Data Protection & Privacy Policy – Maxi-Lease Ltd


Copyright 2021 Maxi-Lease Ltd t/a Carnoisseur Leasing. All Rights Reserved. All text, images, graphics and other materials on this website are subject to the copyright and other intellectual property rights of Maxi-Lease Ltd. These materials may not be reproduced, distributed, modified or reposted to other websites without the express written permission of Maxi-Lease Ltd.


Maxi-Lease Ltd is committed to making its websites accessible to all users. We are currently undertaking an extensive redevelopment to ensure that this website meets recognised accessibility standards.



The information contained herein is designed to be as comprehensive and factual as possible. We reserve the right, however, to make changes at any time, without notice, in prices, colours, materials, equipment, specifications, models and availability.

Some links provided in this site may lead to sites furnished by independent site owners. The information presented therein is the sole responsibility of those site owners. Maxi-Lease Ltd has no control or responsibility for the content of independent sites and provides these links to its visitors for their convenience.
Carnoisseur Leasing WWW Site Terms and Conditions of Access: This World Wide Website (the "Site") is operated by Maxi-Lease Ltd, The Mansion House, Wrest Park, Bedfordshire, MK45 4HR.

Intellectual Property


All materials within the Site are the intellectual property of Maxi-Lease Ltd. Such materials may not be copied or reproduced, save to the extent necessary to view the same on-line. However, you may print complete pages of the site to hard copy for your own personal use.

Linking to the Site


If you wish to provide a link to the Site, you must first gain the permission of Maxi-Lease Ltd and only link to the Carnoisseur Leasing Homepage.

Accuracy of Information


The information in this site is intended for customers of Maxi-Lease Ltd t/a Carnoisseur Leasing in the United Kingdom and may not be applicable to other jurisdictions. Maxi-Lease Ltd will use reasonable endeavours to ensure that the contents of this Site are accurate and up to date, E&OE. However, Maxi-Lease Ltd reserves the right to change product specifications at any time.


1 Data Protection

1.1 Introduction
The Data Protection Act 1998 regulates data use and how firms use personal data of individuals.
This includes customers, non-customers and employees. It governs not only information held on
computer but also information held in manual form (e.g. on file).

1.2 The Data Protection Information Commissioner
The Data Protection Information Commissioner enforces and oversees the Data Protection Act 1998.
The Commissioner has a range of duties including the promotion of good information handling and
the encouragement of Codes of Practice for the data controllers, that is, anyone who decides how and
why personal data are processed.
The Commissioner is a UK independent supervisory authority reporting directly to the UK Parliament.
The information provided within this procedural manual is drawn from the requirements laid down by
the Office of the Information Commissioner.
Further information is available from visiting the Information Commissioner’s website at

1.3 Why Data is Important
With the growth in the use of personal data, wherever personal data is collected and
used, people’s lives can be adversely affected if something goes wrong. For example, if details are
not entered correctly people can be unjustly refused credit, benefits, housing or even a job. If data
are not kept securely people’s privacy can be affected.
It is therefore essential that those who collect and use personal data maintain the confidence of
those who are asked to provide it by complying with the requirements of the Data Protection Act.
All Data Controllers must comply with the eight principles that are at the heart of the Act, including the
requirement to obtain and process data fairly.

1.4 Individual Rights
Under the Act any individual concerned has a right to see almost all personal information held about
them, whether it is stored on computer or in manual form. In the event of receiving a so-called ‘subject
access request’ please refer to ‘Subject Access Procedures’.

1.5 Accuracy
The Act places an obligation to ensure the accuracy of an individual’s personal data. Such
information should not be misleading as to any matter of fact.

