Data protection policy | Chaser

Data protection policy

1. Introduction

1.1 This Data Protection Policy sets out how Chaser Technologies Limited (”Chaser,we,us,our”) handles the personal data of its customers, suppliers, employees, workers and other third parties. Our registered address is 124 City Road, London, England, EC1V 2NX. Chaser is registered with the Information Commissioner’s Office, under registration reference ZA068741.

1.2 This Data Protection Policy uses words and terms defined in Data Protection Laws. These terms and definitions are set out in Section 3 below to help you understand this policy.  

1.3 This Data Protection Policy applies to all Personal Data Chaser processes, regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subject. It helps set out Chaser’s legal obligations and processes which Staff must follow. Please refer to Chaser’s Staff Privacy Notice which provides further information on how Staff personal data is processed and protected.

1.4 This Data Protection Policy applies to all Staff (“you”, “your”). You must read, understand and comply with this Data Protection Policy when processing Personal Data on Chaser’s behalf and attend data protection training when requested. This Data Protection Policy sets out what Chaser expects from you in order for Chaser to comply with applicable law (and although not all sections of this policy may be relevant to all Staff, you should make sure you read and understand all of this Policy). Your compliance with this Data Protection Policy is mandatory. If you are an employee, any breach of this Data Protection Policy may result in disciplinary action. If you are a non-employee, any breaches of this Data Protection Policy may result in Chaser terminating your contract with immediate effect.

1.5 This Data Protection Policy does not form part of an employee’s contract of employment and may be amended from time to time. This Data Protection Policy (together with Related Policies) is an internal document and cannot be shared with third parties, clients or regulators without prior authorisation from the Data Protection Lead.

2. Purpose and scope

2.1 The types of Personal Data that Chaser may be required to handle includes information about current, past and prospective customers, business contacts, employees, Staff, and other individuals Chaser communicates or engages with. Personal Data, which may be held on paper, electronically, or other formats, is subject to certain legal safeguards specified in the Data Protection Laws.

2.2 Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. Chaser is exposed to potential fines of up to £17.5 million or 4% of Chaser’s total annual turnover, whichever is higher and depending on the breach, for failure to comply with the provisions of Data Protection Laws. Personal Data Breaches also carry the risk of significant civil sanctions for individuals and in some circumstances, can amount to a criminal offence.

2.3 We are not required under Data Protection Laws to have a Data Protection Officer, but we have appointed a Data Protection Lead. The Data Protection Lead is responsible for overseeing this Data Protection Policy and developing Related Policies. That post is held by Dean Norris and can be contacted on privacy@chaser.io. 

2.4. Please contact the Data Protection Lead with any questions about the operation of this Data Protection Policy, how it applies to your role or Data Protection Laws or if you have any concerns that this Data Protection Policy is not being followed. In particular, you must always contact the Data Protection Lead in the following circumstances:

2.4.1 if you are unsure of the lawful basis which you are relying on to process Personal Data (including the legitimate interests used by Chaser) (see Section 5.1 below);2.4.2 if you need to rely on Consent;
2.4.3 if you need to draft privacy notices;
2.4.4 if you need any assistance dealing with any rights exercised by a Data Subject;
2.4.5 if you are unsure about the retention period for the Personal Data being processed;
2.4.6 if you are unsure about what security or other measures you need to implement to protect Personal Data;
2.4.7 if you need help with any contracts or other areas in relation to sharing Personal Data with third parties;
2.4.8 if there has been a Personal Data Breach;
2.4.9 if you are unsure on what basis to transfer Personal Data outside the UK;
2.4.10 whenever you are engaging in a significant new, or change in, processing activity which is likely to require a DPIA or plan to use Personal Data for purposes other than those for which it was collected;
2.4.11 if you need help complying with applicable law when carrying out direct marketing activities; or
2.4.12 if there is anything in this Data Protection Policy that you do not understand or need support with.

3. Definitions

Automated Decision Making (ADM): when a decision is made which is based solely on automated processing (including profiling) which produces legal effects or significantly affects an individual;

Consent: agreement must be freely given, specific, informed and be an unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of Personal Data relating to them;

Criminal Records Information: means personal information relating to criminal convictions and offences, allegations, proceedings, and related security measures;

Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce high risk data processing activities. DPIAs should be conducted for all major system or business change programmes involving the processing of Personal Data and the circumstances detailed in Section 16;

Data Controller: an entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In this case this is Chaser unless defined otherwise.

