MORTGAGE DIRECT S.L., located at Calle de Velázquez 24, 2ºD, 28001, Madrid, Spain, CIF/NIF/NIE: B97701569, is Spain’s leading mortgage broker. This privacy notice tells you how we use your personal information and what your information rights are when you use our website.
About Mortgage Direct SL and how to contact us
Mortgage Direct are registered with the Mercantile Registry of Madrid, Volume 45044, Folio 123, Page V-792748, 2nd Inscription.
We operate as Data Controllers for the information you provide to us and joint Data Controllers with the third parties we deal with in order to process your mortgage applications, such as Banks, Estate Agents, Professional firms (Lawyers, Surveyors and F/X exchange organisations). These third parties have their own Privacy Notices explaining how they collect and process your data.
We have reviewed and updated our policies and procedures to comply with the General Data Protection Regulation (EU) 2016 / 679 (GDPR) and the UK Data Protection Act 2018 (DPA) to ensure we meet our obligations under these regulations.
If you have any questions about the protection of your data, please email our Data Protection Manager:
Email: firstname.lastname@example.org
Post: Calle de Velázquez 24, 2ºD, 28001, Madrid, Spain
What information we collect and how we use it
Our core business is acting as a mortgage broker. This involves searching against the lenders we deal with to find the mortgage that best suits your circumstances.
When you call us, we do this by asking you about your identity and contact details; your product preferences; your property and tenancy history, and the types and number of occupants and their relationship to you; your lifestyle; nationality and residence status; employment, income and expenditure; and other financial circumstances.
How you answer these questions will determine what other questions we ask you because different lenders serve different parts of the market and have different eligibility criteria. We will always explain the process to you and answer any questions you may have about why certain types of information may be needed.
We are required to collect information under certain circumstances for the prevention of money laundering and preventing and detecting unlawful acts.
|Type of Data||Processing||Lawful basis|
|Contact details – name, address, email address, phone number, details of property||To respond to requests for information. To process your application||Performance of contract|
|Financial Information eg. Income details, debts and expenses, assets and investments, dependents, other service information||To process your application or give advice||Performance of contract|
|Identification documents eg. Passport, proof of address||To process your application and adhere to legal requirements||Legal Requirement|
|Immigration documents eg. Visas||To process your application and adhere to legal requirements||Legal Requirement|
|Credit Card details||To be paid for our services||Performance of contract|
|Employer details – bank account, Tax numbers||To process your application or give advice||Performance of contract|
|Photographic images of documents received from you||To process your application||Performance of contract|
|Records of communications eg emails, phone calls||Communication / respond to queries, requests and complaints. Prevent fraud and resolve any disputes||Legitimate Business Interest|
Source of your data
We receive information about you when you complete our online forms or instruct an estate agent; via search engines; through the websites of our collaborators; and through recommendations from our collaborators or any other adviser who recommends us to you.
Recipients of your data
As joint Controllers with the other parties involved in your application, e.g. Banks, we are required to pass on any data they request, based on their requirements, to assess and process the application. Their Privacy Notices set out how they use their data.
We do not pass on your information to any other party unless required to by law, for example to law enforcement agencies.
Third parties / sub processors
We use third party companies to perform certain services for us, such as website hosting and support, SaaS services, IT support and payment processors. All third party processors are subject to a binding contractual obligation to process your personal data in accordance with our instructions and to comply with their responsibilities as Data Processors under GDPR and DPA.
Automated decision making
We do not undertake any automated decisions using your data.
Security of your data
We understand how important it is to keep your personal information secure. We use a variety of technologies and procedures to protect your personal information from accidental or unlawful breaches of security. These include physical, organisational, and technological measures.
All information we process is encrypted in transit where possible (sometimes third parties, ie Banks, will not accept encrypted data) so that your personal and financial information is secure.
All our advisers sign a duty of confidentiality over all personal and other confidential data handled by them while providing our services to you.
We process your data within the EU and UK with limited exceptions, mainly when you request that we send your information outside the EU and UK.
From time to time, we use data processors located in non-EU or UK jurisdictions and when we do, we require that those data processors apply appropriate security safeguards and comply with all the required laws and standards for protecting personal information.
Retention of your data
If you become a client of a lender as a result of the advice we provide to you, we will keep a full record of your interactions with us for a minimum of 6 years depending on the legal requirements in place from time to time. This is because we must ensure we keep your records for your lifetime to enable us to meet our regulatory obligations to evidence we gave suitable advice and to enable us to answer any complaints that may arise as a result of our advice. If we collect personal information from you, but are unable to progress your application or you decide you do not want to progress your application, then we will keep a full record of your interactions with us for 3-6 months to facilitate an easier interaction between us if you re-engage our services within this period.
If you request that we contact you in relation to our service by providing us with your name and a contact method (e.g. phone, email) through one of our website enquiry forms, we will retain this information for a period of 90 days from the time we deactivate your details in our database.
Your rights under GDPR and DPA
You are entitled to ask about the data that is held about you, subject to certain exceptions. This is called a Subject Access Request (SAR).
These should be made by email or in writing to the following address:
Email: email@example.com
Address: Data Protection Manager, at Calle de Velázquez 24, 2ºD, 28001, Madrid, Spain
In addition, the GDPR and DPA provide the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
If you would like to exercise any of your rights under GDPR and DPA, please email our Data Protection Manager at firstname.lastname@example.org.
We will make every attempt to ensure you are satisfied with our handling of your data queries or requests. Within the EU you have the right to complain to your national Data Regulator.
Last updated May 2023