This policy is established by TCM Group International ehf, situated at Sudurlandsbraut 4a, 108 Reykjavik, Iceland, registered in the Icelandic company database under company registration number: 650315-0300.
Who we are
TCM Group is an alliance of independently owned debt collection companies and legal firms offering ethical and professional debt recovery solutions to clients on a national and international basis. TCM Group forms an alliance focusing on debt collection following ethical procedures by applying high moral standards to our way of doing business. In this policy, references to “us”, “we”, “our” and “ours” are references to TCM Group.
We collect, use and are responsible for certain personal information about you. When we do so, we are regulated under the General Data Protection Regulation (also known as the GDPR) which applies across the European Union (EU) and the European Economic Area (EEA).
For the purposes of relevant data protection law, TCM Group is acting as a data controller, and as a data processor (when providing the TCM Portal – for more information see the section ‘Our website and Portal’ below).
Our website and Portal
In this policy, when we refer to website, we mean: https://www.tcmgroup.com and all of its pages.
References to the TCM Portal refer to our private exchange platform, being a cloud-based confidential and secure environment for use by TCM Members and TCM Group, which is available via the following address:
(i) A visitor to our website;
(ii) A user of the TCM Portal;
(iii) A member of TCM Group’s debt recovery alliance which exchange and share information to facilitate
international debt recovery solutions (TCM Members);
(iv) or an individual whose personal data is collected and processed by TCM Members via the TCM Portal or by TCM Group directly, for the purpose of facilitating of debt collection.
All personal information provided to the TCM Group is held on our secure servers and/or within the TCM Portal.
Throughout our website we may link to other websites owned and operated by certain trusted third parties, including TCM Members. These other third-party websites may also gather information about you in accordance with their own separate privacy policies. For privacy information relating to these other third-party websites, please consult their privacy policies as appropriate.
Our collection and use of your personal information
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect personal information about you when you access our website, register with us (for example, as a TCM Member), contact us, send us feedback, use our services and/or the TCM Portal or upload material to our website and the TCM Portal.
We collect this personal information from you directly, such as when you register with us, contact us or when you use our services via our website and/or the TCM Portal, as a TCM Member.
When you visit our website, you may be asked to provide certain personal information such as your name, address, email and telephone etc.
As a TCM Member, when referring outstanding debts to other TCM Members or when uploading them to the TCM Portal, you will also be asked to supply details of third-party contacts, such as your client details or details related to an individual debtor.
We may also collect information about you indirectly, for example, if you are an individual subject to a debt recovery procedure, and your personal data has been transmitted to us by one of our clients or by a TCM Member. In this case, we comply with Article 14 of the GDPR and will provide you with our identity and contact details, the purposes of the processing and the categories of the personal data concerned, where we are legally required to do so.
Examples of where we collect personal data about you from other sources (i.e., not from you directly) may include:
- Personal data collected from a third-party for the purpose of debt collection regarding one or more individuals.
- This personal data is likely to be transferred to a TCM Member from clients which are pursuing debt collection activities against an individual. Such private individuals may include commercial businesses, organisations, financial institutions or freelancers. The categories of personal data collected from these sources will always be limited to categories of data which will facilitate debt recovery.
The personal information we collect about you depends on the particular activities carried out through our website or the TCM Portal and whether you are a website user, a TCM Member or an individual subject to debt recovery. This information may include:
- your name, address and contact details
- date of birth
- bank account and payment details
- details of any feedback you give us by phone, email, post or via social media
- information about the services we provide to you
- your account details, such as username, login details
- passport or ID document details
- vouching information of the debt owed by an individual pursued in the recovery of a debt (which may indirectly
identify an individual)
- the amount of debt owed to a creditor (where such information may indirectly identify an individual)
- the justification or nature of the debt owed to a creditor (such documents may indirectly refer to an individual),
- national identity number
We use this personal information to:
- enable ethical debt collection as between TCM Members
- support TCM Group’s legitimate business activities in the field of debt recovery
- create and manage your membership with us (if you are a TCM Member)
- verify your identity
- develop and adjust the services we provide
- notify you of any changes to our website or to our business and services that may affect you, and
- improve our services
This website is not intended for use by children and we do not knowingly collect or use personal information relating to children, except when necessary for and limited to the identification or justification of the debt. Furthermore, no indirect collection of personal data by using cookies will take place when visiting our website or using the TCM Portal.
Sensitive Personal Data
Indirectly, the TCM Group may collect and process personal data related to an individual debtor that can be categorized as sensitive personal data under the GDPR (also known as Special Categories of Personal Data).
