This Privacy Statement is applicable to processing of personal data of:

• Customers and Suppliers of DLL; and/or
• Individuals that use our services on dllgroup.com or other applicable websites. 

When we mention “Customers” in this Statement we mean: anyone who has at any time agreed to, or applied for, a (financial or Partner) solution offered by DLL, either as an end-user/client or as a Partner. Our “Partners” are equipment manufacturers and their distribution partners (from authorized distributors and independent dealers to resellers).

When we mention “Suppliers” we mean: anyone who has at any time agreed, or offered to, provide any product or service to DLL.

Within the different groups as identified above we may apply different forms of processing. If such differentiation is applicable and deemed relevant by us, we will mark that out in this Privacy Statement.  

For the avoidance of doubt. This Privacy Statement does not apply to our (former) employees and job applicants. There are separate Privacy Statements in place for these individuals.*

‘Personal data’ means any information directly or indirectly relating to an individual or any information that can be used to identify an individual. 

Personal data is ‘processed’ when any activity or set of activities is performed on the personal data. This includes the collection, storage, access, use, transfer, disclosure and removal of personal data. 

We process the following personal data:

• Contact and identification data. Name, address, telephone number, (business) e-mail address, copy of ID/passport, national identification number;
• Contract/Agreement data. Information about your financial situation, information related to our products or services, information related to obtaining financial services, bank account information, your risk profile;
• Data we require to ensure your and our security, to prevent and investigate fraud, to prevent money laundering and financing of terrorism. The personal data that are processed in the external and internal referral registers of Rabobank and in national and international sanctions lists;
• Recorded calls, (recordings of video chat and online chat sessions), documentation of e-mails. Conversations we have with you, and you have with us, by telephone or in online chat sessions. E-mails you send to us and which we receive from you. 
• Data related to the use of our website, portals or. Cookies may collect your IP address, data about the applications and devices you use to visit our website or use of our portals in the context of using our services. 

We only use your national identification number if this is legally permitted, for example to identify the ultimate beneficial owner (UBO) of an organization in accordance with our legal obligations.

Special categories of personal data are considered to be more sensitive. This can be confidential information regarding, for example, a person’s health condition, criminal record or data relating to ethnic or racial origin.

We will only process special categories of personal data where necessary for the applicable purposes. Please see below the special categories of personal data and the purpose related to it. 

We collect your personal data in the following ways:

• if you apply for a financial or Partner solution, either as an end-user/client or as a Partner;
• if you offer a product or service to us;
• when you visit our ‘DLL Group’ website (for further details, see cookie statement);
• by receiving it from third parties (e.g. personal data we receive from our Partners, Chamber of Commerce, Credit Registration Office, Companies Registry and personal data that we receive from companies to which you have given consent to share your data with us);
• if you enter your personal data on our website with the request to contact you;
• via email or telephone (if you contact us);
• when you visit a DLL office via our visitor-registration 
• from affiliates within the Rabobank Group (see paragraph 10).

By law, every personal data processing activity must have a legal basis. This is a justifiable reason to process your personal data. 

Prior to the processing of personal data, we will define the purpose(s) of the processing and will not process personal data in a manner which is not compatible with those purposes. In any event, we will obtain your consent to process your personal data to the extent it is mandatory under the local laws applicable to DLL.

We process your personal data for the following purposes:  

To enter into a Customer or Supplier relationship and contract with you.
Purposes
Prior to entering into a Customer or Supplier relationship with you, we need to process your personal data. For example, we need to do the following examinations in order to assess whether we can accept you as a Customer or Supplier:

• Integrity check: When entering into a Customer relationship with you, as a financial institution, we consult available external and internal referral registers of Rabobank, incidents registers and warning systems and national and international sanctions lists.
• Verify identity: When entering into a Customer relationship with you, as a financial institution, we confirm your identity. We can do this by making a copy of your identity document, which we will only use for identification and verification purposes.
• Know Your Customer: We believe it is important and necessary that we have good knowledge of our Customers.

