This privacy statement applies to you, if your personal data is processed by us:

• as a customer (i.e., end-user), if we provide, or offer to provide to you, a financial solution.
• as a partner (i.e., someone that refers customers to us, or an organisation that works with us, to develop and supply our financial products), if we seek to create or have a relationship with you.
• as a supplier, in the course of receiving products, services, or offers from you.
• as a customer, partner, supplier or other individual when you visit one of our websites, online applications or our offices.

Within the different groups, as identified above, we may apply different forms of processing. If such differentiation is applicable and deemed relevant by us, we will set that out in this privacy statement.

This privacy statement only applies to our customers, partners, suppliers and our online visitors and office visitors. If you are a job applicant or employee, you will be provided with another privacy statement covering how we manage your personal information for that relationship.

As a customer, partner, or supplier, you must not provide us with more personal information of yourself, your employees, representatives, clients, or ultimate beneficial owners (UBOs) than we might need for a given purpose.

You must also inform your employees, representatives, clients, or UBOs about your intention to transfer their personal information to us. You may refer them to this privacy statement so that they can learn how and why we process their personal data.

Our contact information is:

Privacy Officer
De Lage Landen Pty Limited
GPO Box 1540 Sydney NSW 2001
1800 259 640
privacy-anz@dllgroup.com

We are a wholly owned subsidiary of De Lage Landen International B.V., which is a wholly owned subsidiary of Coöperatieve Rabobank U.A. (“Rabobank” and together with its subsidiaries, the “Rabobank Group”).

A Data Protection Officer (“DPO”) has been appointed for De Lage Landen International B.V. and its subsidiaries (“DLL Group”). The DLL Group DPO can be contacted by email via privacyoffice@dllgroup.com.

“Personal data” is any information directly or indirectly relating to an individual, or any information that can be used to identify an individual.

Personal data is “processed” when any activity is undertaken on your personal data, such as collection, storage, access, use, transfer, disclosure, and deletion.

For customer, partner, and supplier relationships, the personal data DLL processes mainly consists of information relating to the customer’s, partner’s, or supplier’s directors, representatives, and, if applicable, UBOs. This is because DLL predominantly enters into customer, partner, and supplier relationships with legal persons (e.g., limited liability companies and corporations), rather than with individuals. But we also process personal data of entities which are comprised of natural persons (e.g., sole traders and partnerships involving natural persons).

As part of these relationships, we may process the following personal data:

Contact and identification data
Name, address, telephone number, (business) e-mail address, copy of ID, date of birth, ABN, and copy of proof of residency.

Contract/agreement data
Contract number, contract duration, information concerning your financial situation, payment history, bank account details, risk profile, our products or services, and the process of obtaining financial services.

Data used to ensure your and our security, to prevent and investigate fraud, and to prevent money laundering and financing of terrorism
Personal data that is processed in the external and internal referral registers of Rabobank and any personal data processed in relation to credit reference agencies and in national and international sanctions lists.

Recorded calls, recordings of video chat and online chat sessions, video surveillance, and documentation of e-mails
Information concerning our conversations via telephone or in online chat sessions, inbound and outbound e-mail communications, and camera images that we record in our offices.

Data related to the use of our websites and online applications
Cookies or similar tracking technologies may collect your IP address, data about the applications and devices you use to visit our website and online applications.

We may collect personal data which is considered more sensitive, such as information relating to your racial or ethnic origin, religious affiliations, criminal history, and health/biometric data. We will only process sensitive information if necessary for the applicable purposes.

Race or ethnic background
For tax purposes and for certain anti-terrorism reasons, we may be required to record information about your country of birth. We may also have/take/store your photograph or film you on our CCTV (closed-circuit television) if you visit our offices. However, we do not register your race or ethnic background, and we do not use race or ethnic background to make decisions.

