interest to have records when a Road Traffic accident occurs so that we can provide evidence where required. | Not applicable |
In the event of a complaint or insurance claim | We have a legitimate interest to have records of interactions with a 3rd parties as these may give rise to complaints or insurance claims. | Not applicable |
Sharing your personal data with the police and insurance companies where necessary | We have a legitimate interest [or have a legal obligation] to share recordings with the police and Insurance companies where an investigation deems this to be necessary. | Not applicable |
2.4.5. Who will we share your personal information with?
From time to time, we may share your personal information with companies in the CDER group or with the following third parties for the purposes set out above:
- In limited circumstances, with our clients, in order to resolve complaints
- The Police and Courts
- Insurance Companies, in the event of a relevant insurance claim
If you would like further information regarding the disclosures of your personal information, please see the contact us section below for our contact details.
- How do we protect your personal information when sending it abroad?
We do not send your personal information outside of the UK (other than to countries within the EEA). In the event that this changes, we will notify you.
- What marketing activities do we carry out?
We do not perform any marketing activities that use your personal information.
- How long do we keep personal information for?
We will only keep your personal information for as long as reasonably necessary to fulfil the purposes set out in section 2 above and to comply with our legal and regulatory obligations.
Our Customers: All customer data in all datastores (with the exception of Body Worn Video (BWV) footage) will be scheduled for deletion 6 years after the year in which the customers last case is returned to the client. This means that customer data older than the 6-year threshold will be retained where there is a live case or there has been a live case within the last 7 years (i.e. 6 years plus the year in which the last customer case was returned).
BWV recordings of visit interactions will be deleted 1 year after the date on which the recording was made unless the case is subject to investigation or complaint at this point. In these circumstances BWV footage will be deleted 1 year after the year in which the complaint/investigation is closed. This also applies to BWV footage shared with research companies for research purposes outlined above.
Vehicle camera recordings will be deleted after 60 days from the date on which the recording was made unless the case is subject to investigation or complaint at this point. In these circumstances footage will be deleted 1 year after the year in which the complaint/investigation is closed.
Where we receive vulnerability evidence which contains your personal information, that evidence will be assessed by our back-office team and all photos or scanned documents will be deleted the next working day.
New Occupiers: where we receive evidence, which contains your personal information, that evidence will be assessed by our back-office team and all photos or scanned documents will be deleted 2 working days after completion of the assessment.
For further information regarding how long your personal information will be kept, please see the “Contact us” section.
- Automated processing
We currently undertake some automated processing of your personal information in order to inform our businesses practices, such as comparing your personal information against trends or other data subjects with similar characteristics. None of this processing results in any legal or similar decision making in respect of you.
- Your rights
You have a number of data protection rights which entitle you to request information about your personal information, to dictate what we do with it or to stop us using it in certain ways.
If you wish to exercise the rights set out below, please contact us at any time using the details set out in section 9. There will not normally be a charge for this. Please note, where we use BWV footage for research purposes, some of your rights stated below may not apply in relation to such uses – in particular, where we rely on the research and statistics exemption under the Data Protection Act 2018, as this disapplies such rights.
We respect your rights in relation to personal information we hold about you, however we cannot always comply with your requests. For example we may not be able to delete your information if we are required by law to keep it for a longer period of time or if should we delete your information we would not have the necessary information we need in order to fulfil the purpose for which it was collected.
Your rights include:
- The right to access your personal information
You can request a copy of the personal information we hold about you and certain details of how we use it.
Unless requested otherwise, your personal information will be provided to you by electronic means. If we do not hold an email address the information will be sent by post.
- The right to rectification
We make reasonable efforts to keep your personal information where necessary up to date, complete and accurate. We encourage you to ensure that your personal information is accurate so please regularly let us know if you believe that the information we hold about you may be inaccurate or incomplete. We will correct and amend any such personal information and notify any third party recipients of necessary changes.
- The right to erasure
You can request that we delete your personal information. For example, where we no longer need your personal information for the original purpose we collected it.
Whilst we will assess every request, this request is subject to legal and regulatory requirements that we are required to comply with.
- The right to restriction of processing
Subject to the circumstances in which you exercise this right, you can request that we stop using your personal information, such as where you believe that we no longer need to use your personal information.
- The right to data portability
Subject to the circumstances in which you exercise this right, you can request that we port across personal information you have provided to us to a third party in a commonly used and machine-readable format.
- The right to object to marketing
We do not carry out any marketing activities using your personal information.
- The right to object to processing
In certain circumstances, where we only process your personal data because we have a legitimate business need to do so, you have the right to object to our processing of your personal data.
- Rights relating to automated decision-making
We do not currently carry out any automated decision-making. In the event that this changes, we will notify you and inform you about your rights relating to automated decision-making.
- The right to withdraw consent
We do not rely on your consent to process personal information obtained from other sources, for example our client when they refer your debt to us for collection.
If you have provided us with additional information on our Customer Portal you may withdraw your consent for us to process this information at any time.
- The right to lodge a complaint with the ICO
You have a right to complain to the Information Commissioner’s Office if you believe that any use of your personal information by us is in breach of applicable data protection laws and/or regulations. More information can be found on the Information Commissioner’s Office website: https://ico.org.uk. This will not affect any other legal rights or remedies that you have.
- How we protect your information
We will use all reasonable efforts to safeguard your personal data. We have put in place strict physical, electronic and managerial procedures to safeguard and secure the information we collect.
We put in place confidentiality clauses or confidentiality agreements (including data protection obligations) with our third party service providers.
If you would like more information on how we protect your information please contact us using the details below.
- Contact us
You may contact our data protection officer if you have any questions about how we collect, store or use your personal information:
Data Protection Officer
CDER Group
9th Floor, Peninsular House
Monument Street
London EC3R 8LJ
cder-privacy@cdergroup.co.uk
- Updates to this Privacy Policy
We may need to make changes to this Privacy Policy periodically, for example, as the result of government regulation, new technologies, or other developments in data protection laws or privacy generally. Our most up to date Privacy Policy will always be shown on our website and will be signposted in all of our communications.
This Privacy Policy (version 19) was last updated on: 9 July 2024.