IVA Watch Limited trading as Watch Portfolio Management (which hereafter may be referred to as ‘WPM’, ‘IVAW’, ‘we’, ‘our’, or ‘us’) provides the regulated activities of Debt administration and Providing credit information services. WPM are a ‘creditor agent’ acting on behalf of certain banks, building societies, asset management companies, and debt purchasers (our clients) in connection with their portfolios of personal insolvency and debt repayment plans.
We review Individual Voluntary Arrangement (IVA), Bankruptcy, Trust Deed (TD) and sequestration proposals sent by Insolvency Practitioners, and we vote on behalf of creditors which we represent. We also handle other documentation during the life of the IVA or TD until the arrangement ends.
As part of our service for one of our clients, we also arrange updates to credit files with the Credit Reference Agencies.
We do not provide consumers with financial advice.
We perform a similar service for some clients in relation to their customers in the Republic of Ireland proposing for a Personal Insolvency Agreement (PIA), a Debt Settlement Arrangement (DSA) or a Debt Relief Notice (DRN). That service is not a regulated activity defined by the Central Bank of Ireland.
Details of the data controller
Purpose of the processing and the lawful basis for the processing
Categories of individuals
Categories of personal data
Recipients of the personal data
Transfers to third country and safeguards
Data retention period
The General Data Protection Regulation (GDPR) was adopted by the EU in 2016, and the UK government agreed to adhere to it. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation.
In respect of our activities acting as a creditor agent (see ‘Our Service’ above), we receive data from other parties relating to consumers who are /have been account holders of these creditors (our clients). We process and hold this data with permission from our clients (the data controllers) to perform the service contracted by our clients, and in this respect we are data processors.
Our Data Protection Registration Number is Z3499105. Our contact details are shown below.
WPM’s lawful bases for processing are consent and contract.
When individuals enter into a credit agreement (eg for a loan or credit card) this is a legally binding agreement and the creditor has the legal right under contract to receive monies due. Some initial lenders sell some accounts to other firms, ie debt purchasers, who we may also act for.
When an individual is having difficulty making repayments when they fall due in connection with their unsecured loan, credit card, etc, and they contact an Insolvency Practitioner (or Personal Insolvency Practitioner for residents of the Republic of Ireland), they may put forward a proposal to the creditors noting that they are insolvent and offering to pay off monies owed over a period of time. Such proposals include the individuals’ explicit consent to share relevant data, including personal information, with the creditors and/or their representatives. When a proposal is accepted, this is a contract with the creditor.
Creditors (the data controller) may decide to outsource processing of insolvency arrangements to creditor agents like us (the data processor) and this is arranged under contract. In acting as agent for creditors, we will receive information in the IVA or Trust Deed proposal (or PIA, DSA or DRN in RoI) and related information which will enable us to assess the viability of the proposed arrangement and, if approved, to manage the arrangement until it ends.
In performing our service we receive, process and hold personal data relating to individuals (customers of our clients), who are proposing to enter or have entered an IVA, Trust Deed, or other debt management arrangements.
In performing our service we receive, process and hold the following types of personal data: name of individual, contact details (including past & present postal address and on occasions email address and telephone number), date of birth, gender, marital status, number and age of any dependants, employment status, occupation, employer name, residential status, together with account reference, balance of account(s), details of any joint account holders, reason for debt, nature of contribution, personal and household income and expenditure information, assets, name of insolvency practitioner /representative, court records of debt judgments and other publicly available sources. On occasions, we may receive information indicating that a consumer is vulnerable along with information about the consumer’s physical or mental health.
Creditors – When we receive information relating to an insolvency proposal, we contact the creditor to get confirmation of the balance owed. The creditors will already hold consumer information and they are the data controller. If we are advised that a consumer is vulnerable, we will advise the creditor as required.
Insolvency Practitioners (or Personal Insolvency Practitioners in RoI) – We receive consumer data via Insolvency Practitioners and we provide them with details of balances owed by consumers for the purposes of fulfilling our service.
Credit Reporting Agencies – CRAs are companies that maintain websites to allow consumers to monitor and check their personal credit history. Updated consumer credit information is sent to Credit Reporting Agencies, eg. Experian, Call Credit and Equifax, for them to update their registers. Experian have provided a document describing how the three main credit reference agencies use and share your personal data (also called ‘bureau data’) www.experian.co.uk/crain
Government bodies and agencies in the UK and Ireland – eg the Financial Conduct Authority in the event of an audit or fraud prevention agencies.
