Data Protection Policy

Privilege Plan

Data Protection Policy EU-GDPR 2018 

Our Data Protection Policy explains why we require personal data, what we do with personal data, how we store it and manage the security and deletion of personal data. Personal data is defined as any information that directly or indirectly identifies you.

Your data is protected by the General Data Protection Regulations and we last reviewed this policy in 2019 to ensure our policy is compliant with these regulations.

There are six protection principles associated with GDPR (General Data Protection Regulations) and we have listed them below, together with our policy statement against each principle:

  1. Data must be processed lawfully, fairly and transparently

Privilege Plan Ltd gathers information from individuals who wish to pay for health-related services by Direct Debit. The following information is recorded by individuals when they complete the application form and Direct Debit Instruction. We have also explained why we need each item of information:

Name and address – so we may create a record on our system that identifies you as a plan member, we may also correspond with you when details of the Direct Debit change.

Date of Birth – this is not a mandatory requirement, however where you have supplied your date of birth we will ask you to confirm this to us should you contact us to request changes to your personal data or Direct Debit.

Telephone number – this is not a mandatory requirement however we may need to contact you if there is a query on your Direct Debit application form. If you do not wish to provide your telephone number and we do have a query, we would write to you at the address provided.

Bank account information – we require the bank account from which the Direct Debit is to be taken.

Your signature – is required to record the authorisation you have provided for us to take Direct Debit payments from your bank account.

Your signature also records your agreement that we may record, store and use your personal data in the execution of our services of collecting Direct Debit payments. This forms a contract of consent from you to us.

You can withdraw your consent at any time and ask us to delete your personal data from our records.

You have right of access to personal data kept by us.

You have the right to request us to move your data to another service provider.

If an application is received by our paperless sign up service the submission of the form is deemed to be the equivalent of a signature.


  1. Collected only for specific legitimate purposes

Privilege Plan Ltd will collect the personal data listed above for the sole purpose of setting up, collecting and administering Direct Debits. If our business merges with another business or is acquired by another business, this information may be provided to the new business in order that the service provided is continuous. We will not supply or sell your personal data to any other company or individual for any other reason.

Some products include a supplementary insurance benefit. Under these circumstances your details will be supplied to the company underwriting the insurance policy to ensure you may make a claim when required.

  1. Adequate and relevant and limited to what is necessary

Privilege Plan Ltd collect personal data that is relevant for the setting up and collection of Direct Debits. You do not have to supply your date of birth or telephone number unless you wish to do so. All other information is required.

  1. Must be accurate and kept up to date

We take care to record personal data supplied accurately. This includes a validation check of your bank details to confirm the sort account and account number match with records at your paying bank. All information taken from the application form is checked against a print out and corrections to keying in errors are completed. If you complete an on-line application form this information is imported directly into our software to avoid keying errors.

You may contact Privilege Plan at any time to correct or update your personal information if it changes.

  1. Stored only as long as necessary

Privilege Plan Ltd will retain your personal data on the paper form and on our computerised database whilst you continue to pay by Direct Debit. If you cancel your Direct Debit, your personal data will remain in our archived record. You can ask us to delete both the electronic record and shred the paper application form containing your personal data.

  1. Ensure appropriate security, integrity and confidentiality

All electronic transmissions to BACS (Bankers’ Automated Clearing Services) are encrypted. This means the information is converted into a code to prevent unauthorised access. The software system we use to record and store personal data is approved of by BACS and conforms to the latest encryption level known as SHA-2 and TLS 1.2. Access to personal data is restricted and password protected and only duly authorised officers of the company are supplied with a digital signature and smartcard certificate.

Further information about our Data Protection Policies

The Directors of Privilege Plan Ltd are responsible for ensuring the Data Protection Policy is compliant with data regulations and that the physical environment, systems and processes are developed, monitored and adapted to ensure data protection. The Directors take the responsibility of handling personal data very seriously, and have high standards of personal and professional probity. We will never inappropriately share your data for gain or profit.

Record of all data processing operations

Direct Debit Instructions provided on paper mandates are input into database for the purpose of recording the details of the payer and to provide an interface with BACS for the collection of Direct Debits.

On-line forms are automatically imported into the database. Information provided on line is not retained in any other database.

We will occasionally write to individuals to inform them of changes to their Direct Debit. Privilege Plan Ltd may use a third party print management company, Integrity Print to fulfil large scale mailings. Necessary personal data; being name and address is supplied to allow this fulfilment. Privilege Plan Ltd have access to their Information Security Policy Statement and can confirm their policy states compliance to EU-GDPR.

Privilege Plan provide administration to third party clients who offer health schemes to their patients. Part of our service to the third party client is to supply monthly reports, showing current plan members. Reports supply only the name and a unique refence number, no other personal data is included in report fields. Most reports are accessed via a secure portal which is password protected. Some reports are provided by email when a client requests information.

Paper application forms are stored in files which are kept in a secure, locked area. Computers and lap tops have restricted access by duly authorised officers and are password protected. Bank details are not visible on the pink copy of the application form which is retained at the client premises for their own records.

All employees of Privilege Plan Ltd are aware of our Data Protection Policy and training is provided to keep up to date with legislation and to ensure everyone working within the organisation understands the importance of Data Protection and compliance.

The company does not currently have a data protection officer due to the nature of the personal data gathered and stored.

Queries and complaint process

If you are unhappy about any aspect of our Data Protection Policy or you have a question about our policy, you contact us:

Telephone 01536 771219


In writing to:

Managing Director

Privilege Plan Ltd

2 The Gardens

East Carlton


LE16 8YG


Data Protection breach

If your personal data is obtained by a third party due to a breach in our security we will inform the Information Commissioner with 72 hours of the breach coming to our attention. We will also inform you in writing.