Data Processor: includes any person or organisation that processes Personal Data on behalf of a Data Controller and in accordance with the Data Controller’s instructions;

Data Protection Laws: the Data Protection Act 2018, the General Data Protection Regulation (EU) (2016/679) as retained and implemented into domestic legislation by the Data Protection Act 2018 (known as ‘UK GDPR’), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (known as ‘PECR 2003’), the Data (Use and Access) Act 2025 and other domestic legislation relating to the processing of Personal Data as they may be enacted, amended or replaced from time to time. Personal Data is subject to the legal safeguards specified in Data Protection Laws;

Data Protection Officer: shall be an individual appointed to oversee Chaser’s compliance with Data Protection Laws;

Data Subject: means the individual to whom the personal information relates;

Explicit Consent: Consent which requires a very clear and specific statement (that is, not just action);

ICO: Information Commissioner’s Office, subsequently to be known as the Information Commission;

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that Chaser can identify (directly or indirectly) from that data alone or in combination with other identifiers that Chaser can reasonably access;

Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical administrative or organisational safeguards that Chaser or Chaser’s third party service providers put in place to protect it, for example and without limitation: loss or theft of data or equipment on which personal information is stored; unauthorised access to or use of personal information either by a member of staff or third party; loss of data resulting from an equipment or systems (including hardware and software) failure; human error, such as accidental deletion or alteration of data or sending data to the wrong person; unforeseen circumstances, such as a fire or flood; deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and ‘blagging’ offences, where information is obtained by deceiving the organisation which holds it;

process, processing, processed: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties;

pseudonymisation or pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms (for example replacing names with reference numbers) so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure;

Related Policies means Chaser’s Information Security Policy, Retention Policy and Data Breach Policy as updated and communicated from time to time.

Special Category Data: means personal data revealing an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and includes genetics information, biometric data (where used to identify an individual) and data concerning an individual’s health, sex life or sexual orientation, or as updated from time to time by Data Protection Laws; and

Staff: current and former employees, workers, agency staff, contractors, consultants and other temporary staff engaged by Chaser.

4. Data protection principles

4.1 Chaser will comply with the following data protection principles when processing personal information:

  • 4.1.1 we will process personal information lawfully, fairly and in a transparent manner;
  • 4.1.2 we will collect personal information for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes;
  • 4.1.3 we will only process the personal information that is adequate, relevant and necessary for the relevant purposes;
  • 4.1.4 we will keep accurate and up to date personal information, and take reasonable steps to ensure that inaccurate personal information are deleted or corrected without delay;
  • 4.1.5 we will keep personal information in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the information is processed; and
  • 4.1.6 we will take appropriate technical and organisational measures to ensure that personal information are kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

5. Basis for processing personal information

5.1 Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

5.2 Personal Data will only be collected, processed and shared fairly and lawfully and for specified purposes. Data Protection Laws set out and restrict the different lawful purposes that Chaser can use to process Personal Data. These restrictions are not intended to prevent processing, but ensure that Chaser processes Personal Data fairly and without adversely affecting the Data Subject.

5.3 Data Protection Laws allows processing for specific purposes (lawful bases), some of which are set out below:

5.3.1 the Data Subject has given their Consent;

5.3.2 the processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

5.3.3 that the processing is necessary for compliance with a legal obligation to which Chaser is subject;

5.3.4 that the processing is necessary for the protection of the vital interests of the Data Subject or another natural person; or

5.3.5 that the processing is necessary for the purposes of legitimate interests of Chaser or a third party, except where those interests are overridden by the interests of fundamental rights and freedoms of the Data Subject.

5.4 Processing may also be carried out under the "Recognised Legitimate Interests" lawful basis, as introduced by the Data (Use and Access) Act 2025. This includes processing for crime prevention, safeguarding, responding to emergencies and other defined purposes. Where we rely on this basis, we will document our justification and ensure appropriate safeguards are in place.

5.5 Except where the processing is based on Consent, Chaser will satisfy itself that the processing is necessary for the purpose of the relevant lawful basis (i.e. that there is no other reasonable way to achieve that purpose) and will take the following steps:

5.5.1 document our decision as to which lawful basis applies, to help demonstrate our compliance with the data protection principles;

5.5.2 include information about both the purposes of the processing and the lawful basis for it in our relevant privacy notice(s);

5.5.3 where Special Category Data is processed, also identify a lawful special condition for processing that information, and document it; and

5.5.4 where criminal offence information is processed, also identify a lawful condition for processing that information, and document it.