1.5.1 Personal obligations of all staff
All Maxi-Lease staff who deal with personal information are required to handle that
information confidentially and sensitively
Maxi-Lease staff undertake to process personal data supplied by the firm only in accordance
with the firm’s instructions
Maxi-Lease staff obligations in respect of the Data Protection Act form part of their contract of

1.6 The Data Protection Principles
The 1998 Act sets out 8 principles, which define the obligations of the firm as a registered data user of
personal data. These principles are as follows: -
1. Personal data shall be processed fairly and lawfully
2. Personal data shall be obtained only for one or more specified lawful purposes, and shall not
be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or
purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date
5. Personal data processed for any purpose or purposes shall not be kept for longer than is
necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act
7. Appropriate technical and organisational measures shall be taken against unauthorised or
unlawful processing of personal data and against loss or destruction of, or damage to,
personal data
8. Personal data shall not be transferred to a country or territory outside the European Economic
Area other than those countries which are deemed to have an adequate level of protection for
Personal data covers both facts and opinions about the individual. It also includes information
regarding the intentions of the Data Controller towards the individual.

1.7 Requirements of the Principles

1.7.1 First Principle
‘Personal data shall be processed fairly and lawfully’
Maxi-Lease must ensure that the processing is fair and lawful. Where the data is obtained from the
data subject Maxi-Lease must ensure that the data subject is provided with, or have made readily
available to them at the time of obtaining the data: the identity of Maxi-Lease; the purpose for
processing; and other necessary information as circumstances require to ensure that the processing is fair.
Maxi-Lease application forms should take into account the following requirements:
The data subject has given their consent to the processing
The processing is necessary for the performance of a contract with the individual to which
Maxi-Lease and data subject is a party
The processing is necessary to comply with legal obligations
The processing is necessary in order to protect the vital interests of the data subject
The processing is necessary for the administration of justice
The processing is necessary to pursue the legitimate business interest of the firm
Maxi-Lease will only need to hold or process customer’s personal data for business needs for
example the need to carry out a credit search in respect of an application for a loan. The customer
would have been requested to sign our standard declaration in order for their consent to be provided.

1.7.2 Second Principle
‘Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be
further processed in any manner incompatible with that purpose or those purposes’
This principle differs from the 1984 Act. It is no longer the case that personal data can be used for
any purpose as long as it is for a purpose as described in Maxi-Lease’s register entry.

1.7.3 Third Principle
‘Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes
for which they are processed’
Personal data held for specific purposes must be more than sufficient for the purpose or purposes.
It would therefore not be sufficient to hold information on the basis that one day it may be useful,
without a firm idea of how it will be used.

1.7.4 Fourth Principle
‘Personal data shall be accurate and, where necessary, kept up to date’
All reasonable steps must be taken to ensure the accuracy of data at all times.
Maxi-Lease must have controls in place to ensure that in the event of inaccurate personal data being
identified procedures will exist to allow for information to be rectified, blocked or destroyed.

1.7.5 Fifth Principle
‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary
for that or those purposes’
Maxi-Lease has a document retention policy that sets out the minimum time in which
documents should be retained.
This has been formulated in line with legal and regulatory requirements.

1.7.6 Sixth Principle
‘Personal data shall be processed in accordance with the rights of data subjects under this Act’
This principle covers the requirement of Data Controllers to provide individuals with Rights of
Access to personal data
The data subject may submit a subject access request in writing or by electronic means to
Maxi-Lease. See Subject Access Request procedures
Data Subject Access Requests should be referred immediately to Compliance
Maxi-Lease must respond to the request in any event within 40 days as long as the
prescribed fee of £10 has been paid
Maxi-Lease has satisfied itself as to the identity of the person making the request
In addition principle 6 covers how individuals have a right to be made aware of how their personal
information is used and by whom it is used.
Under Data Protection Legislation, Maxi-Lease must be able to prevent processing of data where the
individual objects in writing. For example a customer may request not to receive any direct marketing
material from Maxi-Lease or wish to have personal details passed through to a third party.
Maxi-Lease must have systems in place to suppress this type of information being sent out to their