For checking your integrity and identity, we may also rely on checks performed by other financial institutions.

• Credit check: We evaluate whether we can offer our services to you before entering into a Customer relationship.

As part of the evaluation we assess your credentials from a risk perspective and validate whether you are able to fulfil the payment obligations under the contract. This method is called credit scoring, which is based on automated decision-making. More details, including the logic and legal basis for automated credit scoring, are described in Paragraph 8.

Legal basis
We process your data for these purposes because we are under a legal obligation to do so and/or because it is necessary to enter into a contract with you.

To fulfil your contract.
Purposes
Once we have entered into a contract with you, we process your personal data to fulfil the contract as set out below:

• Account management and contract management: We process your personal data for the purpose of establishing and maintaining our business relationship with you. We also may contact you to seek solutions if arrears should emerge or to inform you about the remaining term or outstanding obligations.
• Services: : To provide certain services that are part of the agreement involving third parties, for example, where we perform ‘bill and collect’ services for our Partners.
• Use of (mobile) applications: We allow you to use our online services. If you use our (mobile) applications and/or portals, we collect your personal data for identity and access management purposes.
• Complaint handling: We may process your personal data to enable us to handle any complaint or claim that you might have.

Legal basis
We process your personal data for these purposes because this is necessary in order to perform the contract with you.

To comply with legal obligations.
Purposes

• Observing laws and regulations and providing data to governments, authorities and regulators: We are obliged, based on (international) laws and regulations, to collect, analyze and sometimes transfer your personal data to relevant governments or (supervisory) authorities. See also paragraph 10.
  
  We must observe laws and regulations to be able to offer financial services to you.
  
  In addition, we must observe laws and regulations to prevent fraud and criminality, such as the law for preventing money laundering and financing terrorism, which includes that we must determine the ultimate beneficial owner (‘UBO’) of the company with whom we enter into an agreement.
  
  Where tax authorities, courts or other appropriately authorized governmental authorities request your personal data, we are legally obliged to cooperate with the investigation and for that purpose disclose your personal data.
• Risk models: Based on European regulations we are legally obliged to make risk models, which can include your personal data. This allows us to determine our risks as well as the extent of the financial buffer we must hold, when providing financial services to you. These risk models calculate the chances of you getting in arrears. These enable us, to prevent possible payment difficulties and/or handle these faster.

Legal basis
We process your data because we are under a legal obligation to do so, or because we would otherwise not be permitted by law to perform an agreement with you so that we can comply with a statutory or other legal obligation. In case a law or regulation does not specifically set out that we need to process personal data to meet a legal obligation, but we do require such processing in order to meet that legal obligation we have a legitimate interest to apply such processing.

To ensure the security and integrity of you, us, and the financial sector.
Purposes
As a financial institution, we process your personal data securely and prevent fraud, money laundering and the financing of terrorism.

• Incident registers and warning systems: : If you wish to become our Customer or are already our Customer, we will consult internal (Group) incident registers and warning systems. Also, public authorities provide us with names of individuals, with whom financial institutions must not do business, or to whom the financial sector must pay extra attention. We must enter these names into our warning systems. If we consult incident registers and/or warning systems, we may enter your personal data in these registers/systems. In that case, we will notify you unless we are not allowed to do so, for example because the police ask us not to notify you in the interests of their investigation.
• Continuous integrity check and Know Your Customer: When you are our Customer, as a financial institution, we continue to consult external and internal referral registers of Rabobank, incidents registers and warning systems and national and international sanctions lists. We also perform Know Your Customer on an ongoing basis.
• Publicly accessible sources:We consult publicly accessible sources, such as public registers, newspapers and the internet, in an effort to combat fraud, anti-money laundering and prevention of terrorist financing.

