Before we commence our relationship with the Prospective Customer, we may need to undertake anti-money laundering checks (the “Checks”) on Prospective Customer’s business, which may include collection and processing of personal data pertaining to the above-mentioned individuals connected to the Prospective Customer. We carry out the Checks to ensure that our relationship with the Prospective Customer is appropriate, that any associated risk is identified and managed effectively, and to satisfy our obligations under applicable anti-money laundering and counter terrorist financing laws. We are committed to respecting individuals’ privacy and protecting their personal data and this policy will explain the types of personal data we collect, and what rights the individuals whose personal data we process have regarding this data when we carry out the Checks. We may change or update this policy from time to time; the ‘LAST UPDATED’ legend at the top of this policy indicates when it was last revised. In the case of certain material changes, we may reach out by email or via the customer account.
What personal data we collect
“Personal data” means any information that identifies an individual or relates to an identifiable individual. It does not include data where the identity has been removed (anonymous data). To carry out the Checks outlined above, we collect the following types of data:
- Business information, specifically business telephone number (landline and mobile) and email address, job title, the company name or business trading name, and business/operational address;
- Where applicable, details of the size of the business’ fleet of vehicles;
- Where applicable, copies of the business’ vehicle/driver licensing arrangements, in terms of whether the fleet has private hire vehicle licences, and/or Hackney Carriage vehicle licences;
- A copy of the business’ Operator’s Licence, or if operating in Scotland, the Booking Office Licence, which identify the name of certain individuals connected to the Prospective Customer;
- A copy of the business’ public liability insurance and (where applicable) employer’s liability insurance certificates, which identify the name of certain individuals connected to the Prospective Customer; and
- Where the Prospective Customer is a sole trader:
- Full name and title; and
- VAT number (if applicable).
If the Prospective Customer provides journeys to Uber customers
If the Prospective Customer wishes to provide journeys to customers of Uber, in connection with its use of Autocab products and services, then there are additional categories of information which we will request on behalf of Uber to allow Uber to carry out its own due diligence checks. These additional categories of information will be provided to Uber in addition to the above-mentioned types of personal data that we directly collect from the Prospective Customer. For such due diligence checks, Uber requires the following personal data in respect of any individual owning (or controlling) an interest greater than 25% in the Prospective Customer’s business:
- Date and country of birth;
- Maiden name (if different from the individual’s surname);
- Country of permanent residence; and
- A copy of the individual’s passport or government/national ID card.
We advise checking Uber's Privacy Notice to learn more about how it processes personal data for its due diligence checks (and for what purposes), as well as individuals’ rights in relation to their personal data, and how to exercise them.
Personal data provided on behalf of third parties
When we carry out the Checks, there may be circumstances where the Prospective Customer provides personal data to us on behalf of a third party (such as a board member or an owner of a controlling interest in the business). The Prospective Customer may be obligated under relevant laws to provide notice to such individuals about such sharing of their data with Autocab. By submitting such individuals’ personal data when assisting us with the Checks, the Prospective Customer represents that it has provided appropriate notices and obtained consents, when so required by applicable law. The provision of personal data for the Checks is voluntary, but failure to provide requested information may disqualify the Prospective Customer from entering into or maintaining a contractual relationship with us.
Other sources of data from which we collect personal data
While we will request all of this information directly from the Prospective Customer, where we are unable to identify all of the information that we require, we may locate certain of the data types described above via Companies House’s publicly-available databases (to the extent it is available there).
How do we use the personal data that we gather
We use personal data for the purpose of undertaking the Checks in order to protect our business, prevent fraud or abuse of our services and for internal record keeping purposes. To do this, we rely on the following legal bases:
- Legitimate interests – Autocab has a legitimate interest to carry out the Checks to protect its business interests, including any reputational risk to Autocab.
