Principles of Processing the Personal Data of Clients
These principles of Processing the Personal Data of Clients (hereinafter also principles) describe how Ferratum processes Personal Data of its Clients and any other Data Subjects (hereinafter also you) in relation to the services offered by Ferratum. The principles apply if the Client uses, has used or has expressed an intention to use or if the Client or any other Data Subject is in any other way related to the products or services provided by Ferratum, including before these principles entered into force.
- Client – A natural person who uses, has used or has expressed an intention to use the products and services offered by Ferratum.
- Contract – A contract concluded between Ferratum and the Client.
- Data Protection Regulations – Any applicable laws and regulations regulating the processing of Personal Data, including but not limited to the GDPR;
- Ferratum – Ferratum Czech, s.r.o., Registry code 278 94 690, address Pekařská 621/7, 15500 Praha, Česká Republika, phone +420 800 022 513, e-mail firstname.lastname@example.org;
- Ferratum Group – Ferratum together with companies the majority shareholder of which is directly or indirectly Ferratum's parent undertaking Ferratum Oyj (Finnish Trade Register code 1950969-1, address Ratamestarinkatu 11 A, Helsinki, Republic of Finland);
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
- Personal Data – Any information relating to an identified or identifiable natural person (Data Subject). Data subject to banking secrecy may also include Personal Data;
- Processing – Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, storing, alteration, granting access to, making enquiries, transfer, viewing, etc.
- Ferratum is responsible for the processing of your Personal Data and, as such, should be considered a data controller under the GDPR.
- The Processing of your Personal Data shall be governed by the laws of the Czech Republic.
Collecting your Personal Data
- Ferratum collects your Personal Data in the following ways:
- The Personal Data collected is necessary for the purposes explained below, taking into account the nature of services and products offered by Ferratum and the need to sufficiently identify the Clients and ensure their trustworthiness.
Personal Data Processed
- Ferratum processes the Client’s Personal Data for the purpose of concluding and performing the Contract with the Client. This includes properly identifying the Client. The legal basis for such Processing is the entering into and performance of the Contract with the Client, as well as Ferratum’s legitimate interests to ensure the Client is trustworthy and Ferratum’s legal and regulatory obligations deriving from applicable laws including laws and regulations regulating payment institutions such as duties to report to regulators, anti-money laundering (AML) and terrorist financing rules and regulations to properly identify the Client (KYC) and ensure the trustworthiness of the Client.
- For the foregoing, Ferratum processes the following Personal Data:
- identification data (e.g. name, personal identification code, date of birth, place of birth, nationality, information about and copy of identification document, picture, signature, address);
- contact data (e.g. address, phone number, e-mail address, language of communication);
- bank data (e.g. bank ID, name of bank, account holder, account number, transaction information from your bank account, if you have consented to this);
- data concerning trustworthiness (e.g. data that enables Ferratum to perform its due diligence measures regarding money laundering and terrorist financing prevention and to ensure the compliance with international sanctions, including the purpose of the business relationship and whether the Client is a politically exposed person);
- data obtained when performing an obligation arising from the law (e.g. information received from enquiries submitted by investigative bodies, notaries, tax authorities, courts and bailiffs);
- communications data (e.g. e-mails, phone call recordings);
- Ferratum website account log-in data;
- data related to the services (e.g. performance of the contract or the failure thereof, transactions history, submitted applications, requests and complaints).
- Ferratum also processes Personal Data collected for the following purposes:
- performance of Ferratum’s obligations arising from law (e.g. anti-money laundering (AML) and terrorist financing rules and regulations to properly identify the Client (KYC) and ensure the trustworthiness of the Client);
- safeguarding Ferratum’s rights (establishing, exercising and defending legal claims). The legal basis for such Processing is the legitimate interests of Ferratum;
- assessing the quality of Ferratum’s services including customer support service and quality assurance service. The legal basis for such Processing is the legitimate interest of Ferratum to evaluate and develop the quality of its customer support service.
Processing on the basis of consent
- Ferratum also processes the Personal Data on the basis of consent (e.g. for direct marketing purposes).
- When Processing is based on consent, you can withdraw consent at any time by contacting Ferratum on the contact details below or logging into your account. Please note that withdrawing consent does not affect the lawfulness of Processing based on consent before its withdrawal.
- As for direct marketing messages received by e-mail, you can also withdraw consent and unsubscribe from receiving any further e-mails by clicking on the ‘unsubscribe’ link at the end of each e-mail or logging into your account.
- Please also see the sections below.
- Ferratum uses carefully selected service providers (data processors) in Processing the Client’s Personal Data. In doing so, Ferratum remains fully responsible for your Personal Data.
- Ferratum uses the following categories of data processors: legal and other advisors, other Ferratum Group entities, data storage providers, telemarketing, marketing and surveys service providers, e-mail and SMS gateway service providers, identification and certification service providers, payment service providers, online and offline intermediaries.
- Ferratum only shares your Personal Data with third parties if stipulated herein, if required under the applicable law (e.g. when Ferratum is obligated to share Personal Data with the authorities) or with your consent.
- We share your Personal Data with the following third parties:
- Ferratum’s auditors. The legal basis for such sharing is the legal obligations of Ferratum.
- Ferratum’s regulators. The legal basis for such sharing is legal obligations to which Ferratum is subject.
Transferring Personal Data outside the EEA
- Ferratum transfers Personal Data to Ferratum Group entities and other recipients outside the European Economic Area, e.g. to the USA, Canada, Switzerland. This includes providing access to Personal Data from such countries. However, Ferratum does so only where it has a lawful basis to do so, including to a recipient who is: (i) in a country which provides an adequate level of protection for Personal Data; or (ii) under an instrument which covers the EU requirements for the transfer of Personal Data outside the EU.
- You can receive further details on the transfers of Personal Data outside the EU upon contacting Ferratum on the contact details below.
- Ferratum retains your Personal Data in accordance with industry guidelines for as long as necessary for the purposes for which they were collected or for as long as necessary to safeguard its rights or for as long as required by applicable legal acts. Please note that if the same Personal Data is Processed for several purposes, the Personal Data will be retained for the longest retention period applicable. The maximum period applicable is the limitation period for claims arising from transactions, which is up to 10 years from the date of the last transaction or closure of the account, whichever is the latest.
- To the extent required by applicable Data Protection Regulations, you have all the rights of a Data Subject as regards your Personal Data. This includes the right to:
- request access to your Personal Data;
- obtain a copy of your Personal Data;
- rectify inaccurate or incomplete Personal Data relating to you;
- erase your Personal Data;
- restrict the Processing of your Personal Data;
- portability of your Personal Data;
- object to Processing of your Personal Data which is based on your overriding legitimate interest and which is Processed for direct marketing purposes;
- should you believe that your rights have been violated, you have the right to lodge a complaint with:
- Ferratum customer support service; or
- Ferratum data protection officer; or
- Úřad pro ochranu osobních údajů (ÚOOÚ); or
- the courts should you believe that your rights have been violated.
- In order to exercise your rights, please contact Ferratum on the contact details below.
- Please note that you can exercise some rights by logging into your Ferratum account.
Amending these principles
- Should the Personal Data Processing practices of Ferratum change or should there be a need to amend these principles under the applicable law, case-law or guidelines issued by competent authorities, Ferratum is entitled to unilaterally amend these principles at any time. In such case, Ferratum will notify you by e-mail no later than one month prior to the amendments entering into force.
- In case you have any question regarding the Processing of your Personal Data by Ferratum or you would like to exercise your rights as a Data Subject, please contact us on the contact details above.