The UK left the EU on 31 January 2020 and entered a transition period, which ended on 31 December 2020.
Restricted transfers from the UK to other countries, including to the EEA, are now subject to transfer rules under the UK regime. These UK transfer rules broadly mirror the EU GDPR rules, but the UK has the independence to keep the framework under review.
There are transitional arrangements which aim to smooth the transition to the new UK regime.
First, there are provisions which permit the transfer of personal data from UK to the EEA and to any countries which, as at 31 December 2020, were covered by a European Commission ‘adequacy decision’. This is to be kept under review by the UK Government.
The UK government has the power to make its own ‘adequacy decisions’ in relation to third countries and international organisations. In the UK regime these are now known as ‘adequacy regulations’.
The EEA consists of the following countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
The Financial Conduct Authority requires us to keep most records for at least 5 years. It is our practice to retain most data for 6 years after the termination of the arrangement that we are involved in managing. Some of our clients may ask us to retain data for longer, eg 7 years. After this period, we remove personally identifiable data from our records.
The right to be informed – you have the right to be informed and we have provided this Privacy Notice to provide you with the relevant information.
The right of access – Individuals have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information (most of which is contained in this Privacy Notice).
In respect of data we receive, hold and process in connection with our service, we are a data processor and we process this data on behalf of the creditors (our clients) which are the data controller. If you would like a permanent copy of the data which you believe the data controller holds on you, then a Subject Access Request can be made in writing either by hardcopy or email. The data controller has up to one month to respond to your request. There will usually not be a fee. You will need to provide adequate identification before your request is processed. If the data controller refuses your request, they will tell you why and you will have the right to complain to the Information Commissioner’s Office and to take court action if deemed necessary.
The right to rectification – You have the right to obtain from the data controller, without undue delay, the rectification of inaccurate or incomplete personal data that they hold concerning you. The data controller will have up to one month from their receipt to comply with a data rectification request. This can be extended by two months where the requests for rectification are complex.
The right to erasure (also known as the ‘right to be forgotten’) – You have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This does not provide an absolute ‘right to be forgotten’. Individuals have the right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (ie otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
In such cases you can write to the data controller to ask them to erase your personal data. Where we or the data controller have to retain records in line with the Data retention period stated above, it may not be possible to complete your request.
The right to restrict processing – You have the right to ‘block’ or suppress processing of personal data.
Subject to exemptions, you have the right to obtain from the data controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by you and is restricted until the accuracy of the data has been verified;
- the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction in its use;
- the data controller no longer needs the personal data for the purposes of processing, but it is required by you for the establishment, exercise or defence of legal claims;
- you have objected to the processing of your personal data pending the verification of whether there are legitimate grounds for the data controller to override these objections.
If the data controller restricts processing, we are permitted to store the personal data, but not further process it.
The right to data portability – The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
All data received by us in the course of the activity described above will be deemed to form part of the service which we provide as a data processor for our clients /the creditor (data controllers). Therefore, to exercise your right to portability, you will need to contact the data controller directly.
The right to object – You have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
We process data under contract with our clients, and do not perform the activities listed above. However, if you believe that any of your data is processed in one of the forms listed above and wish to object to such processing, you can address such requests to the data controller.
The rights related to automated decision making including profiling – You have the right not to be subject to a decision when:
- it is based on automated processing; and
- it produces a legal effect or a similarly significant effect on the individual.
WPM do not currently conduct any automated decision making.
Invoking your rights
If you would like to invoke any of the above data subject rights with us, please write to our Head of Operations & Compliance, at Watch Portfolio Management, Units 3 & 4, Lagan House, Sackville Street, Lisburn, BT27 4AB, or email email@example.com.
Data anonymisation and aggregation
Your personal data may be converted into statistical or aggregated data which cannot be used to identify you, then used to produce statistical research and reports.
Questions and queries
If you have any questions or queries which are not answered by this Privacy Notice, or have any concerns about how we may use your personal data, please write to our Head of Operations & Compliance, at Watch Portfolio Management, Units 3 & 4, Lagan House, Sackville Street, Lisburn, BT27 4AB, or phone 028 9260 0700, or email firstname.lastname@example.org.
Further information on your data privacy rights is available on the website of the Information Commissioner’s Office https://ico.org.uk