Personal data concerning criminal convictions
We may process data related to your criminal record or criminal convictions in the context of anti-money laundering, fraud prevention, and regulatory reporting which may be obtained from open sources (e.g. media searches) or sanction, fraud and crime prevention databases.

Biometric data
If you have registered your fingerprint for log-in purposes in any electronic application operated by us, we may process your biometric data for this purpose.

We may also receive your data in the following ways:

• if you apply for a financial or partner solution, either as an end-user/client or as a partner;
• if you offer a product or service to us;
• if you sell or resell a product or service of ours (for example, brokers);
• when you visit our ‘DLL Group’ website (for further details, see Cookie Statement);
• by receiving it from third parties (e.g. personal data we receive from our Partners, companies register, credit reporting bodies and personal data that we receive from companies to which you have given consent to share your data with us);
• if you enter your personal data on our website with the request to contact you;
• via email or telephone (if you contact us);
• when you visit a DLL office via our visitor-registration;
• from affiliates within the Rabobank Group (see chapter 11).

Depending on the purposes for which we process your personal data, the lawful ground may differ.

Consent
You give us your permission to use your data.

Legal obligation
Legally, we are obliged to process your personal data.

Contractual necessity
We need your personal data to enter into a contract with you and comply with our contractual commitments to you.

Legitimate interest
We have a legitimate interest in processing your personal data, which is not outweighed by your interests, fundamental rights, and freedoms. For example, DLL has a legitimate interest in processing your personal data when requesting you to complete a survey on how we can improve our services.

When you (as a customer or a partner on behalf of a customer) obtain a quote from us to finance an asset
You may contact us directly for a quote for a finance product, such as a lease, hire purchase, or loan, in relation to an asset you are purchasing, or one of our partners may contact us to provide you with a quote. Minimal personal data, is collected along with the information about the asset you are buying to provide a provisional quote. We will also process the contact details of the partner who obtains the quote from us.

When you (as a customer or a partner on behalf of a customer) make an application for a finance product
If a quote is accepted and you wish to make an application, we need to process your personal data, such as your name, contact details, bank details, identity verification, and any supporting evidence requested by us. We will also process the contact details of the partner who sends an application to us.

When we establish a new relationship with you as a partner or supplier
If we establish a new partner or supplier relationship, then we will process the personal data of the relevant employees and the representatives of that partner or supplier in the administration of the new relationship and as part of our due diligence checks.

When we undertake credit decisions
We assess your credentials from a risk perspective and validate whether you can fulfil the payment obligations under the contract. This method is called credit decisioning, which is based on an automated process and uses data collected from publicly available sources and credit reference agencies. More details are described in Chapter 9.

In some instances, we will also review your payment history of any prior contractual relationships you have with us or the Rabobank Group and may request further information to evidence the financial status of your company to assist in this decision making. This may include company reports, bank statements, and data pulled from public websites.

We also undertake credit checks on partners and suppliers to manage the financial risk of our business.

When we undertake KYC/AML, identity verification, and integrity checks
We must confirm the identity of our customers, our partners, their representatives, and UBOs to comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements. We may do this by making a copy of identity documents, which we will only use for identification and verification purposes.

We also consult available external and internal referral registers of Rabobank, incidents registers and warning systems, and national and international sanctions lists.

We undertake these checks at the start of any contract negotiation and once a contract is live we will continue this monitoring on a regular basis.

When we activate a contract and make payments for the asset(s) we are financing or the products and services we are acquiring
We will undertake final checks on the contract documentation, reviewing payment details and signature screening, before making payments to either our customers or partners for the financed asset or our suppliers for products or services purchased.

When we send invoices to our customers and receipt payments
We undertake daily payment reconciliations to ensure customer accounts are paid on time and in line with the contractual provisions.

When we collect payments of our customers
We will collect your bank details to set up regular payments in accordance with your contract terms. Card payment details may also be processed for one-off payment collections.

If customers fail to make payments on time
If you do not adhere to your contract requirements, we will contact you to seek solutions if arrears should emerge and collect outstanding payments.

