Principles of Processing the Personal Data of Clients
These principles of Processing the Personal Data of Clients authorized representative(s) (hereinafter also principles) describe how Ferratum processes Personal Data of its Clients authorized representatives and any other Data Subjects (hereinafter also you) in relation to the services offered by Ferratum. The principles apply if the Client uses, has used or has expressed an intention to use or if the Client or any other Data Subject is in any other way related to the products or services provided by Ferratum, including before these principles entered into force.
1.1. Clients authorized representative(s) – A natural person who represents the legal entity which uses, has used or has expressed an intention to use the products and services offered by Ferratum.
1.2. Client – legal entity which applies for loan.
1.3. Contract – A contract concluded between Ferratum and the Client.
1.4. Data Protection Regulations – Any applicable laws and regulations regulating the processing of Personal Data, including but not limited to the GDPR;
1.5. CapitalBox or Ferratum – Ferratum UK Ltd, Ferratum UK Ltd, Suite 318, 25 Goodlass Road, Liverpool, Merseyside, L24 9HJ, Registered in England No: 07349566, phone 01512100322, e-mail firstname.lastname@example.org;
1.6. Ferratum Group – CapitalBox together with companies the majority shareholder of which is directly or indirectly CapitalBox's parent undertaking Ferratum Oyj (Finnish Trade Register code 1950969-1, address Ratamestarinkatu 11 A, Helsinki, Republic of Finland);
1.7. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
1.8. Personal Data – Any information relating to an identified or identifiable natural person (Data Subject);
1.9. Processing – Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, storing, alteration, granting access to, making enquiries, transfer, viewing, etc.
2. Data Controller
2.1. CapitalBox is responsible for the processing of your Personal Data and, as such, should be considered a data controller under the GDPR.
2.2. The Processing of your Personal Data shall be governed by the laws of England and Wales.
3. Collecting your Personal Data
3.1. CapitalBox collects your Personal Data in the following ways:
3.1.1. If you’re the Clients authorized representative(s), you either provide CapitalBox your Personal Data directly or Ferratum has collected it from your previous use of its services when the Client applies for a loan or request other services from CapitalBox or from external sources when the Client applies for a loan or request other services from CapitalBox. Such external sources include, but are not limited to, public and private registers (e.g. credit bureaux, namely Equifax Ltd and Experian Ltd.) which CapitalBox uses in order to identify the Client and you and verify your identity and perform credit and risk assessments. The Personal Data required depends on the services requested by you.
3.2. The Personal Data collected is necessary for the purposes explained below, taking into account the nature of services and products offered by CapitalBox and the need to sufficiently identify the Clients and ensure their credit- and trustworthiness.
4. Personal Data Processed
4.1. CapitalBox processes the Client’s authorized representative(s) Personal Data for the purpose of concluding and performing the Contract with the Client. This includes properly identifying the Client and performing credit and risk checks and assessments on the Client in order to determine whether and on which conditions to conclude the Contract with the Client. The legal basis for such Processing is the entering into and performance of the Contract with the Client, as well as CapitalBox’s legitimate interests to ensure the Client and its authorized representative(s) is trust- and creditworthy as well as to collect amounts due to it and CapitalBox’s legal and regulatory obligations deriving from applicable laws including laws and regulations regulating credit institutions/lenders such as duties to report to regulators, anti-money laundering (AML) and terrorist financing rules and regulations to properly identify the Client (KYC) and ensure the trust- and creditworthiness of the Client.
4.2. For the foregoing, CapitalBox processes the following Personal Data:
4.2.1. identification data (e.g. name, personal identification code, date of birth, place of birth, nationality, information about and copy of identification document, results of face/ID recognition, picture, signature, address);
4.2.2. contact data (e.g. address, phone number, e-mail address, language of communication);
4.2.3. bank data (e.g. name of bank, account holder, account number, sort code, transaction information from your bank account, if you have consented to this);
4.2.4. professional data (e.g. current employer and position);
4.2.5. financial data (e.g. salary, income, expenditure);
4.2.6. data concerning origin of assets (e.g. data concerning employer, transaction partners, business activities and actual beneficiaries, data showing the source of your income and wealth);
4.2.7. data concerning creditworthiness/trustworthiness (e.g. data concerning payment behaviour, damages caused to CapitalBox or other persons, data that enables CapitalBox to perform its due diligence measures regarding money laundering and terrorist financing prevention and to ensure the compliance with international sanctions, including the purpose of the business relationship and whether the Client or its representative is a politically exposed person);
4.2.8. data obtained when performing an obligation arising from the law (e.g. information received from enquiries submitted by investigative bodies, notaries, tax authorities, courts and bailiffs);
4.2.9. communications data (e.g. e-mails, phone call recordings);
4.2.10. CapitalBox website account log-in data;
4.2.11. data related to the services (e.g. performance of the contract or the failure thereof, transactions history, submitted applications, requests and complaints).