Sensitive personal data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Usually, we need to obtain your express consent to process such sensitive personal data. However, according to Article 9(2)(f) of the GDPR, consent from an individual is not necessary when processing of the personal data is necessary for the establishment, exercise or defence of legal claims which applies to our debt recovery practices. We process some sensitive personal data for the purpose of knowing the whereabouts of an individual debtor, but we do so without directly processing any sensitive personal data related to specific health or social conditions or specific criminal convictions.
Our legal basis for processing your personal information
When we use your personal information, we are required to have a legal basis for doing so. There are various different legal bases on which we may rely, depending on what personal information we process and why, and whether you are a website visitor, a TCM Member or an individual subject to debt recovery proceedings.
The legal bases we may rely on include:
- Contract: where our use of your personal information is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract. Processing personal data of TCM Members falls into this category.
- Legal obligation: where our use of your personal information is necessary for us to comply with the law
(not including contractual obligations).
- Legitimate interests: where our use of your personal information is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect your personal information, which overrides our legitimate interests). In most cases, this is the legal basis which allows us to collect and process personal data on individual debtors. The balancing of interests between those of the companies pursuing unpaid debts and those of the individual debtors has been subject to an assessment by the data protection supervisory authority in the UK. For more information about legitimate interests and how this legal basis can apply to the processing of personal data, please see the ICO Guidance on Legitimate Interests,
which is available: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/#interests_override
‘Cookies and other tracking technologies’ below.
Who we share your personal information with
We routinely share personal information related to individuals who are subject to debt collection initiatives via the TCM Portal and between TCM Members and TCM Group. This information is collected and distributed by and between TCM Members and processed by the same or other TCM Members.
TCM Members form part of the TCM Group’s global debt collection network. For the purpose of debt collection, TCM Group and TCM Members may share personal data with third parties. Such third parties may include, but are not limited to, tracing agents, legal representatives and agents for service of legal process. This data sharing enables ethical and fair recovery of outstanding debts.
We may also share your personal data with our external suppliers and service providers to ensure the proper administration of our services. For example, we may share your personal data with third party service providers providing us with IT, development, cloud hosting and storage, marketing and customer engagement providers, legal, financial and tax services. We may also share personal information with law enforcement or other authorities if required by applicable law.
This data sharing practice enables the relevant third parties to carry out their tasks and also allows us to properly provide our services to all relevant stakeholders, including provision of the TCM Portal. In all cases, the TCM Members and any of our third-party suppliers processing data on our behalf or in their capacity as a separate data controller are always bound by contractual guarantees and, where relevant, are also bound by rules of professional secrecy.
Information provided via our website or the TCM Portal will not be sold or rented to any other third party without your prior consent.
In all cases, your personal information will be kept strictly confidential and only used for the purpose of performing services on behalf of TCM Group or the TCM Members.
Some of the TCM Members and third-party debt collector service providers may be based outside the EEA — for further information including on how we safeguard your personal data when this occurs, please see ‘Transfer of your information out of the EEA’.
How long do we store your personal information
There are strict limitations on how long we are allowed to store your information. In accordance with the GDPR we will not store personal information longer than what is necessary for the purpose of the processing of the collected personal data. This will be our general benchmark for retention of personal data. If you are a visitor to our website, the timeframe that we will keep your personal data will simply be during your visit to our website until you change page or close your browser. If you are a TCM Member, or a representative of a TCM Member, we will keep your personal data for as long as you have a contract with us and/or remain a TCM Member. If you are an individual subject to a debt recovery claim, we will keep your data for as long as is required to satisfactorily resolve the debt claim. When this is in our capacity as a data processor as a provider of the TCM Portal to other TCM Members, we will keep such personal data until we are otherwise instructed to do so by the relevant TCM Member(s) (acting as data controller(s) of your personal data), provided that such data retention does not conflict with the applicable law.
We may have to keep your personal data for a longer period of time, in order to comply with a legal or technical obligation or to establish, exercise or defend legal claims. However, when it is no longer necessary to retain your personal information, we will delete or anonymise it. As such, all personal data regarding an individual subject to debt collection will have his/her data anonymised where possible, and for any personal data contained in the TCM Portal, 12 months after the claim status reflects as closed.
Automated decision – making
TCM Group does not perform automated decision-making in relation to use of any type or category of personal data. No automated decision-making will be done in combination with the collection and/or processing of personal data from website visitors, TCM Members or individuals subject to debt collection
Transfer of your information out of the EEA
Due to the fact that TCM Group is an international alliance of debt collectors, enabling ethical and fair debt collection across the world, personal data will be transferred from countries inside the EEA to countries outside EEA. The transfers mainly consist of transfers between TCM Members via the TCM Portal.