  •  

6. Consent

6.1 A Data Subject Consents to processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity shall not be sufficient. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.

6.2 Data Subjects must be easily able to (and be aware that they can) withdraw Consent to processing at any time and withdrawal must be promptly honoured. Consent may need to be obtained again if Chaser intends to process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first provided Consent.

6.3 Where Chaser processes Special Category Data, it must ensure that the processing complies with the requirements of Data Protection Laws, including identifying an appropriate condition for processing. Where Explicit Consent is identified as the appropriate condition, Chaser must issue a privacy notice to the Data Subject and obtain their Explicit Consent before processing.

7. Transparency (notifying data subjects)

7.1 Data Protection Laws require Chaser to provide detailed, specific information to Data Subjects (depending on whether the information was collected directly from Data Subjects or from elsewhere). This includes informing them that their calls are being recorded. Such information must be provided through appropriate privacy notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.

7.2 Whenever Chaser collects Personal Data directly from Data Subjects, including for human resources or employment purposes, Chaser must provide the Data Subject with all the information required by Data Protection Laws including but not limited to the identity of the Data Controller and the data protection lead, how and why Chaser will use, process, disclose, protect and retain that Personal Data through a privacy notice which must be presented when the Data Subject first provides the Personal Data.

7.3 When Personal Data is collected indirectly (for example, from a third party or publicly available source), Chaser must provide the Data Subject with all the information required by Data Protection Laws as soon as possible after collecting/receiving the data. Chaser must also check that the Personal Data was collected by the third party in accordance with Data Protection Laws and on a basis which contemplates Chaser’s proposed processing of that Personal Data.

8. Data subject rights

 

8.1 Data Subjects have rights when it comes to how Chaser handles their Personal Data and can exercise these rights at any time. These include rights to:

The right

What this means for the Data Subject

The right to access

The right to be provided with a copy of their personal data.

The right to have their information corrected (“right to rectification”)

The right to require Chaser to correct any mistakes in their Personal Data.

The right to have their information deleted (“right to erasure” or the “right to be forgotten”)

The right to require Chaser to delete their personal data – in certain circumstances.

The right to object

The right to object:

  • at any time to their personal data being processed for direct marketing (including profiling).
  • in certain other situations to Chaser’s continued processing of their personal data (e.g., processing carried out for the purpose of our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims).

The right to restrict processing

The right to require Chaser to restrict processing of their Personal Data in certain circumstances.

The right to data portability

The right to receive the personal data provided to Chaser, in a structured, commonly used and machine-readable format and/or transmit that data to a third party – in certain circumstances.

The right to withdraw their Consent at any time

If Data Subjects have provided Chaser with Consent to use their personal data, they have a right to withdraw that Consent easily at any time.

The right to complain

Data Subjects can raise a complaint with Chaser directly if they believe there has been an infringement of Data Protection Laws. Chaser has to investigate and provide the complainant with a response.


8.2 You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation). You must immediately forward any Data Subject request you receive to the Data Protection Lead.

9. Special category data

9.1 Chaser may from time to time need to process Special Category Data. We will only process Special Category Data if:

9.1.1 we have a lawful basis for doing so as set out in paragraph 5.3 above, e.g. it is necessary for the performance of the employment contract, to comply with Chaser's legal obligations or for the purposes of Chaser's legitimate interests; and

9.1.2 one of the special conditions for processing sensitive personal information applies, e.g.:

9.1.2.1 the Data Subject has given Explicit Consent;

9.1.2.2 the processing is necessary for the purposes of exercising the employment law rights or obligations of Chaser or the Data Subject;

9.1.2.3 the processing is necessary to protect the Data Subject's vital interests, and the Data Subject is physically incapable of giving Consent;

9.1.2.4 processing relates to personal data which are manifestly made public by the Data Subject;

9.1.2.5 the processing is necessary for the establishment, exercise or defence of legal claims; or

9.1.2.6 the processing is necessary for reasons of substantial public interest.

9.2 Before processing any Special Category Data, Staff must notify the Data Protection Lead of the proposed processing, in order that they may assess whether the processing complies with the criteria noted above.

