TBF FINANCE, UAB PRIVACY POLICY

This Privacy Policy valid from 20st of September 2018

CONTENTS

  1. DEFINITIONS
  2. GENERAL
  3. DATA SUBJECTS AND COLLECTING OF DATA
  4. PURPOSES OF THE PERSONAL DATA PROCESSING
  5. LEGAL BASIS OF THE PERSONAL DATA PROCESSING
  6. PROFILING AND AUTOMATED DECISION MAKING
  7. WHAT INFORMATION WE COLLECT AND PROCESS
  8. DISCLOSURE AND TRANSFER OF THE PERSONAL DATA
  9. TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION AND THE
  10. EUROPEAN ECONOMIC AREA
  11. PERSONAL DATA STORAGE DURATION
  12. PERSONAL DATA SECURITY
  13. HOW WE USE COOKIES
  14. RIGHTS IN RELATION TO PERSONAL DATA PROCESSING

1. DEFINITIONS

1.1. Company (hereinafter also referred to as “we,” “our,” or “us”) stands for TBF Finance, UAB, registration No. 304483528, registered office address: Konstitucijos ave. 21A, Vilnius, Republic of Lithuania.

1.2. Data Controller stands for TBF Finance, UAB, registration No. 304483528, registered office address: Konstitucijos ave. 21A, Vilnius, Republic of Lithuania.

1.3. Data Subject (hereinafter also referred to as “you,” or “your”) stands for an identified or identifiable natural person, whose personal data the Company processes in course of conducting business, regardless the personal data were obtained from this person directly or from the third parties.

1.4. Personal Data means any information relating to an identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.5. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.6. Profiling means any form of automated data processing, with which it is possible to evaluate certain personal data possessed by the Bank and to make forecasts in connection with the person.

2. GENERAL

2.1. Privacy Policy (hereinafter also referred to the Policy) has been drawn up and is implemented in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the General Data Protection Regulation).

2.2. The Policy is applicable to the processing of personal data regardless of the form/environment that the personal data is provided in (e.g. on paper, electronically or by phone) and whether or not the Company processes it by automated means or manually.

2.3. Special conditions for personal data processing can be included in agreements and other agreements governing legal relations between a person and the Company.

2.4. The Company is entitled to unilaterally amend the Policy, in accordance with the applicable laws and regulations, as well as amendments to the Bank’s strategy, operations or external conditions influencing its operations. The actual version of the Policy is available online on the website https://tbffinance.com/.

2.5. If you have any requests and/or complaints about personal information handling by the Company, please contact us at info@tbffinance.com, by sending correspondence to our registered office or contact directly our Data Protection Officer at dpo@tbffinance.com
The Company undertakes to provide you with the feedback and/or requested information to the e-mail or postal address specified by you within timeframe specified further in this Policy or to make changes in your personal data and inform you about it.

3. DATA SUBJECTS AND COLLECTING OF DATA

3.1. We can collect personal data directly from the following persons:

3.1.1. Potential, existing and former clients of the Company, employees, business partners, agents, outsourcers, intermediaries.

3.1.2. Persons (e.g. representatives, proxies, beneficiary owners, family members, spouses, partners, heirs, guarantors, etc.) connected with the aforementioned persons.

3.1.3. Any person contacting the Company using e-mail, phone and other available communication means, both online and offline.

3.2. We obtain data from our clients, e-commerce merchants, regarding transactions made by their customers in e-shops in order to ensure the merchants payment collection services for the goods sold and services rendered online.

3.3. We work closely with various third parties including, for example, business partners, sub-contractors in information technology, other payment services providers, search engines, advertising agencies, analytics providers, credit reference agencies, fraud prevention agencies and may receive information about you from them in order to enter into a contract with you and carry out our obligations arising from any contracts entered into between you and us.