1.7.7 Seventh Principle
‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful
processing of personal data and against loss or destruction of, or damage to, personal data’
Maxi-Lease has taken measures to ensure that only authorised persons have access to
personal data and these persons act only as mandated. Passwords giving access to data are
frequently changed
All reasonable steps are taken to ensure that appropriate security measures are in place to
safeguard against unauthorised or unlawful processing of personal data
All staff who have access to personal data are deemed to be reliable, and training and measures
have been put in place
Staff only access and use data that is necessary to perform their job function

1.7.8 Eighth Principle
‘Personal data shall not be transferred to a country or territory outside the European Economic Area
without adequate protection.’
Where processing across more than one national boundary is undertaken, it is necessary to
determine which law applies to which processing operation
The UK law will apply to processing by a controller established in the UK
Consent of the data subject is required when data is transferred to countries outside the EEA,
where protection is inadequate and where the transfer does not fall under any of the exempt
When assessing ‘adequacy of protection’, all circumstances surrounding the data transfer should be
considered (e.g. the nature of the data, the purposes and timescales of the processing etc.).

1.8 Processing Personal Data
Processing of personal data can be broadly defined as any operation carried out on personal
data. The Act requires that personal data be processed ‘fairly and lawfully’. Personal data will not be
considered to be processed fairly unless certain conditions have been met.
Processing may only be carried out where one of the following conditions has been met:
The individual has given his or her consent to the processing
The processing is necessary for the performance of a contract with the individual
The processing is necessary to protect the vital interests of the individual
The processing is necessary to carry out public functions

1.9 Collecting Personal Data
When collecting personal data it is essential that people know:
Who you / we are
What the data will be used for
To whom it will be disclosed
This information can often be provided on an application form or similar document.
Data Protection wording is included within the firm’s application package, which when signed by the
customer provides necessary comments for processing the customer’s data.
When handling, collecting, processing or storing personal data staff must ensure that:
All personal data is both accurate and up to date
Errors are corrected effectively and promptly
The data is deleted/destroyed when it is no longer needed
The personal data is kept secure at all times (protecting from unauthorized disclosure or
The Data Protection Act is considered when setting up new systems or when considering use of the
data for a new purpose. Any changes could affect the company’s existing registration with the Data
Protection Registrar and an amendment to the registration sought.
It is equally important not to:
Access personal data that you do not need for your work
Use the data for any purpose it was not explicitly obtained for
Keep data that would embarrass or damage Maxi-Lease if disclosed (e.g. via a subject
access request)
Transfer personal data outside of the European Economic Area unless you are certain you
are entitled to or consent from the individual concerned has been obtained
Store / process / handle sensitive data unless you are certain you are entitled to or consent
from the individual concerned has been obtained.

1.10 Rights of Individuals ‘Subject Access’ and ‘Subject Rights’
The Data Protection Act enables individuals who are the subject of personal data a general right of
access to the personal data, which relates to them.
Personal data may take the form of computerised or, in some cases, paper records. These rights are
known as ‘subject access rights’.

1.10.1 Individuals, who the data relates to, have various rights:
To receive, on request (a ‘subject access request’), details of the processing relating to them.
This includes any information about themselves including information regarding the source of
the data
To have any inaccurate data corrected or removed
In certain circumstances to stop processing likely to cause ‘substantial damage or substantial
To prevent their data being used for advertising or marketing
Not to be subject to certain ‘fully automated decisions’ if they significantly affect him / her
When a subject access request is received, it is important to:
Treat the requester with courtesy and try to understand what exactly is being sought
Act promptly and effectively as certain timescales are imposed regarding response
What is a Subject Access Request?
Often a customer will not have heard of the term ‘Subject Access Request’. Staff should be able to
distinguish between a casual enquiry and a ‘Subject Access Request’.
A Subject Access Request is not, for example, where:-
A customer wishes to know something specific about their bank account, such as their
balance or transaction details
A customer wishes to raise a complaint. In these circumstances the normal complaints
procedure should be followed
A Subject Access Request is where:
A customer wishes to be provided with personal data that the firm holds about them
Subject Access Requests
It is important that subject access requests are recognised and dealt with quickly.
A subject access request may be as simple as a letter from one of the firm’s customers asking what
information we hold about them.
If a request is received the enquirer must be sent:
A copy of the information held on them, this includes both computer and relevant written
paper records
A description provided as to why that information is processed
Anyone it may be seen by or passed to
The logic involved in any automated decisions
Before any request is actioned the Data Controller should verify the identity of the person making the
Subject access requests must be dealt with within 40 days from the date of receipt. If further details
are needed from the person making the request to assist with finding the data the 40 days will begin
when the extra information is received.
A maximum fee of £10 can be imposed and the 40 days will not commence until the fee has been
All information sent in response to a subject access request should be easy to understand and
therefore the sending of computer printouts may not be acceptable without a covering explanation on
codes used.