4.3. CapitalBox also processes Personal Data collected for the following purposes:
4.3.1. performance of CapitalBox’s obligations arising from law (e.g. anti-money laundering (AML) and terrorist financing rules and regulations to properly identify the Client and its authorized representative(s) (KYC) and ensure the you are trust- and creditworthiness of the Client);
4.3.2. safeguarding CapitalBox’s rights (establishing, exercising and defending legal claims). The legal basis for such Processing are the legitimate interests of CapitalBox;
4.3.3. assessing the quality of CapitalBox’s services including customer support service and quality assurance service. The legal basis for such processing are the legitimate interest of CapitalBox to evaluate and develop the quality of its customer support service.
5. Processing on the basis of consent
5.1. CapitalBox also processes the Personal Data on the basis of consent (e.g. for direct marketing purposes.
5.2. When Processing is based on consent, you can withdraw consent at any time by contacting CapitalBox on the contact details below or logging into your account. Please note that withdrawing consent does not affect the lawfulness of Processing based on consent before its withdrawal.
5.3. As for direct marketing messages received by e-mail, you can also withdraw consent and unsubscribe from receiving any further e-mails by clicking on the ‘unsubscribe’ link at the end of each e-mail.
5.4. Please also see the sections below.
6. Automated decision-making and profiling
6.1. CapitalBox decides based on profiling and/or automated decision-making whether the Client’s loan application is fully or partially accepted or rejected.
6.2. The decision is made based on information received from the Client and its authorized representative(s) in the application, information received from external sources, such as public and private registers and other third parties, as well as the Client’s previous payment behaviour with CapitalBox. No special categories of Personal Data (eg. data concerning health, genetic data) are processed.
6.3. Profiling and/or automated decision making are necessary for the entering into the Contract, as well as to meet CapitalBox’s legal obligations as regards properly identifying the Client, assessing the creditworthiness of the Client, fraud prevention and money laundering. Automated decision-making helps CapitalBox to verify the Client’s identity and whether the you are trust- and creditworthy and able to fulfil its obligations under the Contract. Automated decision-making helps CapitalBox make fair and responsible lending decisions. CapitalBox will not grant a loan and may terminate a loan granted to the Client if it becomes aware the Client has a payment disorder or that the Client has provided CapitalBox false information. Automated decision-making also helps to reduce the potential for human error, discrimination and abuse of power, as well as enables to deliver decision-making within a shorter period, taking into account the volume of applications received by CapitalBox.
6.4. Because automated decision making may occur, the Client might not be eligible for a loan. CapitalBox’s credit scoring methods are regularly tested to ensure they remain fair, effective and unbiased. However, if the Client wants to contest the decision made, the Client`s authorized representative(s) can contact CapitalBox on the contact details below.
6.5. CapitalBox also uses profiling in order to decide based on the Client’s financial soundness in using CapitalBox’s services whether to offer on its own initiative (by direct marketing, provided the Clients authorized representative(s)have consented thereto) other services to the Client with whom it has already concluded a Contract. The legal basis of such Processing is the legitimate interest of CapitalBox to market its products. As a result thereof, some Clients may not receive such offers. However, such profiling does not produce any legal effects on the Client or otherwise significantly affect the Client, as this does not influence the already existing Contract and the Client has the chance to apply for a new loan on its own initiative.
7. Data processors
7.1. CapitalBox uses carefully selected service providers (data processors) in Processing the Client’s authorized representatives Personal Data. In doing so, CapitalBox remains fully responsible for your Personal Data.
7.2. CapitalBox uses the following categories of data processors: legal and other advisors, other Ferratum Group entities, data storage providers, telemarketing, marketing and surveys service providers, e-mail and SMS gateway service providers, identification and certification service providers, debt collection agencies, payment service providers, bank data scraping, scoring and credit check service providers, voice call service providers, online and offline intermediaries.
8. Third parties
8.1. CapitalBox only shares your Personal Data with third parties if stipulated herein, if required under the applicable law (e.g. when CapitalBox is obligated to share Personal Data with the authorities) or with your consent.
8.2. We share your Personal Data with the following third parties:
8.2.1. to persons maintaining databases of defaulted payments. The legal basis for such sharing is the legitimate interests of CapitalBox to ensure the performance of the contract and the legitimate interests of third parties to be able to assess the creditworthiness of the Client;
8.2.2. debt collection agencies. The legal basis for such sharing is the legitimate interests of CapitalBox to ensure the performance of the contract;
8.2.3. CapitalBox’s auditors. The legal basis for such sharing is the legal obligations of CapitalBox.
8.2.4. CapitalBox’s regulators. The legal basis for such sharing is legal obligations to which CapitalBox is subject.
9. Transaction history
9.1. You are not required to provide us with viewing access to your bank account transaction information (Transaction History) or internet banking access details. You may still be allowed to apply for a loan with us if you do not provide us with this information. However, if you do it will help us make an informed decision about whether we can lend to you.
9.2. If you agree that we may access your Transaction History, the following provisions shall apply:
9.2.1. You agree to provide true, accurate, current and complete information about yourself and your bank accounts (with us or third parties) and you agree to not misrepresent your identity or your account information. You agree to keep your bank account information up-to-date, accurate and complete.
