Kent and Medway Business Fund (KMBF) privacy notice
Kent County Council respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.
This notice explains what personal (information) data we hold about you, how we collect, how we use it and how we may share information about you.
This privacy notice is in relation to the Kent and Medway Business Fund (KMBF).
Who we are
We are part of Kent County Council. When we collect and use personal information we are regulated under the United Kingdom General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 and we are responsible as ‘controller’ of that personal information for the purposes of those laws. Our Data Protection officer is Ben Watts.
The personal information we collect and use
Information collected by us
The Kent & Medway Business scheme is funded by recycled loan repayments from the former Regional Growth Fund schemes (Expansion East Kent, TIGER and Escalate) and aims to deliver investment to businesses across Kent and Medway. The scheme primarily offers 0% loans to small and medium sized businesses with the potential to create new jobs and growth within the Ashford, Canterbury, Dartford, Dover, Folkestone & Hythe, Gravesham, Maidstone, Medway, Sevenoaks, Swale, Thanet, Tonbridge & Malling and Tunbridge Wells local authority areas. Loans can be used to develop new or expand existing products, services, or processes, where these will lead to new jobs, deliver business growth and improve productivity.
To enable us to administer these schemes, KCC collect and hold the following details about your business, its officers and your employees:
- your name, postal address and contact details (email and telephone number), including personal information you provided to KCC when you applied for a loan, (such as: your passport, driving licence, official tax notification, council tax bill, utility bill, bank or building society statement, credit card statement, company accounts, self employed accounts)
- the names and addresses of your employees, including personal information, you provide to KCC during the monitoring period of your loan to support evidencing of job creation (such as contracts of employment, offers of employment, pay slips and payroll reports)
- we also collect, anonymously, sensitive personal data such as gender, age, ethnic origin, health, religion and sexuality as part of our Equality Impact Assessment monitoring.
We also obtain personal information from other sources with your written consent from:
- mortgage and finance companies who have a charge secured on property owned by you if you have offered that property as security of a KCC loan.
We are required by law to check the identity of our loan applicants. This makes it more difficult for criminals to use financial systems, or to use false names and addresses, or to steal the identities of innocent people. Checking identity is an important way of preventing money laundering and other criminal activities To enable us to meet this obligation we will require you to provide certain documents (such as: your passport, driving licence, official tax notification, council tax bill, utility bill, bank or building society statement, credit card statement, company accounts, self employed accounts) to confirm your name and address.
KCC uses your personal information to consider your application to open, maintain and manage your account file and to deal with enquiries you may make or authorise. We collect this information from you directly, from third parties, such as banks or building societies or other financial institutions and your legal representative when authorised to act on your behalf, or from other organisations such as credit reference agencies. When we ask you for this information we explain to you what we need it for and how we plan to use it.
Reasons we can collect and use your personal information
We rely on the following Article 6 (1) clauses of the UK GDPR as the lawful basis on which we collect and use your personal information.
(a) We need your clear written consent by your signature on declaration forms at the application stage for us process your personal data when you submit an application for funding.
(b) We need this information prior to entering into the loan contract and to monitor the performance of the loan contract to which the data subject is party to, in order to take steps.
(c) The application and monitoring process is necessary for compliance with a legal obligation to which we are subject to.
You may withdraw your consent at any time. If you do withdraw your consent no further personal information will be collected and the existing personal information shall only be retained in accordance with KCC’s data protection policy. If you do not provide the information or withdraw your consent your loan application will not be able to be considered.
All applications for a KCC loan awarded under the Kent and Medway Business Fund scheme will be subject to a risk assessment, carried out by an accounting firm (external third party), that will form part of any decision.
Credit checking and fraud prevention
When you apply for a KCC loan and where we believe there may have been a change in your circumstances, we may use the information you give us to assess any business risk by obtaining credit references or to check against information held by The Insolvency Service.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Who we share your personal information with
We routinely share information within KCC about you for all purposes necessary for processing your application with and for:
- updates on scheme progress and quality of applications forthcoming or received
- making lending decisions
- assisting in verifying your identity
- assessing risks
- legal compliance
- preventing or detecting financial crime.
With other organisations
KCC may routinely disclose your information to other people or organisations if any of the following applies:
- We have your consent.
- Members of our independent Investment Advisory Board for the purposes of informing them of the progress and quality of applications forthcoming or received, and to inform their recommendations to KCC as to whether to approve or reject your application for funding.
- Invicta Law Limited, or any other duly appointed legal representative for the purposes of them providing services on behalf of KCC in the production of legal agreements and associated documents in accordance with a loan administered by the Kent and Medway Business Fund.
- Credit reference agencies for verifying information you have given us for example verifying your income when assessing you for a loan.
We will share personal information with law enforcement or other authorities if required to do so by applicable law.
We will share personal information with law enforcement or other authorities if required by applicable law or in connection with legal proceedings.
We will share personal information with our legal and professional advisers in the event of a dispute, complaint or claim. We rely on Article 9(2)(f) where the processing of special category data is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
How long your personal data will be kept
If your application is successful, we will hold your personal information for 10 years from the date of loan for us to comply with any statutory or legal obligations or for audit purposes. It will be stored securely.
If your application is unsuccessful, we will hold your personal information for 6 years when it will be securely destroyed.
Under the UK GDPR, you have rights which you can exercise free of charge that allow you to:
- know what we are doing with your information and why we are doing it
- ask to see what information we hold about you
- ask us to correct any mistakes in the information we hold about you
- object to direct marketing
- make a complaint to the Information Commissioners Office.
Depending on our reason for using your information you may also be entitled to:
- ask us to delete information we hold about you
- have your information transferred electronically to yourself or to another organisation
- object to decisions being made that significantly affect you
- object to how we are using your information
- stop us using your information in certain ways.
We will always seek to comply with your request but we may be required to hold or use your information to comply with legal duties. Please note that your request may delay or prevent us from considering your application for a loan.
For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the United Kingdom General Data Protection Regulation.
If you would like to exercise a right, please contact the Information Resilience and Transparency Team at firstname.lastname@example.org.
Your right to withdraw your consent
Where we rely on your consent to process your personal information, you can withdraw your consent to our use of your data at any time.
You can do this by contacting the KMBF Programme Management team at email@example.com.
Who to contact
Please contact the Information Resilience and Transparency Team at firstname.lastname@example.org to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.
You can contact our Data Protection Officer, Benjamin Watts, at email@example.com.
For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.