GDPR applies to all organisations established in the European Economic Area (EEA) and also to those established outside the EEA, when their processing activities relate to the offering of goods and services to individuals in the EEA or to the monitoring of individuals' behaviour within the EEA. 

This note is intended to set out the data privacy issues as they impact on our clients, our banks, our service providers and any other organisation with whom we deal (each a "partner") in respect of data processed by any of our panel of banks and/or funding institutions and, to a more limited extent, our partners' contact data as it is held and/or processed by ourselves. 

AFM as Data Processor: 

We do not gather, record, store or otherwise process Personal Data other than that which we need for our contacts with a partner in order to maintain the communication necessary to enable swift and flexible responses to our respective business needs. This Personal Data is managed in line with the attached Data Protection Policy (which will be updated from time to time) and the Data Security Incident and Audit Procedures for our hosting services. If we are required by a partner at any time to handle any other Personal Data (including for example, any processing related to employee salary schemes) we will do so solely under the relevant employer's instructions and, unless otherwise instructed by them, we will immediately, after completing the exercise, delete any such Personal Data from our systems and records. 

AFM may process Personal Data for the following purposes: 

  • Communicating with partners about our products, services and projects, e.g. by responding to inquiries or requests or providing technical information about our products and services;

  • Planning, performing and managing the (contractual) relationship with partners; e.g. by performing transactions and orders of products or services, processing payments, performing accounting, auditing, billing and collection activities

  • Administrating and performing customer surveys, marketing campaigns, market analysis or other promotional activities;

  • Maintaining and protecting the security of our services and websites, preventing and detecting security threats, fraud or other criminal or malicious activities;

  • Ensuring compliance with legal obligations (such as record keeping obligations), partner compliance screening obligations (to prevent white-collar or money laundering crimes), and AFM policies or industry standards; and

  • Solving disputes, enforce our contractual agreements and to establish, exercise or defend legal claims.

The legal basis for our processing data about individuals is the exercising of our rights and performing our obligations under any contract we make with our partners and our legitimate interests (the efficient performance or management of our business relationship with partners). During the process of underwriting our finance transactions, we will ask for consent to the relevant use of Personal Data.

Funding Institutions (assignees) as Data processors: 

Our banks and funding institutions acknowledge publicly that, in the processing of a client's Personal Data, the provisions of GDPR are paramount whether at the point of making initial anti-money laundering, credit reference or other background checks; or in terms of storing Personal Data in the form of contact details during the period of the finance in place. During the process of underwriting our finance transactions, and prior to submitting details necessary for this exercise, we will ask for consent to the relevant use of Personal Data.   

For further information on how Personal Data will be used by our funding institutions, please contact your account director or use our Contact page.

If you have any further questions or need to discuss any issues around GDPR, please use our contact page  

Additional documents 

Hosting security policy: administrative safeguards and security incident procedures 

General controls supporting the data center and basic managed hosting services

Data privacy & protection policy