9.3 Special Category Data will not be processed until:

9.3.1 the assessment referred to in paragraph 9.2 has taken place; and

9.3.2 the individual has been properly informed (by way of a privacy notice or otherwise) of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.

9.4 Chaser will not carry out automated decision-making (including profiling) based on any individual's Special Category Data.

9.5 In relation to Special Category Data, Chaser will comply with the procedures set out in paragraphs 9.6 and 9.7 below to make sure that it complies with the data protection principles set out in paragraph 4 above.

9.6 During the recruitment process: senior management will ensure that (except where the law permits otherwise):

9.6.1 during the short-listing, interview and decision-making stages, no questions are asked relating to Special Category Data, e.g. race or ethnic origin, trade union membership or health;

9.6.2 if Special Category Data is received, e.g. the applicant provides it without being asked for it within their CV or during the interview, no record is kept of it and any reference to it is immediately deleted or redacted;

9.6.3 any completed equal opportunities monitoring form is kept separate from the individual's application form, and not be seen by the person shortlisting, interviewing or making the recruitment decision;

9.6.4 'right to work' checks are carried out before an offer of employment is made unconditional, and not during the earlier short-listing, interview or decision-making stages;

9.6.5 we will only ask health questions once an offer of employment has been made.

9.7 During employment: senior management will process:

9.7.1 health information for the purposes of administering sick pay, keeping sickness absence records, monitoring staff attendance and facilitating employment-related health and sickness benefits;

9.7.2 Special Category Data for the purposes of equal opportunities monitoring and pay equality reporting (where possible this will be anonymised); and

9.7.3 trade union membership information for the purposes of staff administration and administering 'check off'.

 

10. Criminal records data

Please see Special Category Data Section for more details.

 

11. Purpose Limitation

11.1 Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.

11.2 Chaser cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless Chaser has informed the Data Subject of the new purposes and they have Consented where necessary, or where an exemption applies e.g. where further processing is undertaken for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes.

11.3 When assessing whether Personal Data for a new purpose is compatible with the purpose for which it was collected ("assessed compatibility"), Chaser will take the following into account: (a) any link between the original purpose and the new purpose; (b) the context in which the Personal Data was collected, including Chaser's relationship with the Data Subject; (c) the nature of the processing (and in particular, whether it includes any Special Category Data, or criminal offence data); (e) the possible consequences of the intended processing for the affected Data Subject(s); and (f) the existence of appropriate safeguards, such as encryption.

11.4 Processing for a new purpose will be deemed compatible with Chaser's original purpose ("deemed compatibility"), where: (a) the data subject has consented and the new purpose is specified, explicit and legitimate; (b) the processing meets a condition in Annex 2 of the GDPR; or (c) the processing is necessary to safeguard an objective listed in Article 23(1)(c) – (j) GDPR and is authorised by an enactment or rule of law.

12. Data Minimisation

12.1 Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.

12.2 You may only collect Personal Data that you require for your job duties: do not collect excessive data that is not necessary to achieve the purpose. Ensure any Personal Data collected is adequate and relevant for the intended purposes and that you only process Personal Data when performing your job duties which require it.

12.3 You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with Chaser’s Data Retention Policy.

13. Accuracy

13.1 Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

13.2 You will ensure that the Personal Data we use, and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards (where applicable) and take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data. In terms of your own Personal Data, you should let the HR team know if the information you have provided to us changes, for example, if you move house or change details of the bank or building society account to which you are paid.

14. Storage Limitation

14.1 Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is Processed.

14.2 You must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.

14.3 Chaser will maintain retention policies and procedures to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time.

14.4 You will take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with Chaser's Data Retention Policy. This includes requiring third parties to delete such data where applicable.

14.5 You will ensure Data Subjects are informed of the period for which Personal Data is stored and how that period is determined in any applicable Privacy Notice.

 

15. Protecting Personal Data

15.1.1 Personal Data must be kept secure by using appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.

15.1.2 We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.

15.1.3 You are responsible for protecting the Personal Data we hold. You must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. You must exercise particular care in protecting Special Category Data from loss and unauthorised access, use or disclosure and you must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction.

15.1.4 If you identify any failures or errors with any of our security measures or errors, including other Staff not following our measures, you must inform our Data Protection Lead as soon as possible.

