Principles of Processing the Personal Data of Clients
Updated latest on December 02, 2020
These principles of Processing the Personal Data of Clients (hereinafter also principles) describe how Ferratum processes Personal Data of its Clients and any other Data Subjects (hereinafter also you) in relation to the services offered by Ferratum. The principles apply if the Client uses, has used or has expressed an intention to use the products or services provided by Ferratum or in the case that the data of a Client is processed by Ferratum for purposes relating to products or services offered by Ferratum.
1.1. Client – A natural person who uses, has used or has expressed an intention to use the products and services offered by Ferratum or to conclude a guarantee or warranty agreement with Ferratum;
1.2. Contract – A contract concluded between Ferratum and the Client;
1.3. Data Protection Regulations – Any applicable laws and regulations regulating the processing of Personal Data, including but not limited to the GDPR;
1.4. Ferratum – Ferratum Bank p.l.c., Malta Registry of Companies code C 56251, adress ST Business Centre, 120, The Strand, Gzira, GZR 1027, Malta, e-postadress: firstname.lastname@example.org
1.5. Ferratum Group – Ferratum together with companies the majority shareholder of which is directly or indirectly Ferratum's parent undertaking Ferratum Oyj (Finnish Trade Register code 1950969-1, address Ratamestarinkatu 11 A, Helsinki, Republic of Finland);
1.6. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
1.7. Personal Data – Any information relating to an identified or identifiable natural person (Data Subject). Data subject to banking secrecy may also include Personal Data;
1.8. Processing – Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, storing, alteration, granting access to, making enquiries, transfer, viewing, etc.
2. Data Controller
2.1. Ferratum is responsible for the processing of your Personal Data and, as such, should be considered a data controller under the GDPR.
2.2. The Processing of your Personal Data shall be governed by the laws of Malta.
2.3. The main language governing the relationship between you and Ferratum shall be English. In the event of inconsistency or discrepancy between the English version and any of the other linguistic versions of these principles, the English language version shall prevail.
3. Collecting your Personal Data
3.1. Ferratum collects your Personal Data in the following ways:
3.1.1. If you’re the Client applying for a loan or request other services from Ferratum, you provide Ferratum your Personal Data directly and Ferratum collects it from Ferratum and/or Ferratum Group (from your previous use of its services) and/or from external sources. Such external sources include, but are not limited to, public and private registers (e.g. credit bureaux, namely Creditsafe i Sverige AB, UC AB and Instantor AB) which Ferratum uses in order to identify you and verify your identity and perform credit and risk assessments. The Personal Data required depends on the services requested by you e.g. whether you are applying for a loan, depositing money, acting as a personal guarantor.
3.1.2. If you’re the Client entering warranty or guarantee agreement, your Personal Data is usually provided to us by the Client, who is applying for the loan.
3.1.4. The Personal Data collected is necessary for the purposes explained below, considering the nature of the services and products offered by Ferratum and the need to sufficiently identify the Clients and ensure their credit- and trustworthiness and for Ferratum to safeguard its rights and perform its obligations under the agreement with you and at law..
4. Personal Data Processed
4.1. Ferratum Processes Personal Data collected for the following purposes:
4.1.1. concluding and performing the Contract with the Client. This includes properly identifying the Client and performing credit and risk checks and assessments on the Client to determine whether and on which conditions to conclude the Contract. The legal basis for such Processing is the entering into and performance of the Contract with the Client, as well as Ferratum’s legitimate interests to ensure the Client is trust- and creditworthy as well as to collect amounts due to it;
4.1.2. performance of Ferratum’s obligations arising from law (e.g. anti-money laundering (AML) and terrorist financing rules and regulations to properly identify the Client (KYC) and ensure the trust- and creditworthiness of the Client);
4.1.3. safeguarding Ferratum’s rights (establishing, exercising and defending legal claims). The legal basis for such Processing is the legitimate interest of Ferratum;
4.1.4. assessing the quality of Ferratum’s services, including customer support service and quality assurance service. The legal basis for such processing is the legitimate interest of Ferratum to evaluate and develop the quality of its customer support service;
4.1.5. direct marketing: We will contact you with direct marketing based on our legitimate interest to offer you our product and services if you are our existing customer or used recently our products or services. When we process your personal information for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Remember, you can opt out of direct marketing at any time by clicking the unsubscribe link at the end of each email or contacting our customer support service.
