Effective date:  May 15, 2018

Introduction

Your privacy is important to CSI Leasing, Inc., and its global affiliates (collectively “CSI” or “we” or “our”). This Policy explains what Personal Data we collect from you, why we collect and process your personal data, when and with whom your personal data is shared, and your rights with respect to your Personal Data.

In this Policy the term “Personal Data” means data that identifies or may be used to identify an individual person, including, but not limited to, a person’s name, date of birth, job title, address, email, phone number, or employer.

In order to provide outstanding service, we must collect, maintain and process certain Personal Data about our customers, suppliers and other business contacts. We recognize and respect your privacy concerns and expectations about how we use this information. We want you to know about our privacy policies and practices, and what we do to protect your Personal Data.

Personal Data We Collect on our Website

In general, you can visit CSI websites without telling us who you are and without giving any personal data about yourself. There are times, however, when we may need information from you. When you select the “Contact CSI” button, we will ask you to read and agree to this Privacy Policy before you submit your Personal Data to us.

If you apply for a job through our websites, we may collect and process Personal Data you submit to us such as name, address, references, and employment history in order to evaluate your qualifications for a job and contact your references. We will retain your information until the position is filled and for up to six months after the position is filled in case other positions become available.

In all cases in which you submit personal information over our websites, you may tell us that you do not want us to use this information to make further contact with you beyond fulfilling your requests, and we will respect your wishes. If you give us personal information about someone else, such as a spouse, a reference, or a work colleague, we will assume that you have that person’s permission to do so. In any case, we will only retain your personal data for as long as we have a legitimate and lawful reason to do so.

When you visit our websites, CSI may collect certain non-personal data by various means, one of which is “cookies.” Cookies tell website operators to recognize your computer when you revisit a site. Cookies help to improve the use of the website. Cookies also allow Web sites to analyze aggregate traffic on the site, in order to streamline navigation and keep the content fresh for all visitors. You can configure your browser to reject cookies.  Cookies do not contain personal data, nor can they read or transmit any data on your computer’s hard drive.  Regardless of cookies, all web-browsers transmit the IP address of the computer on which they are running).  For most users accessing our websites from an Internet Service Provider (ISP), the IP address will be different every time you log on.  IP addresses may be used for various purposes, including to: (1) diagnose service or technology problems reported by our users or engineers that are associated with the IP addresses controlled by a specific Web company or ISP, (2) develop the most appropriate advertising based on geographic area or information derived from IP addresses, (3) estimate the total number of users visiting CSI from specific countries or regions of the world, (4) assist CSI to track visits to our Web site, and (5) help determine which users have access privileges to certain CSI Web site content.

Personal Data We Collect from Customers and Suppliers

In order to carry out our business and to fulfill our contractual obligations, CSI must collect and process Personal Data of prospective and existing customers or suppliers.  Examples of the types of Personal Data that CSI may collect from its customers, suppliers and other business contacts are:

• Name, title, address, email, and telephone number
• Proof of address such as copies of utility bills
• Copies of passports or other government issued identification
• Tax identification numbers
• Signatures on legal contracts
• Payment information
• Financial statements or other financial information

Why We Collect Personal Data

CSI only collects Personal Data for lawful purposes. These include:

• To provide customers with leasing products or services
• To facilitate the approval of transactions
• To obtain financing in connection with leasing products or services
• To provide advice on leasing or equipment finance
• To respond to requests from the customer, financier, or supplier
• To detect or prevent fraud
• To assess or manage risk
• To perform internal audits
• To comply with anti-terrorism, anti-bribery, or anti-money laundering laws or other laws
• To comply with legal process, subpoenas, or other requests from government bodies
• As part of a sale, merger, acquisition, or similar change of control
• To ensure data security

Specific Rights regarding Personal Data of European Citizens

If you a citizen of Europe residing within the European Economic Area, you may have the following rights under the General Data Protection Regulation:

• to be informed of this Policy and how CSI uses and processes your Personal Data;
• to request a copy of the Personal Data we have collected;
• to request that we correct any Personal Data that is inaccurate or incomplete;
• to request that we to delete or transfer to your possession such Personal Data for which we no longer have lawful reason to keep;
• to object to the processing of your Personal Data and to lodge a complaint with the relevant data protection authority.

