Discretionary Commission Arrangements/ PCP

Ibbo4750

I have had PCP Vehicle purchase (from same Toyota dealership) for many years via Toyota Financial Services. I have copies of my PCP Arrangement details from back to 2021 but not prior. I have contact Toyota Financial Services to request my PCP details from 2021 back to 2007, but they have informed me that owing to GDPR they do not hold all my PCP Financial Agreements as they are destroyed after a set period. Can you please advise if this is correct and how I can possibly get hold of my old PCP Agreement details.

Nearlyold

Firms should not hold data longer than necessary, there is no set time but deleting data after 6 years have passed since the data was last needed is generally accepted as reasonable though it can be held for longer.

Were these new vehicles? 

dunstonh

Can you please advise if this is correct and how I can possibly get hold of my old PCP Agreement details.

If you don't have them and they don't have them then no-one else will have them.     They have to destroy data no longer required (6 years is generally considered the norm).   You get to choose how long you hold onto your own data.

English_Surrey_Rose

I found all my Toyota Finance References by trawling through my bank statements, as per Martin's advice on his programme this week.  However, I found some in an email search. So if you're like me and don't delete all your emails, check them too!!

[Deleted User]

@Ibbo4750 They should have the data for all finances that ended in the last 6 years.  Earlier than this you might assist them finding your data by providing the agreement numbers as they may be archived by this not your details.  Old bank statements may have them as the payment reference, ofc any paperwork you can find, and finally Experian and Equifax reports keep the accounts for 7 years after they are finished.  The reports they provide that cost a few quid will give you the start, end, agreement number and general amounts borrowed and paid.  When requesting provide as much information as possible, previous names, addresses, registration plates (previous if you changed them) and preferably a list of your name, address and the reg at the point of sale for each vehicle.  It is very common that the first response is, can't find your information.  By going back with all of this information they may then find you, but they are less than helpful at listing all the information you can provide to assist this.  As others have stated, if they ended over 6 years ago they have the right / duty to destroy this information in line with GDPR but if you are a repeat ongoing customer it is unlikely they have as they can deem it relevant information as you are still a customer.  They usually only do this if you no longer have a relationship with them.

DullGreyGuy

Ibbo4750 said:

I have had PCP Vehicle purchase (from same Toyota dealership) for many years via Toyota Financial Services. I have copies of my PCP Arrangement details from back to 2021 but not prior. I have contact Toyota Financial Services to request my PCP details from 2021 back to 2007, but they have informed me that owing to GDPR they do not hold all my PCP Financial Agreements as they are destroyed after a set period. Can you please advise if this is correct and how I can possibly get hold of my old PCP Agreement details.

GDPR requires companies to delete data as soon as is reasonably practical, to keep it longer they must have a legitimate business need and given the law of limitations is 6 years its hard to argue anything much more than that. 

Even if you managed to trace them somehow it's not going to change the fact that Toyota have deleted the records and likely therefore also the record of any commission paid. Finance agreements are likely to be deleted 6 years after finance is paid off. Commission data is likely to be deleted 6 years after the commission is paid. 

Ultimately the FCA report is going to have to consider what it requires companies to do when data simply no longer exists 

[Deleted User]

@DullGreyGuy that is the guidance but the reality is that firms keep this information long after 6 years as the guidance is grey. Is it legitimate if the consumer is a recurring customer? For most financial firms yes. Then there is the purely logistical side for firms with millions of customers and 10s of millions of accounts with a mix of physical and digital records. LBG alone have had over 30 million customers across the entire group since 1990 (I know this is Toyota not LBG) and simply cannot delete or destroy everything even if they should and the regulator does not have the resources to ‘enforce’ the guidance on that scale. Small agile firms can and will do this, larger firms like Toyota do not. I believe we should encourage those asking questions to exhaust all options and use all tools at their disposal, not quote guidance that is not regularly followed as if it is a definite. I’m not having a pop, it’s just my contrasting view. I have genuinely looked at a signed loan agreement provided by a mid sized lender from 1981 in 2015. Yes some information is no longer available but lenders do not do enough or give enough advice to say ‘we could find you with more details’ vs ‘we have definitely destroyed your info’ again imo because they can’t and / or don’t want to.

DullGreyGuy

Given I have run a records management project for a bank (I only looked at the circa 50m customers on the insurance side) much larger than LBG I am well versed what can be the challenges. Similarly having been a transaction manager in financial services for too long I come up against GDPR and DPOs/ CISOs many times since. 

The law is straightforward, you must minimise the amount of data you hold where a living person can be identified. You can only ignore the requirement where you have a legal, regulatory or legitimate business interest to retain the data. The grey area comes from defining what these things are. 

Given the law of limitations it would be very hard to justify keeping detailed records for more than 6 years (ignoring the complexity of minors etc). You may keep some form of record potentially but lets say you justify keeping it so a person can only ever get 1 new customer discount... that may justify a skeleton record that they had X product from Jan 2009 to Feb 2011 but wouldn't justify keeping records of all their weekly transactions to OnlyFans. 

The ICO, like many regulators, walk a fine line of ensuring companies are following the law, letting companies get on with being a business and protecting customers. In larger organisations I've worked with there was active engagement with them on compliance to GDPR and a realism of certain difficulties with legacy systems etc. It's certainly not a blind eye but some discretion may be given on solving problems as long as no customer harm is happening. 

With a prior client, they simply deleted all identification keys in their legacy system. So the data still contains that someone was spending £1,000 a week on subscriptions to adult entertainment but there is no mechanism of identifying who that person ever was, or indeed if it was a person or a business. 

You have to let me know when your birthday is, I'll buy you a keyboard with a return key!

[Deleted User]

I don’t doubt you have vast experience in these things. I too have a lot of experience from the opposite side, primarily in litigation and providing advice and counsel to those that require it. The fact is banks and major lenders simply do not do this in the way they should. How lenders justify keeping the records at the level of detail they do for so long is less a topic for debate and more a question of their retention policies and processes. For example a bank holding fully itemised bank statements for a customer back to 2001 who hasn’t been a customer for 10 years and is linked to their exact identity… how, why? People come on here asking for advice and to assume / advise all firms follow data retention as they should is misleading them because quite simply they don’t. I have hundreds of examples where the information needed was far beyond retention and retrieved either at DSAR, defence or, as needed, a Part 18 request. Many times it was first denied it existed or could be traced. I don’t understand the birthday thing? I have HF autism so you may have to spell it out.

[Deleted User]

Also which bank in the UK is ‘much bigger’ than Lloyds banking group? I find that statement impossible. I will assume you meant HSBC, larger by value perhaps but in overall historical banking customers (insurance aside) likely comparable.