Legal basis
We process your data because this is necessary in order to comply with a legal obligation. If we are not under a direct legal obligation to process your data, we process the data on the basis of the performance of a contact or in the legitimate interest of DLL, the financial sector or our Customers and employees. Such legitimate interest being the protection of the integrity and security of each of the aforementioned parties.

To help develop and improve products and services.
Purposes
We develop and improve products and services on an ongoing basis. We, our Customers or other parties benefit from such activities.

• Improving our website: We may process your personal data when analyzing your visit to our website with the aim of improving our website, portals or (mobile) apps. We use functional cookies and comparable technology for this. Where needed, we will obtain your consent (e.g. for marketing and analytical cookies). See our Cookie Statement for more information.
• Improving quality of our services: We make and may store recordings of telephone conversations, e-mail messages and online (video) chat sessions. We do this to improve the quality of our services, for example by assessing, coaching and training our employees.
• Research to improve our products and services: We may carry out research to improve our products and services, by asking you for example to voluntarily give your reaction or to review a product or service. Such research is either managed internally or we engage a third-party who will solely process your personal data on our instructions and for this purpose only.
• Creating Customer profiles and interest profiles: Analyzing personal data allows us to see how you use our products and services and to categorize you into Customer groups. This enables us to create Customer profiles and interest profiles. When producing these analyses, we also use information obtained from other parties and publicly accessible sources.

Legal basis
We process your data because we have a legitimate interest in acquiring information to improve the products and services that we offer as such enabling us to become a preferred and better qualified supplier for you and other Customers. Where needed we may also ask you for your consent to process your personal data for the purpose of developing and improving our products and services. If you do not give your consent, this will not affect the services we provide to you. You can withdraw your consent at any time.

To carry out business processes, management reporting and internal management.
Purposes
To carry out business processes, management reporting and internal management we process your personal data:

• Credit risk: Financial products involve credit risk. We have to determine the level of that risk, so that we can calculate the financial buffer we need to maintain. In connection with this, we process personal data related to your financial obligations towards us.
• Transfer of receivables/securitisation: In the event that we transfer our agreement with you to another financial institution, our agreement is taken over, or if a merger or demerger occurs, your personal data may be processed by a third party acquiring your contract with us, however, it will be a condition of any such transfer that such third party agrees to comply with applicable privacy and data protection laws and regulations.
• Internal audits and studies: Where needed, we may use your personal data to perform internal audits and investigations, for example in order to examine how well new rules have been introduced or to identify risks.
• Carry out our business processes: We use your personal data to carry out, analyze and improve our business processes so that we can help you more effectively. Where possible, we will anonymize or pseudonymize your personal data first.

Legal basis
We have a legitimate interest to categorize and establish risks that are inherent to our business, and accordingly take measures to minimize or transfer (part of) these risks and improve our business processes for the benefit of you and us.

For archiving purposes, scientific or historic research purposes or statistical purposes.
Purposes
We may process your personal data if this is necessary for archiving purposes in the public interest, scientific or historic research purposes or statistical purposes. Where possible, we will anonymize or pseudonymize your personal data first.

Legal basis
When processing personal data for archiving purposes, scientific or historic research purposes or statistical purposes, we process the data on the basis of the legitimate interest of DLL, the financial sector or our clients and employees.

Where we indicated we have a legitimate interest for processing in this paragraph, we take into regard that our legitimate interest does not override your fundamental rights and freedoms.

We will only make a decision based solely on automated processing including profiling which produces legal effects concerning you or significantly affects you, in case it is allowed by law and we have notified you.

Our credit-scoring is based on automated decision-making. 

Logic of automated credit-scoring
A pre-defined minimum-score is required to have you accepted as a Customer. The higher the score, the smaller the risk you pose to creditors. In addition, you may be disqualified by showing up on watch-lists published by the financial sector or the Rabobank Group.  