Our Data Protection Principles:

CSI will treat your Personal Data as confidential.  We respect your right to privacy.  In all cases in which we collect your Personal Data according to this Policy, we will abide by the following principles:

• We will only collect your Personal Data with your full knowledge
• We will only collect and keep your Personal Data for a lawful purpose
• We will only keep that Personal Data which is necessary for the lawful purpose
• We will only keep your Personal Data for as long as the lawful purpose exists
• We will keep your Personal Data accurate to the extent it is reasonably practicable to do so
• We will store your Personal Data securely to prevent unauthorized or unnecessary disclosure
• We will process your Personal Data in accordance with your rights under the relevant data protection laws
• We will not transfer your Personal Data outside of its country of origin unless adequate protections are in place

Transfer or Sharing of Your Personal Data

Subject to the above Data Protection Principles and the terms of any valid and fully-executed non-disclosure agreement, CSI may transfer or share your personal data in the following circumstances:

1. Among our affiliates and wholly-owned subsidiaries, including our sole shareholder, Tokyo Century Corporation for the lawful purposes described in this Policy;
2. To third parties such our banks, financiers, couriers and suppliers in order to deliver our services or to fulfill or enforce a contract;
3. To our attorneys, auditors, IT professionals or other third party service providers for the lawful purposes described in this Policy;
4. To government, regulatory, judicial or law enforcement bodies in response to official requests.

CSI may also utilize cloud based customer relationship management or IT service providers to store and process personal data.  In all cases CSI will take reasonable steps to ensure that adequate technical and organizational measures are in place so that the transfer and storage of your personal data is secure from unauthorized disclosure, alteration or deletion.   CSI Leasing, Inc. has self-certified under the US-EU Privacy Shield Program.  We have agreed to comply with the Privacy Shield Framework set forth by the US Department of Commerce with regard to the transfer of Personal Data of citizens of the European Union to the United States.  Our Privacy Shield Policy can be found on our website.  To learn more about the Privacy Shield Program and to view CSI’s certification, please visit https://www.privacyshield.gov.

Case Studies

CSI websites may contain “case studies” describing scenarios when CSI customers benefited from CSI’s services and expertise.  Because no two customers are alike, these case studies should only serve as examples of other customers’ experiences, and thus may differ from your experience.

Anti-Spam Policy

CSI does not tolerate spam and is committed to proper Web practices and full compliance with the CANSPAM Act of 2003 (15 U.S.C. §7701.) We do not sell or rent e-mail addresses to any unauthorized third party. This does not mean that we can prevent all spam from happening on the internet. If you believe that you have received an unsolicited e-mail from us, please contact CSI at dpo@freedomtech.co.uk and we will investigate.

Children

CSI websites are not intended for visitors under 18 years of age. We do not knowingly market our products or services to children.

Notices and Revisions

CSI may revise this privacy policy from time to time. You should periodically check the revision date at the top of this Web page to learn of any revisions.

Information about the consent to Albacross processing of personal data  

We obtain your consent to the processing of personal data on the behalf of Albacross Nordic AB (“Albacross”).

Information collected from cookies set in your device that qualify as personal data will be processed by Albacross, a company offering lead identification and ad targeting services with offices in Stockholm and Krakow. Please see below for full contact details.

The purpose for the processing of the personal data is that it enables Albacross to improve a service rendered to us and our website (e.g “Lead Generation” service), by adding data to their database about companies.

The data that is collected and used by Albacross to achieve this purpose is information about the IP-address from which you visited our website, and technical information that enables Albacross to tell apart different visitors from the same IP-address. Albacross stores the domain from form input  in order to correlate the IP-address with your employer.

For the full information about our processing of personal information, please see our full Privacy Policy.

You may at any time withdraw your consent to this processing. Such withdrawal may be made either by contacting us, or by contacting Albacross directly.

Albacross Nordic AB
Companyreg. no 556942-7338
Kungsgatan 26
111 35 Stockholm, Sweden
www.albacross.com – contact@albacross.com

Contact CSI Leasing

To “opt out” or make other choices about your Personal Data or to exercise your rights, please email dpo@freedomtech.co.uk.

Our calls may be monitored or recorded for quality assurance and training purposes.

Effective date:  March 10, 2021

Purpose

The purpose of this policy is to govern the procedures for call recording within CSI Leasing UK Limited, EPC UK Limited and Freedom Tech Limited and the management of access and use of telephone call recordings. The implementation of recording of telephone calls was agreed in order to support effective training and delivery of excellent customer service, and to enable the businesses to deal efficiently with internal or external complaints.

Scope

The policy aims to minimise intrusion by restricting access to and use of recordings to limited and specified purposes only. This policy outlines: ¢ Recorded information ¢ Purposes of call recording ¢ Access and availability ¢ Information Security (including Data Protection and Notification) ¢ Monitoring and review

Managing the Policy

a. Compliance

This policy applies to all staff, whether permanent or temporary, members and contractors.

b.  Advice and Training

If you do not understand anything in this policy or feel you need specific training to comply with it you should bring this to the attention of your line manager.

The Compliance Ambassador is able to provide further advice in respect of this policy.