9.2.2. We will access your Transaction History using the services of a credit reference agency called Perfect Data Solutions Limited (PDS). We will use your Transaction History to assess your creditworthiness and whether the loan you seek is affordable.
9.2.3. Neither we nor PDS will store or have access to your internet banking credentials, PIN codes or passwords. That information is encrypted in transit and stored by a third party service provider upon their servers in a secure environment outside the EEA.
9.2.4. By agreeing to allow us viewing access to your Transaction History, you authorise PDS and PDS's service providers to access third party sites designated by you, on your behalf, to retrieve information requested by us, and to register to view bank statements over a period of up to 90 days. You agree that PDS and PDS's service providers may, and are instructed by you as your agent and nominated representative, with full power of substitution and re-substitution, for you and in your name, place and stead, in any and all capacities, to access third party internet sites, servers or documents, retrieve information, and use your information, all as described above, with the full power and authority to do and perform each and every act and thing requisite and necessary to be done in connection with such activities, as fully to all intents and purposes as you might or could do in person. This will include the following purposes: copying Transaction History over a 90-day period and storing the copied Transaction History on our servers.
9.2.5. You agree that the Transaction History shall also be used by PDS for credit reference agency purposes and may be taken into account when producing your individual credit score which may be shared with other organisations as part of your credit record.
9.2.6. You acknowledge and agree that when we, PDS or PDS's service providers access and retrieve information and Transaction History from third party sites, this is undertaken as your agent, and not the agent on behalf of any third party (including the bank account provider). You should be aware that third party account providers shall be entitled to rely on this authorisation and agency granted by you. You should also be aware that this service is not endorsed or sponsored by any third party bank account providers. We would recommend that you refer to the terms and conditions of your internet banking provider if you would like more information.
9.2.7. You understand that allowing us to review your Transaction History is at your sole risk.
9.2.8. We are only able to review your Transaction History on an "as is" and "as available basis" as it is made available to us by service providers. It may not be available to us from time to time.
9.2.9. We cannot guarantee that allowing us to review your Transaction History will guarantee the success of your loan application or the rate at which the loan is available.
10. Transferring Personal Data outside the EEA
10.1. CapitalBox transfers Personal Data to Ferratum Group entities and other recipients' entities (including provide access to Personal Data from) outside the European Economic Area, e.g. to USA, Canada, Switzerland and India. This includes providing access to personal data from such countries. However, CapitalBox does so only where it has a lawful basis to do so, including to a recipient who is: (i) in a country which provides an adequate level of protection for Personal Data; or (ii) under an instrument which covers the EU requirements for the transfer of Personal Data outside the EU.
10.2. You can receive further details on the transfers of Personal Data outside the EU upon contacting CapitalBox on the contact details below.
11. Data retention
11.1. CapitalBox retains your Personal Data in accordance with industry guidelines for as long as necessary for the purposes for which they were collected or for as long as necessary to safeguard its rights or for as long as required by applicable legal acts. Please note that if the same Personal Data is Processed for several purposes, the Personal Data will be retained for the longest retention period applicable.
11.2.1. In accordance with the maximum limitation period from EU directive on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, CapitalBox shall retain any Personal Data related to such legal obligation for 5 years from the date the last transaction occurred or the customer relationship has been terminated, or a suspicion was filed, whichever is the latest.
11.2.2. In accordance with the maximum limitation period for claims arising from a transaction and for claims arising from law, CapitalBox shall retain any Personal Data related to such claims for a maximum of 6 years from the date when the claim falls due.
12. Your rights
12.1. To the extent required by applicable Data Protection Regulations, you have all the rights of a Data Subject as regards your Personal Data. This includes the right to:
12.1.1. request access to your Personal Data;
12.1.2. obtain a copy of your Personal Data;
12.1.3. rectify inaccurate or incomplete Personal Data relating to you;
12.1.4. erase your Personal Data;
12.1.5. restrict the Processing of your Personal Data;
12.1.6. portability of your Personal Data;
12.1.7. object to Processing of your Personal Data which is based on your overriding legitimate interest and which is Processed for direct marketing purposes;
12.1.8. should you believe that your rights have been violated, you have the right to lodge a complaint with:
- CapitalBox customer support service or
- CapitalBox data protection officer or;
- the Information Commissioner’s Office https://ico.org.uk/concerns/ or;
- the courts.
12.2. In order to exercise your rights, please contact CapitalBox on the contact details below.
12.3. Please note that you can exercise some rights by logging into your CapitalBox account.
13. Amending these principles
13.1. Should the Personal Data Processing practices of CapitalBox change or should there be a need to amend these principles under the applicable law, case-law or guidelines issued by competent authorities, CapitalBox is entitled to unilaterally amend these principles at any time. In such case, CapitalBox will notify you by e-mail no later than one month prior to the amendments entering into force.
14.1. In case you have any questions regarding the Processing of your Personal Data by CapitalBox or you would like to exercise your rights as a Data Subject, please contact us using the contact details above.
14.2. CapitalBox has appointed a data protection officer whom you also may contact regarding the same on the following contact details: email@example.com