HCIF Privacy Notice

Privacy Notice

Hitachi Capital (UK) PLC (the Company) is committed to protecting the privacy of your personal information. For the purpose of applicable data protection law, including the Data Protection Act 1998 and, from its entry into force on 25 May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) (together, DP Law), the Company is the data controller. You will see the Company referred to as Hitachi and Hitachi Capital Invoice Finance on the site. Our Privacy Notice explains what we do with any personal information which we collect from you, including when you use  our website and when you interact with us in other ways offline, for example during the credit application process. If you have any questions regarding our Privacy Notice, please contact us at the address on the Contact Us page of this site or email us at dataprotection@hitachicapital.co.uk

This Privacy Notice explains how we collect, use and disclose personal information about you when you visit the site and when you contact us, whether by e-mail, post, fax or telephone. The information you provide to us may then be shared with other companies in the Hitachi Capital (UK) PLC group (“Group”). Where we refer to the Company, this will also include the Group unless we explain otherwise.

What type of personal information do we collect?

The personal information we collect from you is used primarily to enable us to provide the specific service you require and to help you access your account, securely.  

Personal information can include the following:

  • your title, forename and surname and gender;
  • your personal or work related (depending on which you choose to submit) e-mail address and your password (which allow us to create your user account and your unique agreement number);
  • your personal or work related contact details (depending on which you choose to submit) such as your telephone number(s), fax numbers and postal address;
  • your date of birth and national insurance number;
  • your marital status;
  • your residential status and address details for the last 5 years;
  • occupation and annual income information where relevant;
  • employment status;
  • employer details and time periods in that occupation and with that employer and any other employers within a 3 year period where applicable;
  • personal information which we obtain from Fraud Prevention Agencies (see the section on ‘Fraud Prevention Agencies’ below);
  • personal information about your credit history which we obtain from Credit Reference Agencies including data which originates from Royal Mail (UK postal addresses), local authorities (electoral roll), the insolvency service, Companies’ House, other lenders and providers of credit (who supply data to the Credit Reference Agencies), court judgments decrees and administration orders made publicly available through statutory public registers (see the section on ‘Credit Reference Agencies’ below);
  • your contact and marketing preferences;
  • if you take a survey or interact with us in various other ways - demographics information and information about subjects that may interest you;
  • information necessary for legal compliance; and/or
  • where you "like" us or make posts on our pages on social networking websites, such as Facebook, Twitter, YouTube and Instagram. 

Personal information also includes special categories of personal data. This is data about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning your health, sex life or sexual orientation.  In the unlikely event that any of this is collected from you during your use of the website or during any other offline interaction with us you may be asked at the point of collection to provide your explicit consent where needed in order to justify our processing of it.  

This information will be collected primarily from you as information voluntarily provided to us, but (as explained above) we may also collect it where lawful to do so from (and combine it with information from) credit reference and fraud prevention agencies, public sources, third party service providers, tax or law enforcement agencies and other third parties. Also, some of the personal information obtained from Credit Reference Agencies will have originated from publicly accessible sources. In particular, Credit Reference Agencies draw on court decisions, bankruptcy registers and the electoral register (also known as the electoral roll).  We explain more about Credit Reference Agencies below.  We have also mentioned above in the lists of personal information that we process some of the Credit Reference Agencies’ other sources of information (which are our own source of information too).   We may also collect personal information about you from your use of other Company or Group websites or services.

The legal basis for our use and other processing of your personal information under DP Law when we are entering into a contract with the organisation that you work for

The core purposes for which we process your personal data and the legal reasons we have for doing that are as follows:

