Kinto

Who we are

KINTO U.K. Limited, registered in England and Wales No. 837940. KINTO’s Registered Office is: Haven House, Compass Road, Portsmouth, PO6 4RP.  Our principal place of business and contact information is set out below.  We also trade under the name LeaseMyCar and KINTO One.

We provide vehicle leasing and fleet management services to corporate customers and in addition, also offer a personal contract hire leasing product to individual consumers and other services to individuals.  This means we are both controllers and processors in relation to personal data, depending upon the services.

Vehicle Leasing and Fleet Management Services provided to corporate customers:

Where we provide vehicle leasing and fleet management services to our corporate customers we are primarily processors of the personal data of those customers’ drivers and employees.  Where applicable, this means that the controller of this personal data is your employer and KINTO is responsible for processing your personal data on their behalf. This means that your employer will need to provide you with a separate privacy notice informing you of how they will use your personal data.

In some cases though we will be the controller of your personal data and if so, this Privacy Notice will apply to our collection and use of your data.

We have set out in the table below a summary of the services we provide and whether we are controllers or processors of your personal data.

Services provided directly to individual consumers:

Where we provide you with personal contract hire services under our trading name, LeaseMyCar, we are acting as controllers and this Privacy Notice will apply to you.

Where we provide an individual with an opportunity to purchase a vehicle previously leased to their employer (or the employer of a friend or family member) we are acting as controllers and this Privacy Notice will apply to you.

How you contact us about data protection

For general data protection queries, to report a breach or potential data protection breach or notify us that you wish to assert your rights as an individual please contact our Data Protection Team:

By email:               dpo@kinto-uk.com

By phone:             0333 222 0966

By post:
For the attention of: Data Protection Team, KINTO U.K. Limited, Haven House, Compass Road, Portsmouth PO6 4RP

Regulatory Authorities

KINTO has notified the Information Commissioner’s Office that we may obtain information about you as the data subject. Our registration number is Z566271X.  You may search the register of data controllers for our registration information here: https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/

KINTO is also authorised and regulated by the Financial Conduct Authority (No. 311776).  We are a credit broker and not a lender.

Personal Data gathered by us

We will receive or collect information from you in a variety of different ways, including:

• Visits to our websites (including registering as a user);
• Using our driver portals (or those operated by our suppliers);
• Directly via post, email or telephone;
• When you respond to our surveys, enter competitions or respond to promotions;
• When you contact us in relation to matters involving your vehicle;
• From our suppliers (such as when they deliver or collect a vehicle, service, maintain or repair your vehicle or provide breakdown assistance);
• From other third parties (such as the DVLA, legal, government or enforcement agencies or insurance providers);
• From your employer when they instruct us to contact you in relation to their company vehicle scheme or other company requirement (such as checking your driving licence);
• From you when you contact us (or via a recruitment agent) when you wish to apply for a vacancy. Although please note that we do provide a separate Privacy Notice to employees and candidates.

The types of information we might collect about you include:

• Identifying: this includes your full name, previous names, identifiers such as employee number, marital status, title, date of birth, gender (including, where applicable, information about any additional drivers you nominate or next of kin/emergency contact information), government issued identification (such as your driving licence number and National Insurance number);
• Financial: this includes bank account or card information (for certain services), information about your credit records and history, credit worthiness, adverse credit and transaction information. It may also include information about your tax records and private or capital contributions related to vehicles;
• Contact: this includes your address (home and work), telephone number(s), email address, work contact information and, where applicable, this information about additional drivers;
• Professional: this includes information about your job title, employee number, use of company vehicles and other information your employer may need us to process in relation to their company vehicle scheme if appropriate;
• Tracking and Technical: this includes information about your IP address, vehicle location data, dash-cam footage, login data, usernames, browser type and version, plug-in types, operating system and other technological information that may be collected when you visit our websites and portals;
• Social: this includes information you provide to us via social media (including messaging, “liking”, “following”) and other communications;

The special categories of information we might collect about you include:

• Medical and health: this includes information about your physical or mental health where it relates to driving, your employers car scheme or applying for finance for personal contract hire. This may be limited information following an accident, or information about any restrictions issued by the DVLA in relation to your driving licence or, where we act as credit brokers, information relating to vulnerability to ensure that we comply with our FCA regulations and Treating Customers Fairly policy;
• Driving related convictions and offences: this includes information about any driving-related endorsements, criminal convictions, fines and traffic offences.