4. PURPOSES OF THE PERSONAL DATA PROCESSING

4.1. Rendering of services on a contractual basis:

4.1.1. Issuing of payment instruments and/or acquiring of payment according to the licence No.38 issued by the Bank of Lithuania on 25 July 2018;

4.1.2. Corporate services, i.e. intermediary in company formation, bank account opening, legal, consulting and accounting services provided by the third parties;

4.1.3. To carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;

4.1.4. To verify your identity to protect against fraud, comply with financial criminal laws and to confirm your eligibility to use our products and services;

4.1.5. To notify you about any changes to our products, services, terms and conditions or other important matters related to your use of the services;

4.1.6. Consideration of complaints and claims;

4.1.7. Administration of payments and settlements;

4.1.8. Recovery and collection of debts.

4.2. Purposes closely related to the rendered services:

4.2.1. Keeping accounting registers, preparation of regulatory reporting, tax returns and similar mandatory reporting;

4.2.3. Preparation of internal reporting for performance evaluation, corporate governance and internal control system’s need;

4.2.4. Business activities planning;

4.2.5. Fraud prevention and risk management;

4.2.6. Money laundering and terrorism prevention measures.

4.3. Marketing and business promotion:

4.3.1. To identify needs of the clients;

4.3.2. To determine the target customers and markets;

4.3.3. For advertising services;

4.3.4. To ensure that content from our website is presented in the most suitable manner.

4.4. Other business-related purposes:

4.4.1. Personnel management;

4.4.2. Accounting;

4.4.3. Protection and fulfilment of the Company’s legal interests;

4.4.4. Fulfilment of the Company’s legal duties;

4.4.5. Performance of commercial and administrative activities;

4.4.6. Independent audit of the Company’s operations;

4.4.7. Physical and IT security;

4.4.8. Other purposes about which the person will be notified as and when it provides the relevant data to the Company.

5. LEGAL BASIS OF THE PERSONAL DATA PROCESSING

5.1. The legal grounds, in accordance with which the Company processes personal data are as follows:

5.1.1. Processing is necessary for fulfilment of an contract concluded with a person or in behalf of a person or for performance of measures at the request of the person prior to the conclusion of the contract;

5.1.2. Processing is necessary in order to fulfil a legal or regulatory duty applicable to the Company;

5.1.3. The person has given his/her consent to the processing of the personal data for one or more specific purposes;

5.1.4. Processing is necessary for protection and fulfilment of the Company’s legitimate interests.

5.2. Company’s legitimate interests are as follows:

5.2.1. To carry out commercial activities;

5.2.2. Offering the Company’s services;

5.2.3. Improving the Company’s services, as well as the quality of service;

5.2.4. Verifying a person’s identity before the conclusion of the contract;

5.2.5. Ensuring the fulfilment of contractual obligations, including consideration of the claims and complains;

5.2.6. Keep transactions history for accounting, reporting and analytics purposes;

5.2.7. Preventing unjustified risks to its commercial operations;

5.2.8. Preventing fraud;

5.2.9. Ensure corporate governance, accounting, analytics and effective management of the Company and provision of services;

5.2.10. Addressing public bodies, law enforcement bodies and courts to protect its legal interests.

6. PROFILING AND AUTOMATED DECISION MAKING

6.1. Profiling is any type of automated Personal Data Processing that the Company uses, e.g. to evaluate personal indications related to the person under the framework of his/her risk and fraud management, and identification of suspicious transactions.

6.2. The Company informs the person about Profiling separately, in accordance with the provisions laid down in laws and regulations.

7. WHAT INFORMATION WE COLLECT AND PROCESS

7.1. The list of personal data categories below is not exhaustive. The list specifies the main personal data categories, which the Company collects and processes:

7.1.1. Identification data (name, surname, personal identity code, date of birth, personal identification document data, etc.);

7.1.2. Contact information (actual place of residence, declared (registered) place of residence, phone number, email address, IP address, identifier on telecommunications systems, phone and fax number, etc.);

7.1.3. Due diligence data (data that has been obtained in the course of due diligence of a person, implementing measures related to prevention of money laundering and terrorism financing and compliance with international sanctions (status of a politically exposed person, transactions typical of the person, cooperation objective, information about beneficial, etc.);perform identification and verification – identity and where required verify the identity of the perspective customers and related parties;

7.1.4. Tax residence data (tax residence, country of residence, taxpayer’s number, nationality, etc.);

7.1.5. Audiovisual data (audio recordings, photos (e.g. in passport), video recordings, etc.);

7.1.6. Transaction information (date, time, amount, currencies used, exchange rate, beneficiary details, details and location of the merchant associated with the transaction, IP address of sender and receiver, sender’s and receiver’s name and registration information, messages sent or received with the payment, device information used to facilitate the payment and the payment instrument used).