When we collect or recover an asset of our customers or sell their debt
If you do not adhere to the contract terms, in some cases we may employ specialist debt collection and recovery agents to recover the asset and any amounts outstanding on the account.

Account management and contract management for customers, partners and suppliers
We process your personal data to establish and maintain our business relationship with you. For customers, we process your personal data to inform you about the remaining term or outstanding obligations on your contract.

When our customers require insurance for their asset and/or submit a claim
If your contract terms require that the asset is insured, we will provide your contact details to our insurer unless you arrange alternative insurance cover. When a claim is made for an asset that we own, we will submit the claim to the insurer and keep you updated throughout the insurance claim process. We also process the contact details of a partner that forwards a claim to us on behalf of the customer.

If our customers require payment protection insurance
We may offer our customers an option to take out a payment protection insurance policy with a preferred provider. If you take us up on this offer, we will provide your contact details and contract information to the insurer.

When we remarket and resell an asset of our customer
We may remarket an asset that we have previously leased to you. Any assets that are remarketed that can store any type of data or information have all data wiped prior to the asset being resold. If you purchase an asset from us, we will process your contact and payment details to effect the asset sale.

If you have a query on your contract
We will process your personal data if you contact us with a query about your contract. If you call our Customer Service team, we record these calls for monitoring and improvement purposes.

When we ask you for feedback
We may ask you to rate our services whenever we interact with you by email, or we may send you separate feedback requests (e.g., a feedback questionnaire) so that we can understand where we can make improvements.

If we send you mail
If we need to send you hard copy documents via a postal service, we will share your name and contact details with the postal service provider.

When we undertake direct marketing
We may contact you to make you aware of our products and services, or other products and services that may be of interest.

When we share customer information with our partners to manage the relationship
We may share details of your asset purchase and contract details such as term as well as start and end dates with the partner who introduced you as a customer to DLL.

When we build business relationships with new customers, partners and suppliers
We may obtain your contact details via our relationship with an intermediary with whom you have or had a business relationship, via Rabobank Group or via internet searches of publicly available information.

To manage our risk
We may develop risk models, which can include personal data. This allows us to determine our risks, as well as the extent of the financial buffer we must hold, when providing financial services. These risk models calculate the chances of you getting in arrears. These enable us to prevent possible payment difficulties and/or handle these faster. We independently review the financial products we provide and our risk exposure to ensure fiscal responsibility.

For our financial planning, audits, regulatory, and internal reporting
We use personal data of our customers to populate aggregated reports which are required for financial and regulatory reporting. We also use aggregated data to construct strategic plans and develop and enhance our business processes.

If a company merger, acquisition, or divestment takes place
If we acquire, merge, or divest one of our business entities, we will process your personal data to transfer your contract to the relevant entity.  

In the transfer of receivables/securitisation
If we transfer our agreement with you to another financial institution, our agreement is taken over, or if a merger or demerger occurs, your personal data may be processed by a third party acquiring your contract with us, however, it will be a condition of any such transfer that such third party agrees to comply with applicable data protection and privacy laws.

We process the personal data of visitors of our websites, online applications (e.g. portals, mobile apps) and offices for a variety of purposes.

When you visit our websites and online applications
We operate cookies or similar tracking technologies on our websites and online applications to ensure they function correctly. You can read more about how we use cookies or similar tracking technologies in our Cookie Statement.

If you access an online account on our online applications
If you are given a log in to a DLL customer or partner online web portal or mobile application, we will process your contact details and provide you with security credentials to enable you to access your account. Cookies and tracking technologies are in operation on these sites which you can read more about in our Cookie Statement.

To manage our facilities
If you visit a DLL office, we operate CCTV and ensure access to offices is managed securely. Your image is captured by our CCTV systems and your contact details are recorded to provide you access to our offices via a secure pass.

