PRIVACY NOTICE FOR CURRENT AND PROSPECTIVE CUSTOMERS
PNC Financial Services UK Ltd (“we”, “our”, “us”) are committed to protecting the personal data of individuals associated with the companies with which we do business. As an asset-based lender to the private equity community, mid-market companies and other businesses, our core activities involve only limited personal data processing. This notice (“Notice”) sets out how and why we collect, use and disclose the personal data that we receive from or in relation to our current and prospective customers.
This Notice may be amended from time to time. We will post changes to this Notice on our website and any changes will take effect 30 calendar days after posting. We recognise our continuing transparency responsibilities and will take reasonable steps to bring to the attention of our customers any material changes to this Notice when they are posted.
2. DATA CONTROLLER
PNC Financial Services UK Ltd is the data controller. We are registered in the United Kingdom with company number 07341483, and our registered office address is PNC Business Credit, PNC House, 34 -36 Perrymount Road, Haywards Heath, RH16 3DN.
Questions, comments and requests regarding this Notice may be emailed to privacyBCUK@pnc.com or sent by post to the above mentioned address.
3. WHAT PERSONAL DATA DO WE COLLECT AND WHY?
This section covers the different sources and categories of personal data that we collect and otherwise process, why we do so, and the lawful bases for our processing.
A – Sources of Personal Data
We may obtain personal data about individuals associated with our customers or prospective customers (including their employees, officers, major shareholders or other associated individuals) in connection with loan applications or services from the following sources:
a) the individual directly (for example, by telephone, via our website, by e-mail, when a representative of, or individual associated with, our customer fills out our forms, or in the course of providing our services);
b) our customer;
c) credit reference agencies (which may search the UK Electoral Register);
d) fraud prevention agencies, CIFAS, or other organisations;
e) our own affiliates;
f) various subscription services; and/or
g) publicly available sources (for example, governmental websites, company registries, search engines and social media sites).
B – Personal Data that We Collect and Process
As part of The PNC Financial Services Group, Inc., a US-headquartered financial institution, we have a legal obligation to carry out due diligence on our customers in compliance with various anti-money laundering, counter terrorism, anti-bribery and anti-corruption, tax and other similar legislation prior to providing lending services to a customer. To do this, we may request personal data relating to our customers’ officers, authorised signatories, direct/indirect shareholders, trustees, settlors, protectors and beneficial owners. We may also process the personal data of the directors of any parent or subsidiary that provides our customers with credit support. This may include:
a) a copy of a passport, driver’s licence, national identity card or any other equivalent identity document;
b) proof of residential address (for example, a copy of a utility bill, bank statement or any other equivalent document confirming the residential address);
c) the results of searches run by third parties or against publically available information where such results may include the following categories of personal data: name, address, date of birth, directorships, convictions, disqualifications and notices of correction; and/or
d) a specimen signature.
We may conduct real-time and/or automated screening against politically exposed persons and prohibited and/or sanctioned persons lists published by various regulators from time to time or checks through certain subscription services.
We may also collect contact details including name, title, postal address, telephone number(s) and email address, and other verification details of individuals associated with our customers. If an individual associated with our customer contacts us, we may keep a record of that correspondence.
C – Why do We Collect Personal Data and What Are Our Lawful Grounds for Doing So?
Our legal obligations
We need to collect personal data about individuals associated with our customers in order to comply with our legal obligations, including:
a) for assessment and analysis necessary to prevent and detect money laundering, including but not limited to carrying out any relevant anti-money laundering and sanctions checks and fulfilling our obligations under any relevant UK anti-money laundering law or regulation (including under The Money Laundering,
Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017); and / or
b) to comply with any other UK regulatory obligations which apply to us.
Where an individual associated with a customer or prospective customer is unable to provide us with their personal data and review of such data is a legal or a contractual requirement in relation to the provision of our services, we may be compelled to refuse to offer our services in that circumstance.
Our legitimate interests
The personal data we collect also is used to carry out and protect our business interests including the following:
a) to manage accounts;
b) to develop and improve the services we provide to our customers;
c) to assess and analyse in order to prevent and detect fraud and other crime;
d) to carry out regulatory and sanctions checks required by foreign laws or regulations to which we or our affiliates are subject;
e) to meet our obligations to relevant non-UK government or regulatory authorities;
f) to carry out operational and administrative actions;
g) to establish and maintain commercial relationships;
h) to exercise or to defend legal claims; and/or
i) to inform our customers of products, services and events that may be of interest by various means, including by letter, telephone, messages, e-mail and other electronic methods. Where we use electronic means of communication to provide individuals associated with our customers with marketing information, we will seek their prior consent where required by law to do so.
4. SHARING OF YOUR INFORMATION
We share personal data relating to our customers and other business contacts among affiliates, and also with trusted third party vendors and business partners. The purposes for these transfers are set out below. We do not sell your personal data to third parties.
A – Our Affiliates
We may disclose your personal data to any member of the PNC Financial Services Group, Inc. family of companies for the following business purposes:
a) to facilitate the credit decision-making process;
b) to carry out global AML/KYC processes; or
c) to store personal data on our central systems.