7.1.7. Technical information (the Internet Protocol (IP) address used to connect your computer to the Internet, unique device identifier, location, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, etc.);

7.1.8. Information about your website visit (the full Uniform Resource Locators (URL) clickstream to, through and from our website (including date and time); referrer URL; products and services you viewed or searched for; page response times; download errors; length of visits to certain pages; page interaction information (such as scrolling, clicks, and mouse-overs); and methods used to browse away from the page; and any phone number used to call our customer service number);

7.1.9. Professional data for the employees and Board members (information on education, continuing education, profession, employment history, workplaces, foreign language skills, etc.).

8. DISCLOSURE AND TRANSFER OF THE PERSONAL DATA

8.1. In some circumstances we may disclose information which we collected and processed to certain third parties. First and foremost, it concerns our business partners, authorized data processors, service providers and registers to whom we must submit information in order to make rendering of services which you requested or which are provided in your behalf by our clients.

8.2. Organizations to whom data are transferred may transfer them further, including outside the European Union or the Member States of the European Economic Area, in order to ensure the provision of the services, and the service providers are responsible for this. The Company assesses, whether the personal data protection measures taken by them are acceptable.

8.3. We are obliged under fraud prevention, anti-money laundering and counter terrorist financing legislation to monitor suspicious activities and implement policies which are compliant with certain laws to which we are subject. Hence, we must retain certain information which we further may transfer to the government bodies and/or supervisory authorities.

8.4. Your personal data can also be accessed by external service providers that provide us with hosting, data storage, systems development and improvement, accounting, audit and similar services. We include confidentiality clauses in the contracts with these third parties and asses their privacy policies before submitting any personal data.

8.5. Your personal data can be transferred to the third parties in cases stipulated in laws and regulations for protection of the Company’s lawful interests, e.g. bringing proceedings in court or before other governmental bodies against a person that has harmed the interests of the Company.

8.6. Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

9. TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION AND THE EUROPEAN ECONOMIC AREA

9.1. If necessary, the Company transfers personal data outside the EU/EEA, if the European Commission has decided that a third country, its territory or specific sector in a third country, or international organization provides data protection at an adequate level, or provided that the Company ensures sufficient guarantees in accordance with the provisions of the General Data Protection Regulation.

9.2. Information about the decisions made by the European Commission is available on the European Commission’s Internet website: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.

9.3. The Company will only send personal data outside the EU/EEA to a country, in relation to which the European Commission has not made a decision regarding the adequacy of its security level and which does not provide the corresponding guarantees, if:

9.3.1. The person has clearly agreed to the proposed transfer, having received information from the Company about the potential risks that such a transfer could pose to the person;

9.3.2. Transfer is necessary in order to fulfil the contract between the client/person and Company or to implement measures after the conclusion of the contract, which were approved at the client’s/person’s request;

9.3.3. Transfer is necessary for conclusion of an agreement between the Company and another private individual or legal entity, in the interests of the person/client or for the fulfilment of such a contract;

9.3.4. Transfer is necessary if there are important reasons of public interest;

9.3.5. Transfer is necessary in order to raise, fulfil or defend legal requirements, or

9.3.6. Transfer is necessary in order to protect the vitally important interests of persons if the client/person is physically or legally incapable of giving its consent.

10. PERSONAL DATA STORAGE DURATION

10.1. The Company storages personal data as long as one of the following criteria is valid:

10.1.1. until the contract concluded with the client is in force.

10.1.2. as long as according to the legislation and regulations, the Company and the client/person can realize their legal (legitimate) interests.

10.1.3. until expires the legal obligation for storage of data specified in the legislative and regulatory acts.

10.1.4. as long as the Data Subject’s consent is in force for the appropriate processing of personal data, if there is no other legal basis for processing the data.

10.2. As soon as the purpose has been fulfilled, the Company erases the data or destroys the information carriers on which the data is recorded (e.g. documents in paper format).

11. PERSONAL DATA SECURITY

11.1. The Company takes care of personal data security and observes a person’s rights to lawful personal data processing in accordance with the provisions of the General Data Protection Regulation and other applicable laws and regulations in the area of Personal Data Processing.

11.2. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, technical, organizational and administrative procedures to safeguard and secure the information we collect, process and store. Our payment card environment is Payment Card Industry Data Security Standard (PCI DSS) compliant which is approved by the external assessor.