Our legitimate business interests: We need to use your personal data for the following reasons because it is in our legitimate interests as a business: to respond to you if your organisation has asked for information about our products and services, carry out credit reference and scoring checks, check details on proposals and insurance claims, carry  out financial assessments  (which includes taking wealth reports via third party reporting software), carry out anti-money laundering and fraud prevention checks (which may include sharing personal data with fraud prevention agencies), manage accounts or facilities related to credit, provide our products and services to your organisation, manage your organisation’s account on a daily basis, exercise our rights and perform our obligations under our agreement with your organisation, improve customer service, make payments and recover monies, carry out routine checks on your organisation’s directors and invoices to monitor the risks associated with our agreement with your organisation, carry out market research, quality assurance, staff training and marketing (in certain circumstances where your organisation is an existing customer of ours, we are marketing our own similar services to you and we allow you to opt out of receiving marketing from us whenever we send marketing to you)), carry out system development and statistical analysis on your personal data even if your organisation’s application is declined by us or your organisation decides not to complete its application with us. We have carefully considered our legitimate interests and have balanced these against your rights under data protection and we consider this is a proportionate use of your personal data. Please see our full privacy policy for more information about the balancing exercise that we have carried out. 

Other information collected by our website - Cookies and tracking code: We automatically collect standard internet and website log information to understand how our website visitors behave, which we use to improve your experience online.  This may include information about your Internet Service Provider, your operating system, browser type, domain name, the Internet Protocol (IP) address of your computer (or other electronic Internet-enabled device), your access times, the website that referred you to us, the web pages you request and the date and time of those requests. 

Our collection of website use information may also involve the use of cookies and web beacons. Please see the cookies policy on our website for more information.

For sending marketing from us and our group companies: We use your personal data to send marketing to you where you have agreed to this and in circumstances that are not covered by the marketing we carry out under paragraph A above. Please see section 7 below for more information on how we use personal data for marketing.

Complying with our legal and regulatory obligations: We need to use your personal data where we are legally required to verify your identity when contracting with your organisation in order to prevent fraud and to carry out due diligence.

For taking legal action: We need to use your personal data in certain circumstances because it is necessary in order to take legal action to recover money that your organisation owes.

Where we have your explicit consent: We use your personal data to carry out checks for criminal proceedings/convictions as part of verifying your identity or assessing your organisation’s suitability for the products and services that your organisation has requested and deciding whether to enter into an agreement with your organisation. 

The legal basis for our use and other processing of your personal information under DP Law when we are entering into a contract with you personally

The core purposes for which we process your personal data and the legal reasons we have for doing that are as follows:

For entering into a contract with you: We need to use your personal data for the following reasons before we are able enter into a contract with you: to respond to you if you have asked for information about our products and services, carry out credit reference and scoring checks, check details on proposals and insurance claims, carry out financial assessments (which includes taking wealth reports via third party reporting software, and anti-money laundering and fraud prevention checks (which may include sharing personal data with fraud prevention agencies) and managing accounts or facilities related to credit.

For performing our contract with you: We need to use your personal data to provide our products and services to you, manage your account on a daily basis, exercise our rights and perform our obligations in connection with our agreement with you, carry out routine checks on you and your invoices to monitor the risks associated with our agreement with you, make payments and recover monies.

Our legitimate business interests: We need to use your personal data for the following reasons because it is in our legitimate interests as a business: to improve customer service, carry out market research, quality assurance, staff training and marketing (in certain circumstances where you are an existing customer of ours, we are marketing our own similar products and services to you and we allow you to opt out of receiving marketing from us whenever we send marketing to you), carry out system development and statistical analysis on your personal data even if your application is declined by us or you decide not to complete your application with us. We have carefully considered our legitimate interests and have balanced these against your rights under data protection and we consider this is a proportionate use of your personal data.

Other information collected by our website - Cookies and tracking code: We automatically collect standard internet and website log information to understand how our website visitors behave, which we use to improve your experience online.  This may include information about your Internet Service Provider, your operating system, browser type, domain name, the Internet Protocol (IP) address of your computer (or other electronic Internet-enabled device), your access times, the website that referred you to us, the web pages you request and the date and time of those requests. 

Our collection of website use information may also involve the use of cookies and web beacons. Please see the cookies policy on our website for more information.

For sending marketing from us and our group companies: We use your personal data to send marketing to you where you have agreed to this and in circumstances that are not covered by the marketing we carry out under legitimate interests above.

Complying with our legal and regulatory obligations: We need to use your personal data where we are legally required to verify your identity in order to prevent fraud and to carry out due diligence.

For other legal reasons: We need to use your personal data in certain circumstances because it is necessary in order to take legal action to recover money that you owe.