In so doing, our affiliates may be data controllers and/or data processors of the personal data that we share with them. As data controllers and/or data processors, these affiliates will process your data in line with intra-group data transfer agreements that we have entered into with the relevant members of PNC Financial Services Group, Inc. in line with the requirements of the UK Data Protection Act 2018 and UK General Data Protection Regulation (“UK GDPR”).
B – Our Service Providers
We may disclose information about you to organisations that provide a service to us or are acting as our agents, on the understanding that they will keep the information confidential and will comply with contractual safeguards in line with the UK GDPR requirements.
For example, we may share your information with the following types of service providers:
a) technical support providers who assist with our website and IT infrastructure;
b) third party software providers, who may include ‘software as a service’ solution providers, where the provider hosts the relevant personal data on our behalf;
c) professional advisers such as solicitors, accountants, tax advisors, auditors and insurance brokers;
d) money laundering and compliance search providers;
e) providers that help us store, collate and organise information effectively and securely, both electronically and in hard copy format, and for marketing purposes;
f) providers that help us generate and collate reviews in relation to our services; and/or
g) providers that help us analyse or evaluate our data collection process or customer service fulfilment.
C – Government and Regulatory Authorities
We may disclose information about you if we have a duty to do so or if required by a UK governmental, banking, taxation or other regulatory authority or similar body, or by the rules of any relevant stock exchange or pursuant to any applicable UK law or regulation or if the law allows us to do so. Otherwise, we will keep information about you confidential.
D – Credit Reference and Fraud Prevention Agencies
In some cases, we may need to share your personal data with authorised credit reference and fraud prevention agencies in order to obtain information from them that is necessary to make credit assessments and to prevent and detect fraud, money laundering and other crimes.
When considering a loan application from a customer or making lending decisions, we may request background checks on associated individuals to be carried out by credit reference agencies, which may keep a record of the search in line with their own obligations and responsibilities.
In regard to background and credit checks on individuals associated with our customers, we reserve the right to carry out further checks from any of these sources from time to time for fraud prevention and credit control purposes.
Should an unaffiliated third party request a bank or credit reference from us, or any other request for a reference that concerns you, we will not provide such a reference without your written permission.
E – Other
We may also disclose your personal data:
a) as permitted by law in order to investigate, prevent or take action regarding illegal activities, suspected fraud, violation of our intellectual property rights, situations involving potential threats to the physical safety of any person, violation of the terms of our agreements, or as required by law;
b) in the context of mergers and acquisitions, we may transfer your personal data to potential purchasers and their advisors, subject to appropriate confidentiality obligations, in the event the we decide to dispose of all or parts of our business; and
c) with our advertising and promotional agencies and consultants and those organisations selected by us to carry out marketing campaigns on our behalf, subject to appropriate contractual safeguards.
5. TRANSFERS OUTSIDE THE UNITED KINGDOM
In general, when transferring your personal data outside the UK, we will only do so if one of the following safeguards is in place:
a) the transfer is to a third country covered by UK adequacy regulations;
b) the transfer is covered by a contractual agreement, which covers the UK GDPR requirements relating to transfers to countries outside the UK; or
c) the transfer is to an organisation which has Binding Corporate Rules approved by the UK government.
We may occasionally rely on derogations; our basis for these transfers would be one or more of the following:
a) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;or
b) the transfer is necessary for the establishment, exercise or defence of legal claims.
You may request a copy of the relevant documentation from us using the contact details provided in Section 2 above.
6. OUR RETENTION POLICY
We retain personal data only for as long as necessary for the purposes for which the data was collected, except where necessary to meet our legal obligations (for example, in relation to AML requirements) or in order to establish, exercise or defend potential legal claims.
7. YOUR RIGHTS
If you are an individual covered by this Notice, you have the following rights in relation to your personal data under the UK GDPR:
a) to obtain information on how we handle your personal data and access documents which contain your personal data;
b) to request us to correct or update your personal data if it is inaccurate or out of date;
c) to object to the processing of your personal data where we have indicated in Section 3 above that our legitimate interest is the lawful basis for processing your data, or where decisions about you are based solely on automated processing, including profiling;
d) to erase personal data about you that is held by us:
i. which is no longer necessary in relation to the purposes for which is was collected,
ii. to the processing of which you object, or
iii. which may have been unlawfully processed by us;
e) to restrict processing by us, i.e. to restrict processing to storage only:
i. where you oppose to deletion of your personal data and prefer restriction of processing instead, or
ii. where you object to the processing by us on the basis of our legitimate interests;
f) to transmit personal data that you submitted to us back to you or to another organisation in machine- readable format under certain circumstances; and
g) to withdraw your consent at any time, in the limited circumstances in which we may rely on your consent to process your personal data.
These rights are not absolute and are subject to various conditions under:
• applicable data protection and privacy legislation; and
• the laws and regulations to which we are subject.
For general questions regarding this Notice or if you at any time decide that you would like to exercise any of these rights, please contact us using the contact details provided in section 2 above.
If you are unhappy with how we have dealt with your request or concern, you have the right to file a complaint with the Information Commissioner’s Office, the UK supervisory authority. For more details, please visit the ICO’s website: https://ico.org.uk/concerns/handling/.