What we do with your Personal Data

We will ensure that we only use your personal data where we are permitted to do so by applicable laws.  This includes the GDPR but also other laws relating to the protection of privacy and information.

Where we act as a controller data protection legislation requires us to tell you the appropriate grounds for our processing of your personal data. There are a number of legal bases for processing but the ones on which we are most likely to rely on include:

1. Legitimate interests – this means we will process your personal data in the interests of our business and providing you with services and products. We must ensure we balance your own legitimate interests when we do this and we cannot use this ground for processing if your legitimate interests override ours (unless there is another basis for processing, such as consent or compliance with laws).

2. Compliance with a legal or regulatory obligation – this means we will process your personal data where we are obliged by law to do so. For instance this could be where we need to provide a law enforcement authority with information about the driver of a vehicle because it has been involved in an incident or has received a speeding endorsement.

3. Performance of a contract – you may have agreed a contract directly with us to provide you with services (such as LeaseMyCar or if you are purchasing a vehicle at the end of a lease). If this s the case we will process your personal data in order to perform our obligations under the contract.

4. Consent – we do not use this ground very often but where we do we will ensure we have obtained it lawfully and that we give you the opportunity to withdraw it.

Our full Privacy Notice here provides you with detailed information regarding how we use your personal data but we have provided a shorter summary below:

• To provide you or your employer with services and products, including;
  • Personal contract hire services
  • Sales of ex-leased vehicles to individuals
  • Business vehicle leasing services
  • Fleet management services – which includes service, maintenance and repair, accident and incident management,
  • Short term hire services
  • Risk management and driving licence check services
  • Autobid services (a product aimed at business customers to provide competitive a quoting platform with multiple lenders)
• To provide you with details of your employer’s company vehicle schemes and how to access our websites and driver portals;
• To comply with your employer’s instructions regarding vehicle services even if you do not drive a vehicle that has been leased by us (such as recording mileage information);
• To assist you with making an application for finance and securing funding on your behalf, which shall include introducing you to financial services organisations, such as companies and banks which provide funding for leases;
• To administer fines, penalties, endorsements and other driving offences;
• To enable you to complete a survey or leave a review;
• To advise you of vehicle lease renewal and/or special offers;
• To notify you of changes to our services, terms and conditions, privacy notices;
• To advise you of any issues regarding your vehicle (such as manufacturer safety issues) or to remind you of when it is due for a service;
• To analyse and improve our website, portals, services and products and enhance and develop the customer experience;
• To receive promotional offers from us which are related to the products and services we provide;
• For the purpose of preventing and detecting fraud;
• To process a job application, obtain references and conduct background checks and screening when a candidate applies for a vacancy.

If we have collected your data for one purpose we will not use it for another purpose unless we have justification and an appropriate legal basis for doing so or we have obtained your express consent.

Cookies

Our Cookies Notice here describes how we use cookies in more detail.

Who we share your personal data with

When we provide our services to you or your employer we use a variety of suppliers to assist us.  Where we need to do so in our legitimate interests in order to fulfill our obligations to you we may have to share your personal data with these carefully selected suppliers.

We take our obligations regarding your personal data seriously and we will ensure that we comply with the requirements of the data protection legislation in relation to appointing sub-processors.  This means we will put in place with our suppliers contracts which require those third parties to protect your personal data and to only use it for the specific purposes we have instructed them to use it for.

We use a large number of suppliers so we have not provided a full list in this Privacy Notice.  We can confirm that the categories of third party that we may share your personal data with in order to provide our products and services include:

• Vehicle Manufacturers;
• IT Providers;
• Service, Maintenance and Repair Providers;
• Vehicle Breakdown and Recoveries Providers;
• Short Term Hire Providers;
• Accident and Incident Management Providers;
• Risk Management and Driving Licence Checking Providers;
• Financial Organisations, Banks and Credit Brokers;
• Credit Reference Agencies;
• Marketing Agencies;
• The Toyota Group;
• Legal, Governmental and Regulatory Authorities;

The third party suppliers may also share your data within their group of companies or other third party companies who provide services to them so that they and any other companies in their group can look after your relationship with us and them.  We will ensure that our contracts with the third party suppliers require those third party suppliers to ensure that their own contracts with their third party suppliers contain at least the minimum standard of obligations set out in the data protection legislation.