Where we have your explicit consent: We use your personal data to carry out checks for criminal proceedings/convictions as part of verifying your identity or assessing your suitability for the products and services that you have requested and deciding whether to enter into an agreement with you.

This list is not intended to be exhaustive and may be updated from time to time as business needs and legal requirements dictate. Some of the personal information that we maintain will be kept in paper files, while other personal information will be included in computerised files and electronic databases.

Data Anonymisation

We may convert your personal data into statistical or aggregated data in such a way as to ensure that you are not identified or identifiable from that data. We may use this aggregated data to conduct market research and analysis, including to produce statistical research and reports.  For example, we may produce reports on which of our product and services are most popular. We may share aggregated data in several ways, including for the same reasons as we might share personal data (see below).

In addition, we may use pixels or transparent GIF files, to help manage online advertising.

How long do we keep your personal information for (and the criteria used to determine this)?

  • Your personal data will not be kept for longer than is necessary to fulfil the specific purposes outlined in this Notice and to allow us to comply with our legal requirements.

The criteria we use to determine data retention periods includes the following:

(i) Retention in case of queries.  We may retain it for a reasonable period (up to 12 months) after you have enquired about one of our products or services in case of follow up queries from you;

(ii) Retention in case of claims.  We may retain it for the period in which you might legally bring claims against us (in the UK this means we will retain it for 6 years after the expiration of your contract or agreement) if and to the extent this is relevant; and

(iii) Retention in accordance with legal and regulatory requirements.  We will consider whether we need to retain your personal data after the period described in (ii) (above) because of a legal or regulatory requirement. Some or all of these criteria may be relevant to retention of your personal data collected in connection with our products and services. 

  • If you would like further information about our data retention practices please contact us (see below).

How do we share your information with credit reference agencies?

In considering whether to enter into this agreement, we may use your personal data for making a credit check on you. We may carry out a search with a credit reference agency (CRA) who will keep a record of our enquiry against your name. We may search your personal records at CRAs which may be linked to your spouse/partner or other persons with whom you are linked financially (“associated records”) and you may be assessed with reference to “associated records”. We share personal data with credit reference agencies on an ongoing basis.

Where any search or application is completed or agreement entered into involving joint parties, we may record details at CRAs, as a result an “association” will be created that will link your financial records.

Where you provide us with personal information belonging to a third party, you must ensure you have obtained the necessary consents in order to disclose information.

We may also add to your or, if applicable, your business’s record with the CRAs details of your or your business’ agreement with us, any payments you or your business makes under it and any default or failure to keep to its terms. These records will remain on the CRAs file for 6 years after our agreement with you or your business is settled or terminated whether settled by you or, if applicable, your business or by way of default. They may add to their record about you, or, if applicable, your business, details of our search and your application whether or not your or your business’ application proceeds. The CRAs supply to us both public (including electoral register) and shared credit information.

We may also make periodic searches of CRAs to manage your or your business’ account with us, including whether to make further credit available or to continue or extend existing credit.

Please contact us if you would like details of the CRAs from whom we obtain, and to whom we pass, information about you.

We share this information with CRAs on the basis that it is in our legitimate interests as a business to make sure we are verifying your or your organisation’s financial position to make sure we can profitably do business with you or your organisation. We have carefully considered our legitimate interests and have balanced these against your rights under data protection and we consider this is a proportionate use of your personal data.

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail:

How do we share your information with fraud prevention agencies

IDENTITY VERIFICATION AND FRAUD PREVENTION CHECKS

What we process and share for identity and fraud checks

As well as using your personal information to manage the product or service we have with you, we will also use and share that information about you with fraud prevention agencies including CIFAS and National Hunter who will use it to prevent fraud and money-laundering and to verify your identity. This includes by carrying out fraud checks. All this requires us to process your personal information. We will do these checks before we provide the product or service to you, and periodically at other stages after that. If fraud is detected at any time you could be refused the product or service or have it withdrawn from you. 

The personal information you have provided, we have collected from you (whether directly or indirectly through our partners and brokers), or which has been received from third parties may include your name, date of birth, home address and address history, contact details such as email address, home and mobile telephone numbers, financial information, employment details, device identification including IP and/or MAC address.  

