GDPR applies to all organisations established in the European Economic Area (EEA) and also to those established outside the EEA, when their processing activities relate to the offering of goods and services to individuals in the EEA or to the monitoring of individuals' behaviour within the EEA. 

This note is intended to set out the data privacy issues as they impact on our clients, our banks, our service providers and any other organisation with whom we deal (each a "partner") in respect of data processed by any of our panel of banks and/or funding institutions and, to a more limited extent, our partners' contact data as it is held and/or processed by ourselves. 

AFM as Data Processor: 

We do not gather, record, store or otherwise process Personal Data other than that which we need for our contacts with a partner in order to maintain the communication necessary to enable swift and flexible responses to our respective business needs. This Personal Data is managed in line with the attached Data Protection Policy (which will be updated from time to time) and the Data Security Incident and Audit Procedures for our hosting services. If we are required by a partner at any time to handle any other Personal Data (including for example, any processing related to employee salary schemes) we will do so solely under the relevant employer's instructions and, unless otherwise instructed by them, we will immediately, after completing the exercise, delete any such Personal Data from our systems and records. 

AFM may process Personal Data for the following purposes: 

  • Communicating with partners about our products, services and projects, e.g. by responding to inquiries or requests or providing technical information about our products and services;

  • Planning, performing and managing the (contractual) relationship with partners; e.g. by performing transactions and orders of products or services, processing payments, performing accounting, auditing, billing and collection activities

  • Administrating and performing customer surveys, marketing campaigns, market analysis or other promotional activities;

  • Maintaining and protecting the security of our services and websites, preventing and detecting security threats, fraud or other criminal or malicious activities;

  • Ensuring compliance with legal obligations (such as record keeping obligations), partner compliance screening obligations (to prevent white-collar or money laundering crimes), and AFM policies or industry standards; and

  • Solving disputes, enforce our contractual agreements and to establish, exercise or defend legal claims.

The legal basis for our processing data about individuals is the exercising of our rights and performing our obligations under any contract we make with our partners and our legitimate interests (the efficient performance or management of our business relationship with partners). During the process of underwriting our finance transactions, we will ask for consent to the relevant use of Personal Data.

Funding Institutions (assignees) as Data processors: 

Our banks and funding institutions acknowledge publicly that, in the processing of a client's Personal Data, the provisions of GDPR are paramount whether at the point of making initial anti-money laundering, credit reference or other background checks; or in terms of storing Personal Data in the form of contact details during the period of the finance in place. During the process of underwriting our finance transactions, and prior to submitting details necessary for this exercise, we will ask for consent to the relevant use of Personal Data.   

Post Brexit situation: AFM believes that the best outcome for business is that the current negotiations on the United Kingdom’s exit from the European Union (“Brexit”) will result in a transition period and future arrangements which will support business. However, there is still much uncertainty and, although we do not process Personal Data (other than business-2-business and contractual names and contact details - see above), we intend to obsreve the advice and guidelines laid down by the Office of Information (see in tems of data privacy, processing and management. The UK government plans to incorporate the provisions of GDPR into UK law alongside the Data Protection Act 2018 after Brexit. This means that, if you are a business or organisation in the EEA that sends us any personal data, you can rest assured that we comply with EU data protection laws. Therefore, any references to the General Data Protection Regulation (GDPR) in our contracts or other corporate documentation will include the UK Data Protection Act 2018 to the extent it applies. Other references to EU or European Economic Area (EEA) legislation will include any implementing or equivalent UK legislation, to the extent relevant.

If you have any questions or need to discuss any issues around GDPR, please see our contact page.

For further information on how Personal Data will be used by our funding institutions, please contact your account director or use our Contact page.

If you have any further questions or need to discuss any issues around GDPR, please use our contact page  

Additional documents 

Hosting security policy: administrative safeguards and security incident procedures 

General controls supporting the data center and basic managed hosting services

Data privacy & protection policy