Some of our third party suppliers will be data controllers in their own right.  If they are in receipt of your personal data or they collect it from you directly they will provide you with a copy of their individual privacy notices.

If you are a Director of our corporate customer then we may send your identity and contact data to our funders so that they may complete a credit and fraud check as applicable.

Transferring Personal Data outside of the European Economic Area

We do not routinely transfer your personal data outside of the European Economic Area (“EEA”) and we use all reasonable endeavours to select suppliers who provider assurances that personal data is stored and processed within the EEA.  With any international cloud technology providers however (such as Microsoft and Salesforce) there is small possibility that personal data that is stored within the EEA is accessed outside of the EEA for technical support or account assistance.  We therefore ensure that where we use technology providers or similar suppliers who potentially access personal data from outside of the EEA we ensure that we put in place adequate measures to ensure the protection of such personal data (such as using the EU’s model clauses or the US Privacy Shield framework).

How we protect your Personal Data

KINTO has high standards in relation to the technical and organisational measures we put in place to protect your Personal Data.  We hold the ISO/IEC 27001 certification for our Information Management System and are certified under the Government backed scheme, Cyber Essentials.  We also hold the ISO9001 (quality management) and ISO 14001 (environmental management) standards.

How long we will keep your Personal Data for

We will hold your Personal Data for no longer than is necessary for the purposes for which we are processing it.  When it is no longer required we will securely dispose of it.

In certain circumstances we need to keep data for a minimum period, such as where we have to comply with a contract, or for insurance, tax, legal and financial reasons. Where this is the case we will retain it for 7 years after you have ceased being a customer.

If we have anonymised or pseudonymised your Personal Data (so you can no longer be identified by it) we may use or hold the information for longer periods without notice.

What rights you have in relation to your Personal Data

Under data protection legislation, all individuals have certain rights in relation to their Personal Data. These are summarised below but more detail is provided in our full Privacy Notice:

1. The right to be informed: this means we need to inform you of our data processing activities. We do this by providing you with this Privacy Notice.
2. The right of access: this means we need to provide you with access to your Personal Data.
3. The right of rectification: this means we must rectify your Personal Data if it is inaccurate or incomplete.
4. The right to erasure: in certain circumstances you may ask us to erase your Personal Data (the “right to be forgotten”).
5. The right restrict processing: this means we must restrict the processing of your Personal Data where it is unlawful, you have contested its accuracy, we are considering whether we have an alternative legitimate ground to process after you have objected to processing or we no longer need the data but you require it to establish, exercise or defend a legal claim.
6. The right of data portability: this means we must provide you with a method to move, copy or transfer Personal Data easily from one IT environment to another in a safe and secure way in certain circumstances. We will usually provide it to you in CSV or Excel formats.
7. The right to object: this means you have the right to object to our processing in some cases (particularly in relation to direct marketing).
8. Rights in relation to automated decision making and profiling: this means you are entitled to object to purely automated processing or decision making, including profiling, and if you do we must provide you with the opportunity to obtain human intervention, express your point of view and obtain an explanation and challenge it. There are limitations to this right however.

Please contact us if you would like to discuss or exercise these rights. For some of these rights, if we are acting as a data processor for a particular service, we may require you to contact the data controller first (which may be your employer). If you have requested these rights we will also work with our third party suppliers to ensure they are aware of your decisions.

There is no fee for exercising these rights unless your request is clearly unfounded, repetitive or excessive (and then we can charge you a reasonable fee).   If it is clearly unfounded, repetitive or excessive we may refuse your request. If we do, you may complain to the Information Commissioner’s Office (ICO).

We will try our best to respond to all legitimate requests within one month. If your request is complex or there are a number of requests from you it may take us longer, but in any event we will respond within two months.

If you wish to request one of these rights we will need to verify your identity before we do so.  We may also ask you for further information to clarify what you are asking from us.

Our full Privacy Notice may be provided upon request.

What rights you have if you are not happy with the way we process my Personal Data

If you have any concerns about the way in which we are processing your personal data please contact our Data Protection Lead in the first instance on dpo@kinto-uk.com

You also have the right to make a complaint to the Information Commissioner’s Office, whose website address is www.ico.org.uk and who can be contacted by telephone on 0303 123 1113.

This version of the Privacy Notice is dated 01 April 2020.