1.10.2 Identifying the Customer
Subject Access Requests
Maxi-Lease are not obliged to comply with a subject access request until sufficient information to
clearly identify the individual requesting the file has been given. Before releasing data staff should
satisfy themselves as to the identity of the customer. This is important to Maxi-Lease, as releasing
information to the wrong person is likely to amount to a breach of security.
Any of the documents listed below may be used to identify the customer(s):
A bank, building society or credit card statement
A store card or catalogue statement
A utility bill
All documents must be original, not photocopies, and dated within the last three months. It must
show the customer’s full name or first initial, surname and current address.
It is important that all documentation is returned to the customer once identity has been verified.
In the rare circumstances where the customer is unable to provide any of the above items, they must
provide a letter confirming their identity. This must be an original, typed or headed paper, dated
within the last three months and authenticated with an official stamp if applicable. This should be
from an employer, solicitor or other professional body or person.
Telephone requests for information
It is important not to release any personal information to customers before you have established their
identity. Requests should be treated with great care, particularly as the issues of proof of identity are
difficult to manage.
The steps that need to be taken to verify the identity of the customer will depend upon the type of
information, and possibly the customer.
Although wherever possible access to a data subject’s personal information should be provided
‘without excessive constraints or delay’. This needs to be balanced against the responsibilities of the
data controller to safeguard personal information and to avoid giving personal data to another
Therefore, depending on the circumstances, staff should be asking customers to confirm selective
information to verify identity from the following:
Confirmation of their date of birth and postal address
Confirmation of their employment record
Confirmation of their National Insurance number
If the customer requests a Subject Access report then the customer needs to be reminded that the
request needs to be put in writing, and will be dealt with in accordance with the procedures as
detailed in section 4.

1.11 Credit Reference Agencies
There are two major credit reference agencies in the UK at present. They are Experian and Equifax.
Their main purpose is to supply factual information to providers of financial services in order to
establish people’s credit histories.
Customers have a legal right to have access to the data held by credit reference agencies.
Customers also have a right to request that the agency remove/amend incorrect data. Customers
can write to the agency to obtain a copy of their credit file. Generally a small fee is payable.
Equifax Europe UK Limited, PO Box 3001, Glasgow
Experian Plc., PO Box 8000, Nottingham

1.12 Consent to Obtain Credit Search
Credit searches on an individual must not be conducted without the consent of that individual. Maxi-
Lease’s policy is to obtain this consent in writing, normally as part of the application process,
however, verbal consent of the customer will be considered in certain circumstances. Staff should
contact Compliance Department if they are unsure if adequate consents have been obtained.

1.13 Processing for Direct Marketing Purposes
To comply with the requirements of the Data Protection Act all customers both new and existing have
to be given the right to opt out from receiving advertising and marketing material from the firm.
Likewise customers have to be informed if the firm intends to pass information to a third party for
marketing purposes.
Customers’ personal data is collected on application forms and the election for customers not to
receive marketing material is covered through the inclusion of an ‘opt-out’ box.