Since the TCM Group alliance consists of TCM Members from all continents, and is frequently updated as our network expands, please contact us directly if you have any questions regarding personal data transfers to specific countries or wish to obtain a complete and up-to-date list of TCM Members and their respective locations. Nonetheless, here is an overview of how your personal data may be transferred outside of the EEA:
- To TCM Members established in over 135 countries worldwide. The purpose of these transfers is to enable information sharing on individual debtors among the TCM Members in order to facilitate debt recovery on behalf of individual TCM Members and/or on behalf of their clients.
- To third parties established in any of the non-EEA countries where TCM Group and the TCM Members are facilitating ethical and fair debt collection. These third parties may include tracing agents, legal representatives, agents for service of legal process’ or similar entities enabling debt collection.
The European Commission has given a formal adequacy decision regarding a number of countries outside of the EEA to which personal data will be transferred. These countries are therefore considered to provide adequate protection of personal data. Therefore, when we conduct transfers of personal data to countries benefiting from an adequacy decision, such transfers are considered to be subject to adequate protection to personal data, in accordance with what we can expect in the EEA.
In other cases, when transferring personal data to countries outside the EEA and outside the European Commission adequacy scheme, TCM Group requires that the Standard Contractual Clauses (SCCs) be entered into to secure the transfer of personal data outside of the EEA. The SCCs are permitted by the European Commission and are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information. This practice will also apply to transfers from the EEA to the UK after Brexit. When transferring data to the US, we also rely on the EU-US Privacy Shield Mechanism where the receiving company is certified.
In all other cases, when the data protection laws permit us to do so, we may rely on Article 49(1)(e) of the GDPR for transfer of personal data to a country outside of the EEA, when the transfer is necessary for the establishment, exercise or defence of a legal claim.
If you would like further information, please contact our CEO in charge of data protection issues, Shaun Duncan (see ‘How to contact us’ below).
We will not otherwise transfer your personal data outside of the EEA or to any organisation (or subordinate bodies) governed by public international law or which is set up under any agreement between two or more countries.
Cookies and other tracking technologies
TCM Group is currently not engaging in any marketing activities. If, in the future, we decide to contact you for marketing purposes, all applicable laws will be complied with meaning that we would we only do so where we have your consent.
Under the GDPR you have a number of important rights (which are generally free of charge). In summary, those include rights to:
- Fair processing of information and transparency over how we use your personal information.
- The right to request erasure of your personal data, known as the right to be forgotten, unless we
are required to retain such data in order to comply with a legal obligation or to establish, exercise
or defend legal claims.
- Receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations. We may require you to prove your identity before providing this information, and if you require multiple copies we may charge a reasonable admin fee.
- Object at any time to processing of personal information concerning you for direct marketing.
- The right to object to processing of your personal data where the legal justification for our processing of your personal data is in our legitimate interest. We will abide by your request unless there are legitimate grounds which override your interests or rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.
- Object in certain other situations to our continued processing of your personal information.
- The right to request restriction of processing of your personal data if you believe that the data is incorrect, or; if our processing is unlawful, or; if we no longer need to process your data for a particular purpose but cannot delete it due to a legal obligation or because you do not want us to delete it.
- Claim compensation for damages caused by our breach of any data protection laws.
For further information on each of those rights, including the circumstances in which they apply, please visit the website of the Icelandic Data Protection Authority which is available: https://www.personuvernd.is/information-in-english/
If you would like to exercise any of those rights, we would always prefer to resolve the matter with you directly. Therefore, please:
- e-mail us at email@example.com,
- let us have enough information to identify you,
- let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
- let us know the information to which your request relates, including any account or reference numbers, if you have them.
For further information on how to exercise your rights, please see the section below, entitled ‘How to complain’.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way.
We take security seriously and regularly review our programs and systems. As such, TCM Group’s private secure messaging exchange platform (the TCM Portal) was successful in being granted a Certificate of Compliance in October 2019, confirming compliance with the extensive system security from SilkSoftware House which is available:
Furthermore, we limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Whilst we strive to protect your personal information, TCM Group cannot ensure or warrant the security of any information you transmit to us online given the inherent nature of the internet. All information is supplied to us at your own risk. More generally, if you want detailed information on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit http://www.getsafeonline.org.
How to complain
We hope that we can resolve any query or concern you raise about our use of your personal information.
The GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the EU (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred.
The supervisory authority in Iceland (where TCM Group is based) is the Icelandic Data Protection Authority who may be contacted:
- By Post: Icelandic Data Protection Authority, Rauðarárstígur 10, 105 Reykjavík, Iceland
- Telephone: +354 510 9600
- Email: firstname.lastname@example.org
For more information concerning claims and appeal, please visit the website of the Icelandic Data Protection Authority: https://www.personuvernd.is/information-in-english/
How to contact us