- Legal obligation – Autocab is required to carry out the Checks by law including, but not limited to, the 5th AML Directive (EU 2018/843) and the UK Money Laundering and Terrorist Financing (Amendment) Regulations 2019.
- Substantial public interest – The processing of personal data for the Checks is necessary for reasons of substantial public interest, on the basis of the UK Data Protection Act 2018, including the following reasons:
- The processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement that involves a person taking steps to establish whether another person has committed an unlawful act, or been involved in dishonesty, malpractice, or other seriously improper conduct, and in the circumstances, we cannot reasonably be expected to obtain the consent of the individual to the processing; or
- The processing is necessary for the purposes of preventing fraud or other unlawful acts.
Sharing personal data
We share data with certain third parties set out below for the purposes described above:
- Service providers (acting as processors) who provide our IT and system administration services.
- With Uber, where the Prospective Customer wishes to provide journeys to customers of Uber in connection with its use of Autocab products and services (as referred to above).
- Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- Fraud prevention agencies in order to detect and prevent fraud.
- Public and government authorities, including authorities outside individuals’ country of residence, where we receive requests from them.
We also use and disclose personal data, as necessary or appropriate: (a) to comply with applicable law, including laws outside individuals’ country of registration; (b) to comply with legal process; (c) to protect our operations; (d) to protect our rights, property or safety, and/or that of our customers, the Prospective Customer, and certain individuals connected with its business, or others; and (e) to allow us to pursue available remedies or limit the damages that we may sustain. We require all third parties to respect the security of personal data and to treat data in accordance with the law. We do not allow our third-party service providers (acting as processors) to use personal data for their own purposes and only permit them to process personal data for specified purposes and in accordance with our instructions.
Transfers of personal data to locations outside the United Kingdom
Our sharing of personal data with the third parties identified above will result in the transfer of personal data to locations outside of the UK, which may have data protection rules that are different from those in the UK. Whenever we transfer personal data out of the UK, we ensure at least one of the following safeguards is implemented:
- We transfer personal data to countries that have been deemed by the UK government to provide an adequate level of protection for personal data. This applies in respect of any transfer of personal data to locations from the UK to the European Economic Area.
- For transfers from the UK to countries not considered adequate (such as when we share personal data with third parties), we rely on adequate measures, such as standard contractual clauses, which give personal data the same protection it has in the UK. Anyone may obtain a copy of these measures by using the information in the ‘Contact Us’ section below.
Keeping data safe
We strive to keep information as secure as possible. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. Measures we take include placing confidentiality requirements on our staff members and service providers and destroying or permanently anonymising personal data if it is no longer needed for the purposes for which it was collected.
Storing personal data
- While we have an ongoing relationship with the Prospective Customer and provide our services to it (for example, for as long as it has an account with us or keeps using our services);
- Where we are required to do so in accordance with legal, regulatory, tax, and accounting requirements; and
- Where we need to have an accurate record of the Prospective Customer’s dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to personal data or dealings (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
Individuals’ legal rights
Under certain circumstances and subject to certain exemptions, individuals have rights under data protection laws, to request to access, update, correct, suppress, restrict or delete their personal data provided to us, object to the processing of their personal data, or request to receive an electronic copy of their personal data for purposes of transmitting it to another company (where the right to data portability is provided to such individuals by applicable law). We may ask an individual making any such requests for additional information to confirm their identity and for security purposes, before responding to a request they raise. We reserve the right to charge a fee where permitted by law, for instance if the request is manifestly unfounded or excessive. An individual can exercise their rights by contacting us using the details below in the ‘Contact Us’ section. Subject to legal and other permissible considerations, we will make every reasonable effort to honour the request promptly or inform the individual if we require further information in order to fulfil the request.
How to contact regulatory authorities
Individuals also have the right to report a concern to an appropriate regulatory authority, depending on where they have their habitual residence or place of work, or where an alleged infringement of applicable data protection law occurs. For the UK, this is the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). For the EEA, a list of data protection authorities is available here.