We, and fraud prevention agencies, will use this information to prevent fraud and money laundering, and to verify your identity. We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal information to detect, investigate and prevent crime.

Fraud prevention agencies can hold your personal information for different periods of time, depending on how that data is being used. You can contact them for more information. If you are considered to pose a fraud or money laundering risk, your data can be held by fraud prevention agencies for up to six years.

Information on these fraud prevention agencies, including their contact information and information on their Data Protection Officers, can be found at:

As part of our processing of your personal information, we may take decisions by automated means. You may automatically be considered to pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers, inconsistent with your previous submissions, or if you appear to have deliberately hidden your true identity.

You have rights in relation to automated decision making. There is more detail on this in the Your Rights section below.

  • Consequences of processing for identity and fraud checks

As indicated, if we, or a fraud prevention agency, determine that you pose a fraud risk or money laundering risk, we may refuse to provide the product or service to you and open your account. If fraud is detected at any time you could be refused the product or service or have it withdrawn from you. If you would like to know more you can contact the Data Protection Officer at the fraud prevention agencies (for details about what they do) or our Data Protection Officer (for details about what we do).

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and may result in others refusing to provide services, financing or employment to you.  If you have any questions about this, you can contact the appropriate fraud prevention agency using the details provided above. 

  • Data transfers for identity and fraud checks

Some fraud prevention agencies may transfer your personal information outside of the European Economic Area. Where they do, they impose contractual obligations on the recipients of that data.  Those obligations require the recipient to protect your personal information to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing and where the framework is the means of protection for the personal information.

  • Lawful processing for identity and fraud checks

When we and fraud prevention agencies process your personal information for the checks described in this section, we do so on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also or may also be a contractual requirement in order for us to provide the product or service you have applied for or to open your account relating to that product or service.

  • Your rights in the context of identity and fraud checks

Your personal information is protected by legal rights which include (in the context of the checks described in this section) your rights to object to processing of your personal information, request that your personal information is erased or corrected, or request access to your personal information. If you want to exercise any of these rights, you contact our Data Protection Officer using the details provided and you can also complain to the Information Commissioner’s Office.

Does the Company share my personal information with third parties?

Your personal information will be made available for the purposes mentioned above (or as otherwise notified to you from time to time), on a ‘need-to-know’ basis and only to responsible management, accounting, legal, logistics, audit, compliance, information technology and other corporate staff who properly need to know these details for their functions within the Company. Please note that certain individuals who will see your personal information may not be based at the Group or in your country (please see below).

Where you apply for a product or service your personal information may be shared with the UK’s CRAs to carry out credit reference checks and with the UK’s fraud prevention agencies for the purposes of preventing fraud.

We may share personal information within the Group as needed for reasonable management, analysis, planning and decision making, including in relation to taking decisions regarding the expansion and promotion of our product and service offering, order or customer request fulfilment and for use by those companies for the other purposes described in this Notice.

Your personal information may also be made available to third parties (within or outside the Company or Group) providing relevant services under contract to the Company, or the Group (see below for further details) to help us provide our services and products to you.  Third parties in this context means other corporate entities within the group, providers to the Company or Group of responsible management, accounting, legal, logistics, audit, compliance, information technology, marketing and other services. This may also include providers of call centres, data storage and database hosting services, IT hosting and IT maintenance services. These companies may use information about you to perform functions on our behalf.

We may disclose specific information upon lawful request by government authorities, law enforcement and regulatory authorities where required or permitted by law and for tax or other purposes. Your personal information may also be made available to third parties or partners where necessary as part of any restructuring of the Company or sale of the Company’s business or assets. Personal information may also be released to external parties in response to legal process, and when required to comply with laws, or to enforce our agreements, corporate policies, and terms of use, or to protect the rights, property or safety of the Company, our employees, agents, customers, and others, as well as to parties to whom you authorise the Company to release your personal information.

We will not sell your personal information to any third party other than as part of any restructuring of the Company or Group or sale of a relevant Group business.

Will my personal information be transferred abroad?     