15.1.5 You must maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

15.1.5.1 Confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it.

15.1.5.2 Integrity means that Personal Data is accurate and suitable for the purpose for which it is Processed.

15.1.5.3 Availability means that authorised users are able to access the Personal Data when they need it for authorised purposes.

15.2 Sharing Personal Data and Data Processing Agreements

15.2.1 We are required to comply with obligations under Data Protection Laws where we use third parties to Process Personal Data on our behalf (including but not limited to IT software providers and HR payroll providers). In these circumstances, these parties will be acting as our Data Processor and Data Protection Laws requires us to put in place a contract in writing which contains a number of provisions to help safeguard the Personal Data. If you are responsible for the drafting or negotiation of contracts with Data Processors, you must seek further advice from the Data Protection Lead to ensure the contracts contain all the necessary data protection provisions.

15.2.2 Where we share Personal Data with third parties for their own use (and they will not be processing data on our behalf as a Data Processor) it will often be necessary to enter into a data sharing agreement. We need to ensure that such agreements contain certain provisions such as the third party will only Process the Personal Data for specific purposes, to return the Personal Data to us in certain circumstances and have adequate security measures in place. If you are required to enter into a data sharing agreement, you must seek further advice from the Data Protection Lead.

15.2.3 In all cases, we may only share the Personal Data we hold provided the sharing complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained.

16. Privacy by design and data protection impact assessment (DPIAS)

16.1 We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures (like Pseudonymisation) in an effective manner, to ensure compliance with data privacy principles.

16.1.1 You must assess what Privacy by Design measures can be implemented on all programmes/systems/processes that Process Personal Data by taking into account the following:

16.1.1.1 the state of the art;

16.1.1.2 the cost of implementation;

16.1.1.3 the nature, scope, context and purposes of Processing; and

16.1.1.4 the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.

16.1.2 Please seek advice from the Data Protection Lead when you are considering any Privacy by Design measures.

DPIAs

16.2 Data Controllers must also conduct DPIAs in respect to high risk processing. The Data Protection Lead will be able to advise you on how to conduct a DPIA.

16.3 You should conduct a DPIA (and discuss your findings with the Data Protection Lead) when implementing major system or business change programs involving the processing of Personal Data including:

16.3.1.1 use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);

16.3.1.2 automated processing including profiling and ADM which have legal or similarly significant effect on Data Subjects;

16.3.1.3 large scale processing of Special Category Data; and

16.3.1.4 large scale, systematic monitoring of a publicly accessible area.

16.4 A DPIA must include:

16.4.1.1 a description of the processing, its purposes and the Data Controller's legitimate interests if appropriate;

16.4.1.2 an assessment of the necessity and proportionality of the processing in relation to its purpose;

16.4.1.3 an assessment of the risk to individuals; and

16.4.1.4 the risk mitigation measures in place and demonstration of compliance.

See ICO guidance for further information on how to undertake DPIA's (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/)


Automated Processing (Including Profiling), AI And Automated Decision-Making

16.5 Automated decision-making (ADM) is when a decision is made which is based solely on automated processing (including profiling) and produces legal effects or similarly significant effects on an individual. For example, where a bank uses an algorithm to assess a customer's creditworthiness which automatically approves or rejects a loan application without any human involvement.

16.6 Changes in Data Protection Laws mean that Chaser can now utilise ADM without always requiring the express Consent of an individual. However, ADM is prohibited where: (a) the lawful basis for processing is recognised legitimate interests; or (b) the decision is based entirely or partly on processing Special Category Data and it is solely automated. However, ADM will not be prohibited in these circumstances where: (i) the data subject has given Explicit Consent; or (ii) the processing is necessary for reasons of substantial public interest on the basis and the decision is: (1) necessary to enter into or perform a contract between the society and the data subject; or (2) required or authorised by law

16.7 Where Chaser utilises ADM, Chaser must ensure that Data Subjects are informed of such implementation of ADM. Additionally, Chaser must ensure that the Data Subjects can: (i) obtain human intervention where they have been subject to ADM; (ii) express their view in respect of the use of ADM; and (iii) contest any decisions made.

16.8 Any proposed utilisation of ADM must first be approved by the Data Protection Lead to ensure that the processing is conducted in accordance with Data Protection Law.