4.2. For the foregoing, Ferratum processes the following Personal Data:
4.2.1. identification data (e.g. name, personal identification code, date of birth, place of birth, nationality, information about and copy of identification document, results of face/ID recognition, voice, picture, video, signature, address);
4.2.2. contact data (e.g. address, phone number, e-mail address, language of communication);
4.2.3. bank data (e.g. bank ID, name of bank, account holder, account number, transaction information from your bank account, if you have consented to this);
4.2.4. professional data (e.g. current and former employer and position);
4.2.5. financial data (e.g. salary, income, assets, liabilities, properties);
4.2.6. data concerning origin of assets (e.g. data concerning employer, transaction partners, business activities and actual beneficiaries, data showing the source of your income and wealth);
4.2.7. data concerning creditworthiness/trustworthiness (e.g. data concerning payment behaviour, damages caused to Ferratum or other persons, data that enables Ferratum to perform its due diligence measures regarding money laundering and terrorist financing prevention and to ensure the compliance with international sanctions, including the purpose of the business relationship and whether the Client is a politically exposed person);
4.2.8. data obtained when performing an obligation arising from the law (e.g. information received from enquiries submitted by investigative bodies, notaries, tax authorities, courts and bailiffs);
4.2.9. communications data (e.g. e-mails, phone call recordings);
4.2.10. Ferratum website account log-in data;
4.2.11. data related to the services by Ferratum (e.g. performance of the contract or the failure thereof, transactions history, submitted applications, requests and complaints).
5. Processing based on consent
5.1. Ferratum also processes the Personal Data on the basis of consent (e.g. for direct marketing purposes and for carrying out market research, preparing statistical studies and analyses of client groups, preparing and building lookalike audience groups, market shares of products and services and other financial indicators, as well as reporting and risk management in order to better understand the clients’ expectations and develop Ferratum’s models, products, services and processes).
5.2. When Processing is based on consent, you can withdraw consent at any time by contacting Ferratum on the contact details below. Please note that withdrawing consent does not affect the lawfulness of Processing based on consent before its withdrawal.
5.3. As for direct marketing messages received by e-mail, you can also withdraw consent and unsubscribe from receiving any further e-mails by clicking on the ‘unsubscribe’ link at the end of each e-mail.
6. Automated decision-making and profiling
6.1. Ferratum decides based on profiling and automated decision-making whether the Client’s loan application is fully or partially accepted or rejected.
6.2. The decision is made based on information received from the Client in the application, information received from external sources, such as public and private registers and other third parties, as well as the Client’s previous payment behaviour with Ferratum, Ferratum Group company and other financial service providers. No special categories of Personal Data (eg. data concerning health, genetic data) are processed.
6.3. Profiling and automated decision-making are necessary for entering the Contract, as well as to meet Ferratum’s legal obligations as regards properly identifying the Client, assessing the creditworthiness of the Client, fraud prevention and money laundering. Automated decision-making helps Ferratum to verify your identity and whether you are trust- and creditworthy and able to fulfil your obligations under the Contract. Automated decision-making helps Ferratum make fair and responsible lending decisions. Ferratum will not grant a loan and may terminate a loan granted to the Client if it becomes aware the Client has a payment disorder or that the Client has provided Ferratum false information. Automated decision-making also helps to reduce the potential for human error, discrimination, and abuse of power, as well as enables to deliver decision-making within a shorter period, considering the volume of applications received by Ferratum.
6.4. Because of the fact that the decision-making is automated, the Client might not be eligible for a loan. Ferratum’s credit scoring methods are regularly tested to ensure they remain fair, effective, and unbiased and Ferratum has implemented suitable measures to safeguard the Client's rights and freedoms and legitimate interests. However, if the Client wants to contest the automated decision made or express his or her point of view, the Client can contact Ferratum on the contact details below.
6.5. Ferratum also uses profiling in order to decide based on the Client’s financial soundness in using Ferratum’s services whether to offer on its own initiative a higher credit amount or other services and products to the Client with whom it has already concluded a Contract. The legal basis of such Processing is the legitimate interest of Ferratum to market its products. As a result, thereof, some Clients may not receive such offers. However, such profiling does not directly produce any legal effects on the Client or otherwise significantly affect the Client, as this does not influence the already existing Contract and the Client has the chance to apply for a new loan on its own initiative.
7. Disclosing the Personal Data
7.1. The nature of Ferratum’s products and services provided requires Ferratum to share your Personal Data to run its everyday business to process transactions, maintain customer accounts, and report to public institutions. Before sharing Ferratum will always ensure to respect relevant financial industry secrecy obligations.
7.2. Ferratum may share your Personal Data with carefully selected and trusted partners to whom Ferratum wishes to entrust or has entrusted the provision of services and with the third parties performing functions delegated to them by law, if stipulated herein, if required under the applicable law (e.g. when Ferratum is obligated to share Personal Data with the authorities) or with your consent.