11.3. All information is stored on our secure servers within European Economic Area. We use encryption, tokenisation and other relevant technical security measures. You are responsible for keeping login and passwords credentials confidential and not to share with anybody.

11.4. Personal data is only processed by authorised Company’s employees or outsourced contractors in order to ensure corresponding personal data security, including protection against unauthorized or unlawful processing and against loss, destruction or damage.

11.5. The Company ensures the confidentiality of personal data, in order to protect data from unauthorized access, unlawful data processing and/or disclosure, accidental loss, alteration or destruction.

11.6. As soon as it has become aware of a breach of personal data protection, and without undue delay, the Company notifies the regulatory body in accordance with the provisions of the General Data Protection Regulation. In the event that a breach of personal data protection could pose a high risk to the rights and liberties of persons, without undue delay, the Company will notify the person about the personal data breach.

12. HOW WE USE COOKIES

12.1. A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

12.2. We use traffic log cookies to identify which pages are being used. This helps us to analyse information about web page traffic and improve our website in order to tailor it to our customer needs. We only use this information for statistical analysis purposes and then the information is removed from the system.

12.3. Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the information you choose to share with us.

12.4. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

13. RIGHTS IN RELATION TO PERSONAL DATA PROCESSING

13.1. Rights to Access Personal Data:

13.1.1. A person may receive an answer from the Company on whether or not the personal data are being processed by the Company. The Company replies even if it does not process the applicant’s data. Information for the person is issued only after the person has been identified by providing the following information:
1) Name/Surname or Company name
2) email address provided during the registration

13.1.2. The Company replies within one month following the date of receipt of request. Taking into account the complexity or number of requests, the Company may extend the time period for the fulfilment of the request, by another two months, on what it informs the person within one month following the date of receipt of request.

13.1.3. A person may obtain copies of its own personal data (except for documents) and to receive additional information about the processing of its personal data.

13.1.4. The Company ensures the person’s right to access its personal data free of charge.

13.1.5. The Company may request fee for all additional copies of personal data that the person requests if no changes have been made to the contents of the information.

13.1.6. The Company also may charge a fee based on actual administrative costs (which are related to the provision of information, communication or performance of the requested action, including employee resource costs, information carrier costs and postal service costs).

13.1.7. The Company may decline fulfilment of a request or charge a fee if the person’s requests are clearly unjustified or excessive, particularly because of their repetition on a regular basis (e.g. if a person submits requests several times without a clear reason for doing so during a period in which the data in the possession of the Company regarding the person have not changed and the person could have been aware of this).

13.2. Rights to rectify data:

13.2.1. Without undue delay, the Company will rectify inaccurate personal data if the relevant information and a rationale for their rectification have been received from the person concerned. The grounds for rectification must be reasonably justified.

13.2.2. The Company will assess this upon receipt of the request. If the Company has grounds to question the justifiability of the request, the Company may ask the person to submit additional evidence that would justify the correction of the data.

13.2.3. The Company replies to the person in accordance with the procedure set forth in Paragraph 13.1.2 of the Policy.

13.3. Data Transfer Rights:

13.3.1. A person is entitled to receive data about himself/herself in order to save it or to make it possible for the data to be re-used, e.g. by transferring it to another service provider.

13.3.2.Transfer rights only apply to the following data:

(i) Data that has been submitted to the Company by the person himself/herself and whose processing is carried out on the basis of the person’s consent and using automated means, or

(ii) Data that has been submitted to the Company by the person himself/herself and whose processing is carried out using automated means, and is justified by the necessity to process the data for the fulfilment of a contract (including preparation of a contract) to which the person is a party.

13.3.3. After the fulfilment of the data transfer application, the Company would no longer be responsible for its subsequent processing, which is done by the person concerned or a third person, who receives this data.

13.3.4. The Company will fulfil the person’s data transfer rights free of charge.

13.3.5. The Company replies to the person in accordance with the procedure set forth in Paragraph 13.1.2 of the Policy.

13.4. Right to be Forgotten:

13.4.1. Without undue delay, the Company will erase personal data at a person’s request, if:

(i) The data is no longer required in relation to the purposes for which it was collected or otherwise processed;

(ii) The person has revoked its consent, on the basis of which the personal data processing was conducted, and there are no other legal grounds for processing (e.g. the Company’s legitimate interest to prove that data processing was lawful during the period of validity of consent);

(iii) The person has objected to Personal Data Processing, and after reassessing the legitimate interests involved, the Company acknowledges that there are no more material legitimate grounds for processing;

(iv) Personal data has been processed unlawfully.