In addition, we may process the personal data of anyone who interacts with us for legal, compliance and business improvement purposes

To develop and improve our systems and processes
We may process personal data to develop and improve our systems and processes. When we test new systems, we will aggregate, anonymise, or scramble data so that it is no longer identifiable.

To manage and evidence our compliance with data protection and privacy laws
If you exercise any of your rights under data protection and privacy law, we will process your data to manage your request. If we experience a data breach, we will process the data of impacted individuals as required to mitigate risk and inform you of a breach where it is required.

If you make a complaint
We will process your contact details and any supporting information to administer, investigate, and respond to your complaint.

When we make or receive a legal claim
We will process personal data if we make or receive a legal claim in respect of the contract we have with you. We may share your personal data with legal specialists for the purpose of defending our legal rights.

For legal and regulatory compliance purposes
In some cases, we may be instructed by relevant government or supervisory authorities to process or share your personal data to comply with a regulatory requirement, court order or assist with an investigation.

To improve our efficiency, we use process automation. For instance, we rely on algorithms to help us with credit scoring, development of risk models, and creation of so-called scorecards. Whenever we use algorithms or automation we do not solely rely on the outcome of the algorithms or automations for a decision in all cases. Instead, when requested, we ensure human oversight and involvement. For example, where a credit scoring algorithm produces a negative outcome and a customer or partner requests a review, a trained and experienced member of staff will review the outcome and base the final decision on their judgement.

DLL is subject to the Rabobank Privacy Codes. The Rabobank Privacy Codes apply as “Binding Corporate Rules” (“BCRs”). This means we must meet minimum standards in the collection and processing of personal data.

DLL is committed to taking the necessary organisational and technical measures to protect your personal data when we process it and share it with third parties. These include:

• All our personnel are subject to confidentiality obligations to ensure the adequate protection of your personal data.
• We use appropriate security measures to ensure the confidentiality, integrity, and availability of your data, as well as certifying systems and services which are resilient and are able to restore data in the event of data loss.
• Where possible, we aim to secure your personal data by lessening or removing personally identifying elements.
• We regularly evaluate the effectiveness of our technical and organisational measures to ensure continuous improvement in the security of processing personal data.
• Personal data may also be processed for a legitimate business purpose different from the original purpose (secondary purpose), but only if the secondary purpose closely relates to the original purpose.
• When we share your data with third parties outside of the Rabobank Group, we perform due diligence and thorough assessments of those parties and verify the secure processing of your personal data by way of contractual terms and conditions.

The Rabobank Privacy Codes are available on our website

Sometimes we may have a clear and legitimate reason to share your data with other parties.

Sharing data within the DLL Group
As a global organisation personal data may be transferred to other entities in the DLL Group who provide operational support enabling the delivery of better customer services. An example of this is when operational support is provided by our shared service center based in India. We also provide products and services to global partners and customers and collaborate across the various DLL entities to deliver global solutions.

Sharing data within the Rabobank Group
There may be times when we share personal data with Rabobank or other Rabobank Group entities. For instance, you may be a customer of Rabobank and DLL, respectively, and we might share your data internally to avoid a duplication of your efforts. Alternatively, we may share your data with Rabobank (or vice versa) if we think they might have a financial product that might be of interest to you.

Sharing data outside DLL or the Rabobank Group
Like any other company, we rely on the services of third parties.

When we engage specialist suppliers, consultants, or contractors to assist us in running our business, we may share your personal data with them where it is necessary for the service they provide to us. For instance, we may use a third party to perform a background screening or credit checks on our behalf or use services hosted in a third party cloud environment.

Any third party that we employ is checked to ensure they are reliable, and we only engage them where they enter into a proper contract with us and implement appropriate security and other measures to guarantee that your personal data remains confidential.

When legally obligated to do so, we will share your personal data with government authorities, regulators or supervisory authorities, and law enforcement agencies.