We have explained above how your personal information may be shared outside of the Company and the Group. As part of this, including for instance where we work with service providers, your personal information may be transferred to countries outside the European Economic Area which don’t have equivalent standards of protection under their legislation and on these occasions we take other steps to protect the data as required under DP Law.

The steps we take may include the use of European Model Clause contracts and (where relevant to our suppliers) US Privacy Shield. You can find out what these are by using the Contact/address details below

Managing your marketing preferences

We may wish to provide you with information about new products, services, promotions and offers, which may be of interest to you.  We may also invite you to take part in market research or request feedback on our products and services. This communication may occur by e-mail, telephone, post or SMS. We will seek your consent for this where necessary under DP Law. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data and if you do not wish to consent then please do pay attention to the marketing consent check boxes. 

You also have the right to ask us not to process your personal data for marketing purposes at any time. This means you can change your mind about receiving marketing communications from us when you have previously consented to this.  You can opt-out of receiving such communications by clicking the “unsubscribe” link on any email that we send to you or by emailing our Customer Service team at info@hitachicapital.co.uk at any time.   

Please note that marketing communications are not the same as “information only” communications and that consents are not usually required in order for us to communicate with you about the products or services you have enquired about or have signed up to obtain, using contact details you have provided for this purpose.    

Your rights to access your personal information

You have a number of other rights in respect of your personal information under applicable DP Law. These include the right to access or obtain copies of your personal information and to have inaccurate information about you corrected. 

To exercise your right to access your personal data please write to our Customer Contact Team at Hitachi Capital Invoice Finance5 Hollinswood Court, Stafford Park 1, Telford, Shropshire TF3 3DE

Your rights under DP Law

As well as the right to access the personal information we hold about you, you have a number of other rights in respect of your personal information under DP Law. These may include (as relevant):

  • the right to access or obtain copies of your personal information that we hold (see above);
  • the right to rectification, including to require us to correct inaccurate personal data;
  • the right to request restriction of processing concerning you or to object to processing of your personal data;
  • the right to request the erasure of your personal data where it is no longer necessary for us to retain it;
  • the right to data portability including to obtain personal data in a commonly used machine readable format in certain circumstances such as where our processing of it is based on your consent;
  • the right to object to automated decision making including profiling (if any) that has a legal or significant effect on you as an individual; and
  • where you have an option to provide us with your personal data or not in connection with your use of our website or in connection with any of our products or services, you have the right to be informed about the possible consequences of not giving it to us; and
  • the right to withdraw your consent to any processing for which you have previously given that consent.

Please be aware that some of these rights will only become relevant when changes to DP Law come into force in May 2018.

Please contact us at dataprotection@hitachicapital.co.uk if you would like to exercise any of your rights explained above in relation to your personal information.

Your right to complain to the data privacy supervisory authority

Without prejudice to any other administrative or judicial remedy you might have, you have the right to lodge a complaint with the UK’s Information Commissioner if you consider that we have infringed applicable data privacy laws when processing your personal data. In the UK the Information Commissioner’s Office can be contacted using the following link: https://ico.org.uk/.

Keeping you informed

We will keep your details on record until we have completely dealt with your request, enquiry or application and then for a reasonable period afterwards, in accordance with data protection and other applicable legislation.

The Company may keep your details on record for as long as is necessary for the purposes set out above and will then endeavour to delete your details in accordance with data protection and other applicable legislation.

Changes to this Notice

We keep this Notice under regular review. We may change this Notice from time to time by updating this page in order to reflect changes in the law and/or our privacy practices. The date at the top of this Notice will be updated accordingly and we encourage you to check this from time to time for any updates or changes. Where you have provided us with your email address, we may also contact you to let you know that we have updated the Notice. We may also take that opportunity to ask you if you would like to update your marketing preferences.

By using our websites, submitting your personal information to us, registering an account, registering a customer credit account or interacting with us in other ways, you consent to the use of your personal information as described in this Notice (as amended from time to time).

This Notice does not extend to your use of, provision of data to and collection of data on any website not connected to us to which you may link to by using the hypertext links within our websites.

Contact/address details

If you have any questions about this Notice, please contact us at dataprotection@hitachicapital.co.uk