1.14 Preference Services
There are a number of marketing preference services available to customers:
The Mail Preference Service (MPS)
The Telephone Preference Service (TPS)
The Fax Preference Service (FPS)
The E-mail Preference Service (EPS)
The MPS is funded by the direct mail industry to enable customers to have their names and home
addresses in the UK removed from or added to lists used by the direct mail industry.
Firms must ensure that customers that have registered with the MPS do not receive any marketing

1.15 Third Parties and Data Processors

1.15.1 General Guidelines
Always read the contract carefully before signing
Check that you understand what each clause means and the effect of that clause
Remember – a contract is an agreement enforceable in law
Ensure that you receive a signed original of the document
Once the contract is in force, then it is the firm’s responsibility to ensure that it complies with
the term of the contract
In the event of a query reference should be made to senior management

1.16 Data Protection Act Definitions

1.16.1 Data
Automated and manual data that is recorded as part of a relevant filing system

1.16.2 Data Controller
The data controller is Compliance Officer/Nominated Officer

1.16.3 Data Protection Commissioner
This is the name for the Data Protection Registrar

1.16.4 Data Subject
The individual who is the subject of the personal data

1.16.5 Manual Data
Manual records are those which are structured by reference to individuals or criteria relating to
individuals, and which allow easy access to the personal data they contain

1.16.6 Notification
Notification by the firm of certain basic information about the data held; the purposes for which it is
held; the persons to whom it may be disclosed; a general description of the technical and
organisational steps a Data Controller takes to protect data held from unauthorised access, disclosure
or loss; and the identity of the Data Controller i.e. Compliance is responsible for ensuring that
notification / registration is completed as necessary.

1.16.7 Personal Data
This is data relating to an individual who can be identified from that data and/or other information
which is in the possession of or likely to come into possession of the firm

1.16.8 Processing of Personal Data
Obtaining or recording the information to be contained in the data or carrying out an operation,
including disclosure by transmission / documentation, organisation, adaptation, alteration of the
information or data, retrieval, blocking, erasure or destruction of the data.

1.16.9 Relevant filing systems / manual data
Any set of information relating to individuals which is structured either by reference to individuals i.e.
by name/employee code etc., or by reference to criteria i.e. age, job type, credit history etc. relating to
individuals so that specific information relating to an individual is readily accessible.

1.16.10 Sensitive Data
Means data pertaining to: racial or ethnic origin; religious or similar beliefs; trade union membership;
physical or mental health or sexual life; political opinions; criminal offences. This data may only be held
in strictly defined situations or where explicit consent has been obtained.

1.16.11 Subject Access
The right of individuals to have access to the data about them and any other related information

1.16.12 Third Party
Any person other than the firm or its staff, data subject, or data processor

Whom to Contact

If you have submitted Personal Data through the Site and would like that information deleted from our records, please contact us at our e-mail address:

[email protected]
or telephone 01582 690262

We will make every reasonable effort to delete this information from our existing files.

Law & Jurisdiction

This site was created, and is operated, according to the laws of England. In determining any disputes in relation to this site the laws of England will apply and the Courts of England and Wales will have exclusive jurisdiction.

Carnoisseur Leasing Site Terms And Conditions Of Download
Carnoisseur Leasing, a company registered under the Companies Acts in England (No. 6544851) and having its registered office at The Mansion House, Wrest Park, Bedfordshire, MK45 4HR, hereby grants you a non-exclusive personal licence to use the materials downloadable from the site (the "Materials") subject always to the following conditions.

The Materials are the intellectual property of Maxi-Lease Ltd. You may not sub-licence, assign, transfer or sell the Materials or the rights granted hereunder. The Materials are provided "as is". Maxi-Lease Ltd excludes to the fullest extent permitted by law all warranties in relation to the Materials.
The Materials on this site have been thoroughly scanned and tested at all stages of production. Notwithstanding this, we still recommend that you run a virus checker before use. We also recommend that you have an up-to-date backup of your hard disk before using the software. Maxi-Lease Ltd cannot accept responsibility for any disruption, damage and/or loss of data on your data or computer system that may occur while using the software. Consult your network administrator before downloading any Materials onto a networked computer.