7.3. Ferratum may share your Personal Data with the following partners and third parties:
7.3.1. other Ferratum Group entities. The legal basis for such sharing is the legitimate interests of Ferratum and Ferratum Group to ensure the performance of the contract and the legitimate interest of the Client to ensure the services provided by Ferratum would be suitable and proportionate;
7.3.2. Ferratum cooperation partners, with whom Ferratum offers co-branded products and services for providing such services and products as well as for marketing and advertising such services and products. The legal basis for such sharing is either your consent or Ferratum’s legitimate interest to offer you its product and services if you are Ferratum’s existing customer or used recently its products or services;
7.3.3. Personal Data processors and their sub-processors engaged by Ferratum who process your Personal Data on behalf of Ferratum to assist Ferratum in providing, maintaining and improving its products and services and fulfilling its obligations deriving from applicable laws and regulations, e.g. legal and other advisors, data storage providers, telemarketing, marketing and surveys service providers, e-mail and SMS gateway service providers, other communication service providers, identification and certification service providers, card management service providers, invoicing service providers, payment service providers, credit and financial institutions, bank data scraping, scoring and credit check service providers, voice call dialler service providers, online and offline intermediaries, IT service providers, etc. The legal basis for such sharing is either your consent or the legitimate interests of Ferratum having the purpose of ensuring the continuity of its business and the continued provision of its products and services, including the necessary financing for offering its service as well as return of loans granted by it;
7.3.4. credit reference agencies who provide credit reports. The legal basis for such sharing is the legitimate interests of Ferratum to ensure the performance of the contract and the legitimate interests of Ferratum and third parties to be able to assess the creditworthiness of the Client and to follow the principles of responsible lending;
7.3.5. to persons maintaining databases of defaulted payments. The legal basis for such sharing is the legitimate interests of Ferratum to ensure the performance of the contract and the legitimate interests of third parties to be able to assess the creditworthiness of the Client;
7.3.6. the Central Bank of Malta for the purpose of inclusion in the Central Credit Register in case you have been granted loans which exceed €5 000. The legal basis for such processing is the Central Bank of Malta Directive No. 14;
7.3.7. debt collection agencies and bailiffs. The legal basis for such sharing is the legitimate interests of Ferratum to ensure the performance of the contract;
7.3.8. Ferratum’s auditors. The legal basis for such sharing is the legal obligations of Ferratum;
7.3.9. Ferratum’s regulators. The legal basis for such sharing is legal obligations to which Ferratum is subject;
7.3.10. other partners and third parties to which Ferratum may assign, pledge or transfer its rights and obligations to the extent required or allowed under the legislation applicable to Ferratum or according to the agreement concluded with you. The legal basis for such sharing is either your consent or the legitimate interests of Ferratum having the purpose of ensuring the continuity of its business and the continued provision of its products and services, including the necessary financing for offering its service as well as return of loans granted by it.
8. Transferring Personal Data outside the EEA
8.1. Ferratum transfers Personal Data to Ferratum Group entities and other recipients’ entities (including provide access to Personal Data from) outside the European Economic Area, e.g. to USA, Canada, India, Switzerland. This includes providing access to personal data from such countries. However, Ferratum does so only where it has a lawful basis to do so, including to a recipient who is: (i) in a country which provides an adequate level of protection for Personal Data; or (ii) under an instrument which covers the EU requirements for the transfer of Personal Data outside the EU.
8.2. You can receive further details on the transfers of Personal Data outside the EU upon contacting Ferratum on the contact details below.
9. Data retention
9.1. Ferratum retains your Personal Data in accordance with industry guidelines for as long as necessary for the purposes for which they were collected or for as long as necessary to safeguard its rights or for as long as required by applicable legal acts. Please note that if the same Personal Data is Processed for several purposes, the Personal Data will be retained for the longest retention period applicable. The maximum period applicable is the limitation period for claims arising from transactions, which is up to 10 years from of the date of the last transaction or closure of the account, whichever is the latest.
10. Your rights
10.1. To the extent required by applicable Data Protection Regulations, you have all the rights of a Data Subject as regards your Personal Data. This includes the right to:
10.1.1. request access to your Personal Data;
10.1.2. obtain a copy of your Personal Data;
10.1.3. rectify inaccurate or incomplete Personal Data relating to you;
10.1.4. erase your Personal Data;
10.1.5. restrict the Processing of your Personal Data;
10.1.6. portability of your Personal Data;
10.1.7. object to Processing of your Personal Data which is based on your overriding legitimate interest and which is Processed for direct marketing purposes;
10.1.8. should you believe that your rights have been violated, you have the right to lodge a complaint with:
- Ferratum customer support service at email@example.com; or
- Ferratum data protection officer at firstname.lastname@example.org; or
- The Office of the Information and Data Protection Commissioner, Address: Floor 2, Airways House, Triq Il - Kbira, Tas-Sliema SLM 1549, Phone: 2328 7100; or
- Datainspektionen, address Box 8114, 104 20 Stockholm, phone 08-657 61 00, email email@example.com; or
- the courts should you believe that your rights have been violated.
10.2 In order to exercise your rights, please contact Ferratum on the contact details below. 11.3 Please note that you can exercise some rights by logging into your Ferratum account.
11. Amending these principles
12.1. In case you have any question regarding the Processing of your Personal Data by Ferratum or you would like to exercise your rights as a Data Subject, please contact us on contact details provided above in section 10.
12.2. Ferratum has appointed a data protection officer whom you also may contact regarding the same on the following contact details: firstname.lastname@example.org.