Fair Processing Notice – Loan Guarantee Arrangement
The Isle of Man Government, through the Treasury (‘the controller’), is offering a Loan Guarantee Arrangement (‘the Arrangement’) as part of a number of financial measures that are being put in place in order to provide financial assistance to local individuals and businesses that have been affected by the COVID-19 pandemic.
1. The Data Protection Law
The controller acknowledges its obligations pursuant to the Data Protection (Application of GDPR) Order 2018 and the GDPR and LED Implementing Regulations 2018 (‘the Data Protection Law’) which provides a number of requirements in terms of processing activities involving personal data. The controller further acknowledges the general principles of processing as well as the rights of a data subject, which are contained in the Data Protection Law, at Articles 5 to 22 of the Data Protection (Application of GDPR) Order 2018 in the Annex.
2. Information to be given to Data Subjects
The Data Protection Law outlines the information that must be given to data subjects before or at the time the personal data is collected from the data subject. This information can be summarised as follows:
The identity and contact details of the controller and data protection team
See the details in section 3 of this notice
Whether any of the personal data is special category data
None of the personal data collected by the controller for the Arrangement constitutes special category data, as defined by the Data Protection Law.
The source of the personal data
None of the personal data processed for the purpose of the Arrangement has been collected from a publically available source. All of the personal data has been collected directly from the respective lenders (banks and other lending companies) or their professional advisors which collected the personal data directly from the individual(s) requesting financial support via the Arrangement.
The purposes and the legal basis of the processing
The personal data collected for the purposes of the Arrangement is:
- the full name of the applicant and in the case of a body corporate this will include the directors and other significant living individuals who control the applicant’s business
- accompanying financial information including the amount of new loan or overdraft under the Arrangement and the purposes for which it is to be used
- Whether the applicant has previously applied for a loan or overdraft and any information as to why it was refused or approved
- the amount of existing borrowing facilities and current sums advanced or committed
- repayment term of loan (length of period)
- details of any security taken against the new borrowing
- confirmation that the payments on existing borrowings are up to date, or details of any arrears, any holiday period that has been granted and any revised terms during the life of the loan.
The controller may also hold and process personal data belonging to employees of:
- Applicants and their professional advisors
- Lenders and their professional advisors
The lending companies will process applications received from customers, including determining whether the application is eligible for the Arrangement, and will make a decision whether to approve or decline the application. There may be an automated process for some of the Arrangement which is operated by the lending company, and the applicant will need to review the lending company’s privacy statement to find out if any decisions are subject to automated decision making.
The lending companies will then provide details of the customer applications, both approved and declined, in order that the controller can monitor and calculate their exposure and therefore future liability under the Arrangement. Once an application has been approved, the controller will then process the personal data in order to give effect to the support offered by the Arrangement.
The lawful basis for the processing by the controller is that processing is necessary for the exercise of performance by a public authority of a function that is of a public nature, or a task carried out in the public interest (contained in Article 6(e) of the Data Protection (Application of GDPR) Order 2018)). In provision of the Arrangement, the controller intends to provide for financial assistance in the exceptional circumstances of the COVID-19 pandemic, using powers in the Financial Provisions and Currency Act 2011.
Where the lawfulness of processing is based on the processing being necessary for the legitimate interests of the controller or a third party, the legitimate interests concerned
The controller is not relying on “legitimate interest” as a lawful basis for processing.
The recipients or categories of recipients of the personal data, if any
The personal data may be disclosed to:
- Other Departments, Boards or Offices of the Isle of Man Government; and/or
- Professional advisors of the Isle of Man Government;
- Banks and other financial institutions engaged by the Isle of Man Government in relation to the Arrangement
Personal data transferred to an authorised or an unauthorised jurisdiction
Personal data may be transferred to the following jurisdictions under the Arrangement:
- Jersey,
- Guernsey,
- United Kingdom.
Although Isle of Man branches of a bank may administer the application process, certain levels of approvals are often sought, or advice in other jurisdictions from ‘group’ arrangements such that branches in the Isle of Man will locally administer but may transfer data outside of the Isle of Man.
The period for which the personal data is expected to be stored
The personal data will be stored by the controller 6 years following the date of the loan being repaid by the applicant under the Arrangement or written off by the controller. Full privacy information, including the retention schedule for documents held by the controller which can be found here.
The data subject rights under the Data Protection Law
For more information in relation to the data subject rights:
- Visit the controller’s privacy notice
- Contact the Data Protection Officer for the controller by e-mail
- Find an explanation of data protection law, and privacy information for other organisations within the Isle of Man Government; or
- Visit the website for the office of the Isle of Man Information Commissioner.
- Review the Data Protection Law:
- Data Protection (Application of GDPR) Order 2018 (see Articles 5-22 of the Annex to the Order)
- GDPR and LED Implementing Regulations 2018
Where the lawfulness of processing is based on consent, the existence of the right to withdraw consent at any time
When applying for financial support under the Arrangement, individuals provide their consent to processing until such a time as their application is approved by the controller. Individuals can withdraw their consent at any time and their application will be withdrawn. Once an application has been approved, the lawful basis for processing relates to the contractual agreement in place between the controller/lender, and the applicant.
The right to complain to the Information Commissioner
Please see section 3 of this notice
Decisions made based on automated processing
No processing decisions will be based on automated processing.
3. Contact Details
The contact details of the controller are as follows:
Financial Governance Division
Treasury
First Floor
Central Government Office
Bucks Road
Douglas
Isle of Man
IM1 3PX
The contact details for the controller’s Data Protection Officer are as follows:
Email:DPO-Treasury@gov.im
Website: www.gov.im/about-the-government/departments/the-treasury/privacy-notice/
Telephone: +44 1624 686791
The contact details for the Isle of Man Information Commissioner are as follows:
The Office of the Information Commissioner
Prospect Hill
Douglas
Isle of Man
IM1 1ET
E-mail ask@inforights.im
Website: www.inforights.im
Telephone: +44 1624 693260