Disclosure to other countries
Personal data may be disclosed to entities within the DLL Group, the Rabobank Group and third parties in jurisdictions including: Argentina, Australia, Austria, Belgium, Brazil, Canada, Chile, China, Denmark, Finland, France, Germany, Hungary, India, Ireland, Italy, Korea, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Singapore, Spain, Sweden, Switzerland, Turkey, United Kingdom and United States.

Transfers within the Rabobank Group
When we share your data with other entities of the Rabobank Group that are in countries other than the country in which your personal data was originally collected, we rely on the Rabobank’s Privacy Codes. The Rabobank Privacy Codes apply as “Binding Corporate Rules” which are a set of rules that all Rabobank Group entities must comply with to ensure an adequate level of protection for your personal data. Because of these codes, the same rules apply to all entities of the Rabobank Group, permitting us to share data within the Rabobank Group. The Rabobank Privacy Codes are available on our website.

Transfers outside the Rabobank Group
When we transfer your data to a third party located in another country, we will apply additional safeguards so that your data is protected to the same level as the standards applied across the Rabobank Group.

We do not store your personal data for longer than we need to achieve the purposes for which we have collected it or for the secondary purposes for which we reuse it.

We have a retention policy which specifies how long we store data. In most cases, this is 7 years after the end of the contract or your relationship with DLL. Sometimes this period is longer, for example, if a supervisory authority asks us to do so, if you have filed a complaint that makes it necessary to keep the underlying personal data for a longer period, or in specific cases for archiving or legal proceedings. Sometimes we use shorter retention periods, for example for telephone call and camera recordings.

Global data protection and privacy laws differ when it comes to individual rights regarding personal data. DLL, however, offers all individuals the following rights concerning the processing of their personal data:

Access and Rectification
You can ask us to access the personal data we hold about you. Where you believe that your personal data is incorrect or incomplete, you can ask us to correct or add more detail to your personal data.

Erasure
You can ask us to erase your personal data processed by us. If we do not have any legal obligations or legitimate business reasons to retain your personal data, we will fulfill your request.

Restriction
You can ask us to limit the personal data we hold about you. We may refuse this type of request if we have a lawful reason to continue holding your personal data (e.g., the exercise of a contract, a legal archiving duty, or the establishment, exercise, or defense of legal claims).

Portability
You have the right to ask us to provide to you a copy of your personal data in a structured and machine-readable format or to transfer your personal data on your behalf to a third party. Transfer of personal data directly to a third party can only be done if it is technically possible.

Objection
If we process your data because we have a legitimate interest in doing so, for example if we make recordings of telephone calls but this is not required by law, you may object to this. In that case, we will reassess whether it is indeed the case that your data can no longer be use for that purpose. We will inform you of our decision, stating the reason. The operation of this right may impact the way we continue to provide you with products and services, we will inform you if this is the case so you may make an informed decision.

Direct marketing
You have also the right to request that we stop using your personal data for direct marketing purposes. We will then take steps to ensure you are no longer contacted for direct marketing purposes.

Consent withdrawal
If you have given your consent to us to process your personal data, you can withdraw your consent at any time. Unless we have a legal obligation or legitimate business reason to continue to process your personal data, we will stop any processing allowed solely by consent within 30 days of receiving your request.

For questions related to this privacy statement, please contact our local privacy officer or local compliance officer via:privacy-anz@dllgroup.com

If you would like to exercise any of your rights, please do so by completing this form:

We will respond within one month after we have received your request. In some cases, however, we may need to extend this period for up to another 2 months. We may need to ask you for some additional details to clarify your request or provide verification of your identity.

We will do our best to handle your request, question, or complaint quickly and efficiently.

If you are unhappy with how we handle a request, question, or complaint, you can contact your local Data Protection Authority. You can find the contact details of your local Data Protection Authority below:
Office of the Australian Information Commissioner  
GPO Box 5288 Sydney NSW 2001 
Telephone number: 1300 363 992 

This privacy statement will be updated from time to time in case of additional legal requirements or if we process personal data for new purposes.