13.4.2. The Company may decide not to erase data if the data is necessary to fulfil the Company’s legal duty, which requires the performance of data processing (including information or document storage terms stipulated in laws and regulations).

13.4.3. The Company replies to the person in accordance with the procedure set forth in Paragraph 13.1.2 of the Policy.

13.5. Rights to Restrict Processing:

13.5.1. The person may request that the Company restrict the processing of his personal data for one of the following reasons:

(i) The person disputes the accuracy of the data. In this case, the duration of the restriction cannot be longer than the period during which the Company is checking the accuracy of the data;

(ii) Data processing is unlawful, and the person objects to the erasure of data, requesting the restriction of the use of data instead. In this case, the processing of personal data will be restricted for the period that the person has requested;

(iii) The Company no longer requires the data for processing, but they are required by the person concerned, in order to raise, fulfil or defend lawful requirements. In this case, the restriction will be set for the period that the person has requested and justified;

(iv) The person has objected to processing that is justified by the Company’s legitimate interests. In this case, the duration of restriction will be set for the period during which a check is conducted as to whether the Company’s legitimate interest is more important than the person’s legitimate interest.

13.5.2. The Company replies to the person in accordance with the procedure set forth in Paragraph 13.1.2 of the Policy.

13.6. Rights to Object:

13.6.1. A person may object processing of his/her personal data, which the Company carries out based on its legitimate interest or in the public interest and performance of public tasks.

13.6.2. Upon receipt of a person’s request to terminate processing his/her personal data, the Company stops processing the personal data for specific purposes.

13.6.3. If the Company is able to indicate convincing and legitimate reasons for processing prevailing over the person’s interests, rights and liberties, or in which the Company uses data in order

13.6.4. to raise, fulfil or defend lawful requirements, the Company will not terminate processing of the personal data.

13.6.5. The Company replies to the person in accordance with the procedure set forth in Paragraph 13.1.2 of the Policy.

13.7. Rights in Relation to Automated Individual Decision-Making:

13.7.1. A person may object to automated decision-making, including Profiling, in accordance with the provisions of Article 21 and Article 22 of the General Data Protection Regulation, and request human involvement in making of an automated decision, unless:

(i) automated decision making is necessary in order to conclude or fulfil a contract between the Person and the Company (e.g. automated compliance and fraud prevention checks);

(ii) automated Personal Data Processing is permissible in accordance with the laws and regulations applicable to the Company (e.g. customer due diligence and identification of suspicious and unusual transactions;

(iii) automated decision making, including Profiling, is carried out based on the person’s explicit consent.

13.7.2. If a request has been received from a person not to carry out automated decision making, including Profiling, in relation to the person’s data, the Company will carry out suitable measures to protect the person’s rights and freedoms and legitimate interests, and to ensure human involvement on the Company’s part to ensure that the person can express his/her opinion and dispute the decision.

13.7.3. The Company replies to the person in accordance with the procedure set forth in Paragraph 13.1.2 of the Policy.

13.8. Right to Withdrawal the consent:

13.8.1. A person is entitled to withdraw his/her consent to Personal Data Processing at any time by the same means as it was provided or another agreed mean, and in that case, subsequent data processing based on prior consent for a specific purpose will no longer be carried out.

13.8.2. Withdrawal of a consent does not affect Personal Data Processing that was carried out during the period in which the person’s consent was valid.

13.8.3. Withdrawal of consent cannot result in the suspension of Personal Data Processing, which is carried out according to other legal grounds.

13.9. Rights to Submit a Complaint to a Regulatory Body:

13.9.1. If a person has a reasonable doubt or a suspicion that his/her Personal Data Processing is taking place in contradiction to the requirements laid down in the General Data Protection Regulation and other binding regulatory documents, the person may submit a complaint on  a violation of Personal Data Processing to the State Data Protection Inspectorate of the Republic of Lithuania.

13.9.2. For more details and complaint form, please refer to the website of the State Data Protection Inspectorate of the Republic of Lithuania: https://www.ada.lt/go.php/Skundu-ir-prasymu-formos102102102.