Recorded information

All calls received or made from nominated extensions will be recorded utilising the https://advancedcomms.co.uk/TRC497391#!/app/welcome Gamma Horizon (Daisy) call recording system and may be stored securely within the Gamma Horizon (Daisy)  systems for up to 12 months.

Telephone calls currently included in the call recording scope are in the following areas: Customer Services and Communications and Sales.

Calls to and from other areas within the business are not currently recorded but may be recorded in any future extension of the telephone recording system.

Calls where the caller provides details of a payment card for the purpose of making a payment to the business will only be recorded in-part to comply with Payment Card Industry Security Standards (PCiDSS).

Purposes of call recording

The purpose of call recording is to provide an exact record of the call which can:

• help protect employees from abusive or nuisance calls;
• establish the facts in the event of a complaint either by a customer or a member of staff and so assist in resolving it;
• help identify employee training needs and to support training new and existing employees
• assist in the company’s quality control (ISO 9001) to identify any issues in business processes, with a view to improving them.

In addition, recordings may provide evidence for crime prevention purposes.

Internal access and availability

Access and playback of recordings will be carefully controlled as per the requirements of the company’s data protection policy. Only those with the appropriate authority can access calls.

They are required to maintain a secure and private password, which is auditable and traceable within the software. The password chosen must meet minimum guidance for security as advised within the company’s ICT Information Security Policy. Access to calls may be for a number of reasons, the main reasons will be for checking accuracy, answering complaints, and for training to improve service and skills. In addition, recordings may be accessed by the ICT Service teams for the purpose of maintaining the call recording system.

Any individual may request to hear call recordings in which they are personally involved, and any manager may request to hear call recordings which involve a member of their team. They should make a request via email or in writing detailing the reason for hearing the recording to the: to the HR & Operations Director.

In their absence, the request may be considered by the Managing Director.

Specific call recordings may be provided to Human Resources or a Disciplinary Hearing Panel for evidence in a disciplinary process.

The IT department will support requests for call recordings for calls transferred internally between managers.

Employees will not normally have access to listen to recorded calls unless the call relates to them, or they have the written authorisation of the requester.

Browsing of recordings for no valid reason is not permitted.

Information security (including data protection and notification)

Recordings constitute the personal data of both the caller and the operator. Therefore, they will be managed in such a way that the rights of data subjects (callers and operators) can be fulfilled, and all the obligations of the data controller (CSI Leasing UK, EPC UK and Freedom Tech Limited) are observed, as per the company’s data protection policy.

Every caller is not notified that the call is recorded and why before the conversation is opened. This will be done through communications on the company’s website and will also refer to a copy of this policy which is located on the company’s website.

A caller may request that their call is not recorded. In this situation the caller will normally be advised to contact the company either in writing or by email. In exceptional circumstances a caller who does not wish to be recorded will be transferred to a non-recorded phone. This decision will be made by a manager, when he or she judges that not doing so could cause distress to the caller.

Recordings will normally be retained for 12 months and then automatically deleted. Some recordings may be retained for longer than thirteen months for the following reasons, if:

• call content is required for a complaint. In this case the recording will be retained until the completion of the complaint procedure and the expiry of any appeals period. If necessary the recording will be retained until the end of any employment tribunal proceedings.
• they have been identified by a member of the company’s management team as valuable for staff training. In this case the recording will be retained until it is no longer useful for this purpose.
• identified as evidence for the record-keeping requirements of the company’s procedure for dealing with unacceptable behaviour towards staff and unreasonably persistent complainants.

Customers/callers have the right to listen to or have copies of recordings made of their own calls, requests for access need to be made via the company’s Subject Access Request (SAR) procedures. These recordings will be located by reference to the date and time of the call and the employee’s identity. Callers asking for the recordings of their calls will have to provide the reason for the request and enough information about originating telephone number, date and time of the call and employee to enable them to be found. 6

All reasonable attempts will be made to confirm that the identity of the individual making the subject access request matches the identity of the caller. If in doubt the final decision will be made by GDPR Ambassador.

A permanent copy of the recording will be provided in a format the company can reasonably expect the enquirer will be able to use taking account of the individual’s preference (if any) and practicality and cost of preparation. Formats could include WAV, MP3 or other digital format, or a transcript.

It is senior managements responsibility to ensure all employees are aware of call recording policy and procedures.

Monitoring and review

Access to the system is logged and is traceable through the use of identifiable username and secure password. Access and usage may be monitored at any time to ensure adherence with the policy.

If a breach of procedure is believed to have taken place, the concern should be raised with the GDRP Ambassador in the first instance.

This policy will be reviewed on a bi-annual basis or when significant changes to the call recording system take place.