A Royal Bank of Scotland Group referral

All Employees of Corporate Asset Solutions Limited (CAS) who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and their consent to the processing of their data is secured. The personal data we collect from you will be used for the following purposes: • To obtain your contact details to enable us to contact you about the performance of your contract with us. • To assess your financial position and affordability. • To obtain credit references from credit reference agencies. • To arrange insurance on goods – if applicable to the contract you have entered into with us. By consenting to this, you are giving us permission to perform those actions. You may withdraw consent at any time. Your Rights as a Data Subject • You may withdraw your consent at any time • You have the right to access your personal information • You have the right to rectify your personal data • You have the right to have your personal data erased • You have the right to restrict processing • You have a right to lodge a complaint with the Information Commissioner’s Office.

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. General Data Protection Regulation of May 2018 Special Categories of Personal Data Certain data is classified under the Regulation as ”special categories”: • Racial • Ethnic origin • Political Opinions Religious Beliefs • Trade-union membership • Genetic Data • Biometric Data • Health Data • Data Concerning a natural person’s sex life • Sexual orientation • Other Consent is required for CAS to process both types of personal data, but it must be explicitly given. Where we are asking you for sensitive personal data we will always tell you why and how the information will be used.

In order for us to provide you with services, we need to collect personal data for correspondence purposes and/or detailed service provision. In any event, we are committed to ensuring that the information we collect, and use is appropriate for this purpose, and does not constitute an invasion of your privacy. We may pass your personal data on to Third Party service providers who are contracted to CAS in the course of dealing with you. Our contractors are obliged to keep your details securely and use them only to fulfil the service requested. Once your service need has been satisfied or the case has been closed, they will dispose of the details in line with our firm’s procedures. If we wish to pass your sensitive personal data onto a third party not contracted to provide the service requested, we will only do so once we have obtained your consent, unless we are legally required to do so. How CAS uses your information? CAS will process – that means collect, store and use – the information you provide in a manner that is compatible with the General Data Protection Regulation of May 2018 (GDPR). We will endeavor to keep your information accurate and up to date and not keep it for longer than is necessary. In some instances, the law sets the length of time information has to be kept, but in most cases, we will use our discretion to ensure that we do not keep records outside of our normal business requirements. Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.