16.9 A DPIA must be carried out before any automated processing (including profiling) or ADM activities are undertaken which have a legal effect or similar significant effect on the Data Subject. Note that not all authorised processing will have a legal or similar effect on a Data Subject, for example, targeted advertising is generally not considered to have a significant effect on individuals.


Use of Artificial Intelligence Systems

16.10 Staff must only use AI applications (including generative AI tools, chatbots and machine learning systems) that have been expressly authorised by Chaser for business use. Unauthorised AI tools must not be used to process any information relating to Chaser's business.

16.11 Personal Data must not be entered into any AI system without the express prior authorisation of the Data Protection Lead. This includes uploading, copying, pasting or otherwise inputting Personal Data into AI tools, whether for analysis, summarisation or any other purpose.

16.12 Before any AI system is deployed or used for processing Personal Data, Staff must ensure that a DPIA has been completed and approved by the Data Protection Lead, particularly where the AI system involves profiling, automated decision-making or large-scale processing.

16.13 Staff must not rely solely on outputs generated by AI systems to make decisions that have legal or significant effects on Data Subjects without appropriate human review and oversight ('human in the loop'), and express approval from the Data Protection Lead.

16.14 Any actual or suspected Personal Data Breach arising from the use of AI systems must be reported immediately in accordance with Section 22 of this policy.

16.15 We may issue an AI Policy as a Related Policy which supplements this Policy.

17. Documents and records

17.1 We will keep written records of processing activities which are high risk, i.e. which may result in a risk to individuals' rights and freedoms or involve Special Category Data or Criminal Records Information including:

17.1.1 the name and details of our organisation (and where applicable, of other controllers, the employer's representative and DPO);

17.1.2 the purposes of the processing;

17.1.3 a description of the categories of individuals and categories of personal data;

17.1.4 categories of recipients of personal data;

17.1.5 where relevant, details of transfers to third countries, including documentation of the transfer mechanism safeguards in place;

17.1.6 where possible, retention schedules; and

17.1.7 where possible, a description of technical and organisational security measures.

17.2 As part of our record of processing activities we document, or link to documentation, on:

17.2.1 information required for privacy notices;

17.2.2 records of Consent;

17.2.3 controller-processor contracts;

17.2.4 the location of personal information;

17.2.5 DPIAs; and

17.2.6 records of Personal Data Breaches.

17.3 If we process Special Category Data or Criminal Records Information, we will keep written records of:

17.3.1 the relevant purpose(s) for which the processing takes place, including (where required) why it is necessary for that purpose;

17.3.2 the lawful basis for our processing; and

17.3.3 whether we retain and erase the Personal Data in accordance with our policy document and, if not, the reasons for not following our policy.

17.4 We will conduct regular reviews of the personal information we process and update our documentation accordingly.

17.5 We document our processing activities in electronic form so we can add, remove and amend information easily.

18. Privacy Notice

18.1 Chaser will issue and/or make available privacy notices from time to time, informing you about the Personal Data that we collect and hold relating to you, how you can expect your personal information to be used and for what purposes.

18.2 We will take appropriate measures to provide information in privacy notices in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

19. Individual Rights

19.1 All Staff, consultants, workers and contractors (whatever your location or jurisdiction) are responsible for helping Chaser keep their personal information up to date. You should let the Data Protection Lead know if the information you have provided to Chaser changes, for example if you move house or change details of the bank or building society account to which you are paid.

19.2 You may have access to Personal Data of other members of staff, suppliers and customers (including prospective and former staff, suppliers and customers) of Chaser in the course of your employment or engagement. If so, we expect you to help meet its data protection obligations to those individuals.

19.3 If you have access to personal information, regardless of your location or jurisdiction, you must:

19.3.1 only access the Personal Data that you have authority to access, and only for authorised purposes;

19.3.2 only allow other Staff to access Personal Data if they have appropriate authorisation;

19.3.3 only allow individuals who are Staff to access Personal Data if you have specific written authorisation to do so from the Data Protection Lead;

19.3.4 only share Personal Data with approved third parties and, when doing so, use appropriate security measures such as pseudonymisation, encryption or password protection;

19.3.5 keep Personal Data secure (e.g. by complying with our information security rules including on computer access, password protection and secure file storage and destruction and other precautions set out in the Chaser's information security policy);

19.3.6 not share Personal Data with any person or organisation on any device outside the UK without prior written authority from the Data Protection Lead;

19.3.7 not share Personal Data with any unapproved third-parties (including any subcontractors) without the prior written authority of the Data Protection Lead;

19.3.8 not remove Personal Data, or devices containing personal information (or which can be used to access it), from your usual place of work unless adequate security measures are in place (such as pseudonymisation, encryption or password protection) to secure the information and the device; and

19.3.9 not store personal information on local drives or on personal devices that are used for work purposes.