The credit-score is calculated based upon several components:

Below, we list the most important components that influence your credit score:

1. Your financial standing: Based upon personal data provided by you in the process of credit-scoring, we consult external credit rating agencies to acquire relevant financial information (credit-rating, financial statements, turn-over/solvency, payment history). If you already have or had a relation with us in the past, we combine the aforementioned (external) financial information with internal payment history related to you;
2. The applicable conditions and characteristics of the DLL Partner Program under which you apply for a financial solution;
3. Activity codes of the branch(es) in which you operate and the type of asset(s) you want to finance with us.

Significance and envisaged consequences of automated credit-scoring 
In case the minimum-score is not achieved, the automated credit-scoring results in a decline. In that case, DLL will refrain from entering into an agreement with you since we deem the risks involved for DLL too high.

Specific rights you have relating to automated decision making 
Your credit score is calculated based on automated decision making, however, this will always be balanced against your right to request a manual review of the decision.
You have the right not to be subject to a decision based solely on automated credit-scoring. Based upon the notification that automated credit scoring will be applied to you, you can object to such automated credit scoring. In that case a manual human intervention will be part of the credit scoring applied by us.
 
When automated credit scoring is finalized and you want to express your point of view and contest the (automated) decision, you also have the right to invoke human intervention. In that case a person will review and reassess the automatically generated decision.

Legal basis of the credit score

There are different applicable legal grounds that apply to different credit checks, which will vary case-by-case and are described below:

1. the decision is made by DLL for purposes of (a) entering into, or performing a contract or (b) managing the contract, provided the underlying request leading to a decision by DLL was made by you; or
2. In certain cases where the legal ground mentioned under a) does not apply to us, we may base our processing of your personal data on a legal obligation to do so. Such ground will be depending on the existence of applicable law that requires us to assess your ability to fulfill your payment-obligations under the contract with us before entering into such a contract.  
3. We, or our Partners, will ask your consent before we, or our Partners, perform a credit check or credit score.

Only personnel who require access for the purposes as stated in paragraph 5, 7 and 8 will process your personal data. All our personnel are bound by a duty of confidentiality. 

DLL will process your personal data for the purposes for which these were originally collected. Personal data may also be processed for a legitimate business purpose different from the original purpose (secondary purpose), but only if the secondary purpose corresponds to the original purpose. 

We are committed to keep your personal data secure. To prevent unauthorized access or disclosure, we have taken technical and organizational measures to safeguard and secure your personal data. These security measures are aimed at preventing your personal data from being used illegitimately or fraudulently. In particular, we use security measures to ensure the confidentiality, integrity, and availability of your data as well as the resilience of the systems and services that process them and the ability to restore data in the event of a data breach. Where possible, we aim to secure your personal data using pseudonymization or encryption measures. In addition, we test, verify and regularly evaluate the effectiveness of our technical and organizational measures in order to ensure continuous improvement in the security of processing personal data.

a. Within the Group
We are a wholly owned subsidiary of De Lage Landen International B.V., who is a wholly owned subsidiary of Coöperatieve Rabobank U.A. (‘Rabobank’ and together with its subsidiaries, the ‘Group’).

Your personal data may be shared within the Group for legitimate purposes, when those entities comply with the rules of Rabobank described in the Rabobank Privacy Code. For example, because your application for a financial product needs involvement of Rabobank when it exceeds certain hurdles.

This Rabobank Privacy Code describes the requirements that all Group entities worldwide must meet and guarantee an appropriate level of protection of personal data and serve as the Binding Corporate Rules of the Group.

b. Outside the Group
Your personal data may also be transferred to third parties outside the Group if we are legally obliged to do so, because we need to identify you before we enter into an agreement with you or because we use a third party for meeting the obligations we entered into with you. We may also pass on your personal data to tax and supervisory authorities or (national) data protection authorities.

If you do not pay on time, we may transfer your personal data to third parties that we need in the context of our services (for example, bailiffs and lawyers). 

We may pass on your personal data to Partners to work together on Customer opportunities and/or remarketing strategies. For example, we can share the start and end date of the contract or relevant developments that happen during the duration of the contract with our Partners.

We may transfer our agreement with you to another financial institution. Once the agreements have been transferred, the other party will also process your personal data. We agree with the other party that it must comply with privacy and data protection laws and regulations.

We may share personal data with third parties (such as our marketing agencies or suppliers) that process personal data on our behalf for commercial/marketing purposes. 
 
Sometimes we engage Partners and third parties for processing personal data on our instructions where it is necessary in connection with the purpose for which we collected your personal data. For example, when a Partner supports us in providing our services to you or a company that stores data for us.

We could also disclose your personal data to any relevant party, claimant, complainant, enquirer, law enforcement agency or court, to the extent necessary for the establishment, exercise or defense of legal rights in accordance with applicable law. Besides that, we could also disclose your personal data to any relevant party for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security in accordance with applicable law.

The third parties must first be deemed sufficiently reliable from a privacy and data protection perspective. We only engage third parties if this fits the purposes for which we process your personal data. In addition, these third parties can only be involved if they enter into proper contracts with us, have implemented appropriate security measures and guarantee that your personal data will remain confidential.

We do not store your personal data longer than we need to for the purposes for which we have collected it. We have implemented appropriate technical and organizational measures to ensure that only people that have a right to access your information can access it. For example, our marketing people have access for a shorter period compared to our people that require access for tax purposes.

We will delete personal data at an earlier time if you request us to delete your personal data, unless another law prevails. In certain cases, we may use different retention periods. For example, if a supervisory authority requires us to store certain personal data longer,  if you have filed a complaint that makes it necessary to keep the underlying personal data for a longer period, or in specific cases for archiving, legal proceedings, or for historical, scientific research or statistical purposes.

a. Right to access and rectification

You can ask us to access your personal data processed by us. Should you believe that your personal data is incorrect or incomplete, then you can ask us to rectify or supplement your personal data.

You can ask us to erase your personal data as processed by us. If we do not have any legal obligations or legitimate business reasons to retain your personal data, we will execute your request.

You can ask us to limit the personal data processed by us. We may refuse a restriction request if we have a lawful reason to continue the processing of the personal data (e.g. the exercise of a contract, a legal archiving duty, or the establishment, exercise or defense of legal claims).  

You have the right to ask us to receive the personal data that you provided to us in connection with a contract with us or which was provided to us with your consent, in a structured and machine readable format or to transfer your personal data to a third party. Should you ask us to transfer personal data directly to a third party, then this can only be done if it is technically possible.

You have the right to object if we process your personal data, for example if we record telephone conversations. If you object to processing, we will determine whether your personal data can indeed no longer be used for those purposes. We can then decide to cease the processing of your personal data. We will inform you about our decisions and motivations. You have also the right to request that we stop using your personal data for direct marketing purposes. We will then take steps to ensure you are no longer contacted for direct marketing purposes.

If you have given your consent to us for specific processing of your personal data, you can at any time withdraw your consent. From that moment, we are no longer allowed to process your personal data.

If you want to exercise your rights as described in paragraph 12, or for questions related to this Privacy Statement, please click the button below to submit your request.

Submit a request or complaint

We will respond within one month after we have received your request. In specific cases, we are allowed to extend this period with another 2 months. In order to process your request, we will request you to provide sufficient information to identify you. We may also request you to further specify your request.

We will do our best to handle your request, question or complaint in a timely and appropriate fashion. 

If you feel we did not handle your request, question or complaint timely or appropriately, you can also contact the DLL Group Data Protection Officer: privacyoffice@dllgroup.com.

If you still feel we did not handle your request, question or complaint timely or appropriately, you can also contact your local Data Protection Authority. You can find the contact details of your local Data Protection Authority below: 

Office of the Privacy Commissioner for Personal Data (PCPD)

Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

This Privacy Statement will be updated from time to time. For example, in case of additional legal requirements or if we process personal data for new purposes. Please note that you can find the latest version of this Privacy Statement on our website, www.dllgroup.com.