19.4 You should contact the Data Protection Lead if you are concerned or suspect that one of the following has taken place (or is taking place or likely to take place):

19.4.1 processing of Personal Data without a lawful basis for its processing or, in the case of Special Category Data, without one of the conditions in paragraph 5 being met;

19.4.2 any Personal Data Breaches as set out in paragraph 22 below;

19.4.3 access to Personal Data without the proper authorisation;

19.4.4 Personal Data not kept or deleted securely;

19.4.5 removal of Personal Data, or devices containing personal information (or which can be used to access it), without appropriate security measures being in place;

19.4.6 any other breach of this policy or of any of the data protection principles set out in paragraph 4.1 above.

20. Information Security

20.1 Chaser will use appropriate technical and organisational measures in accordance with its Information Security Policy to keep Personal Data secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. These may include:

20.1.1 making sure that, where possible, Personal Data is pseudonymised or encrypted especially when sending personal data to a third-party person or organisation;

20.1.2 ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

20.1.3 ensuring that, in the event of a physical or technical incident, availability and access to Personal Data can be restored in a timely manner; and

20.1.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

20.2 Where Chaser uses external organisations to process personal information on its behalf, additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal information. In particular, contracts with external organisations must provide that:

20.2.1 the organisation may act only on the written instructions of Chaser;

20.2.2 those processing the data are subject to a duty of confidence;

20.2.3 appropriate measures are taken to ensure the security of processing;

20.2.4 sub-contractors are only engaged with the prior Consent of Chaser and under a written contract;

20.2.5 the organisation will assist Chaser in providing subject access and allowing individuals to exercise their rights in relation to data protection;

20.2.6 the organisation will assist Chaser in meeting its obligations in relation to the security of processing, the notification of Personal Data Breaches and data protection impact assessments;

20.2.7 the organisation will delete or return all personal information to Chaser as requested at the end of the contract; and

20.2.8 the organisation will submit to audits and inspections, provide Chaser with whatever information it needs to ensure that they are both meeting their data protection obligations, and tell Chaser immediately if it is asked to do something infringing Data Protection Laws.

20.3 Before any new agreement involving the processing of Personal Data by an external organisation is entered into, or an existing agreement is altered, the relevant staff must seek approval of its terms by the Data Protection Lead.

21. Storage and Retention of Personal Information

21.1 Personal Data (and special category personal information) will, and must, be kept securely in accordance with Chaser's Information Security Policy.

21.2 Personal Data (and Special Category Data) should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal information was obtained. Staff should follow Chaser's Data Retention Policy which set out the relevant retention period, or the criteria that should be used to determine the retention period. Where there is any uncertainty, Staff should consult the Data Protection Lead.

21.3 Personal Data (and Special Category Data) that is no longer required will be deleted permanently from our information systems and any hard copies will be destroyed securely.

22. Personal Data Breaches

22.1 In accordance with Chaser's Data Breach Policy, we need to keep a record of all Personal Data Breaches, no matter how big or small and whether they are reportable to the Information Commissioner. If you suspect, commit or become aware of a Personal Data Breach of any kind, including by one of our suppliers, you must report immediately to your Line Manager and copy in the Data Protection Lead.

22.2 In accordance with Data Protection Laws, we are required to notify Personal Data Breaches to the applicable regulator within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedom of individuals. This is when Chaser becomes aware, not the Data Protection Lead, which is why it is important that breaches are reported quickly. It will also be necessary to inform the Data Subject when a breach occurs which is likely to be a high risk to the rights and freedom of the Data Subject.

22.3 If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately notify the Data Protection Lead in accordance with paragraph above. An internal record of any data breach must also be made within our internal Breach Log which the Data Protection Lead will manage. You should preserve all evidence relating to the potential Personal Data Breach and co-operate fully with the Data Protection Lead to make sure the breach is documented.

22.4 Where we act as Data Processor for a third party, we must make the Data Controller aware of the Personal Data Breach as soon as possible. Again, this is a task for the Data Protection Lead with full co-operation from whoever has reported the Personal Data Breach.

23. International Transfer

23.1 Data Protection Laws restrict data transfers to countries outside the UK in order to ensure that the level of data protection afforded to individuals by Data Protection Laws is not undermined. You may only transfer Personal Data outside the UK if one of the following conditions applies:

23.1.1 the UK Government has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects' rights and freedoms, please see the ICO's website for details of those countries;

23.1.2 appropriate safeguards are in place such as standard contractual clauses approved by the UK Government, an approved code of conduct or a certification mechanism;

23.1.3 the Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or

23.1.4 the transfer is necessary for one of the other reasons set out in the Data Protection Laws including the performance of a contract between us and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest.

23.2 If you are negotiating an agreement for Chaser that requires the transfer of Personal Data outside of the UK, you must seek further advice from the Data Protection Lead.

24. Accountability

24.1 The Data Controller must implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. The Data Controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.

24.1.1 We must have adequate resources and controls in place to ensure and to document Data Protection Laws compliance including:

24.1.1.1 appointing a suitably qualified Data Protection Officer (where necessary) where the appointment of a Data Protection Officer is not a legal requirement, we must still appoint an individual/individuals with responsibility for overseeing our compliance with Data Protection Laws such as a Data Protection Lead;

24.1.1.2 implementing Privacy by Design when processing Personal Data and completing DPIAs where processing presents a high risk to rights and freedoms of Data Subjects;

24.1.1.3 integrating data protection into internal documents including this Data Protection Policy, Related Policies and Privacy Notices;

24.1.1.4 regularly training Staff on Data Protection Laws, this Data Protection Policy, Related Policies and data protection matters including, for example, Data Subject's rights, Consent, legal basis, DPIA and Personal Data Breaches. We must maintain a record of training attendance by Staff; and

24.1.1.5 regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.

24.2 RECORD KEEPING

24.2.1 Data Protection Laws requires us to keep full and accurate records of all our data processing activities.

24.2.2 You must keep and maintain accurate corporate records reflecting our processing including records of Data Subjects' Consents.

24.2.3 We must also keep records of the name and contact details of the Data Controller and the Data Protection Lead, clear descriptions of the Personal Data types, Data Subject types, processing activities, processing purposes, third-party recipients of the Personal Data, Personal Data transfers outside the UK and the safeguards put in place to protect the transfer of such Personal Data, the Personal Data's retention period and a description of the security measures in place.

24.2.4 Our data processing records must always be kept up to date. Please see ICO guidance for further details regarding the information we must record: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/

24.2.5 We will conduct regular reviews of the Personal Data we process and update our documentation accordingly. This may include:

24.2.5.1 carrying out information audits to find out what Personal Data Chaser holds;

24.2.5.2 distributing questionnaires and talking to Staff across Chaser to get a more complete picture of our processing activities; and/or

24.2.5.3 reviewing our policies, procedures, contract and agreements to address areas such as retention, security and data sharing.

25. Training

25.1 Chaser will ensure that staff are adequately trained regarding their data protection responsibilities. Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.

26. Direct marketing

26.1 We are subject to certain rules and privacy laws when marketing to our customers.

26.2 For example, a Data Subject's prior Consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers known as "soft opt in" allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar products or services, and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.

26.3 The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.

26.4 A Data Subject's objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

27. Consequences of failing to comply

27.1 Chaser takes compliance with this policy very seriously. Failure to comply with the policy:

27.1.1 puts at risk the individuals whose Personal Data is being processed; and

27.1.2 carries the risk of significant civil and criminal sanctions for the individual and Chaser; and

27.1.3 may, in some circumstances, amount to a criminal offence by the individual.

27.2 Because of the importance of this policy, an employee's failure to comply with any requirement of it may lead to disciplinary action under our procedures, and this action may result in dismissal for gross misconduct. If a non-employee breaches this policy, they may have their contract terminated with immediate effect.

27.3 If you have any questions or concerns about anything in this policy, do not hesitate to contact the Data Protection Lead.

28. Changes To This Data Protection Policy

28.1 We reserve the right to change this Data Protection Policy at any time without notice to you so please check back regularly to obtain the latest copy of this Data Protection Policy. We last revised this Data Protection Policy in April 2026.

28.2 This Data Protection Policy does not override any applicable national Data Protection Laws.