Privacy Statement for Debt Collection Register (Debt Collection Customer)

1. GENERAL

CreditVisor (hereinafter referred to as “the Company” or “We/Us”) is committed to ensuring the confidentiality and data protection of the personal data it holds. This privacy statement applies to the personal data we collect about the persons subject to the debt collection assignment in connection with our debt collection register (hereinafter referred to as “the Register”). This privacy statement describes the personal data we collect and how we process it. For more information on the processing of personal data, please contact our Data Protection Officer Lauri Aittamo ([email protected]). 

We may update this privacy policy from time to time due to legal amendments or other reasons. This privacy policy was last updated on 6 March 2024. 

2. DATA CONTROLLER AND DATA PROTECTION OFFICER

Name: CreditVisor Oy 

Address: Konepajankuja 3, 00510 Helsinki

Telephone: +358 09 47655655 

Business ID: 3126049-7 

CreditVisor’s Data Protection Officer:  

Lauri Aittamo 

Email: [email protected]  

3. DATA SUBJECTS

In the Register, we process the personal data of our debt collection customers.  

4. TYPES OF PERSONAL DATA

In the Register, we process the following personal data concerning debt collection customers:  

  1. your name and personal identity code; 
  2. your contact details: telephone number, email address and postal address; 
  3. information about your debts and financial standing;
  4. your bank account information in order to refund overpayments; 
  5. your information from the credit information register (any payment defaults and other credit information entries); 
  6. your health data, only if it is relevant concerning the debt that is being collected;
  7. personal data relating to criminal convictions and offences (if the debt collection is based on a criminal conviction); 
  8. your data in the debt collection system (such as your customer number); 
  9. a record of a call with our customer service;
  10. other personal information you provide to us.

5. SOURCES OF PERSONAL DATA

We collect personal data from our client companies, credit information companies (such as Suomen Asiakastieto Oy and Dun & Bradstreet Finland Oy), authorities (Digital and Population Data Services Agency, district courts, National Enforcement Authority Finland, legal aid offices) and authorised persons (such as trustees and debt counsellors). 

We also collect personal data directly from the data subject through communications and the website. 

6. GROUNDS, PURPOSES AND EFFECTS OF PROCESSING YOUR PERSONAL DATA

Your personal data is processed for the performance of a contract to which you are a party.  This means the contract based on which you are obligated to make payments to our client. On this basis, the personal data groups numbered 1-2 and 8 are processed, as specified in paragraph 4.

The processing of your personal data is also based on the legitimate interest of CreditVisor and/or its client. We process your personal data in order to carry out our activities and fulfil our obligations. We may check the accuracy of the personal data in our possession and supplement your personal data in our system by obtaining information from various sources, such as credit information agencies and the Population Information System. Records of calls with our customer service are stored to ensure the quality of customer service. Legitimate interest is also the grounds for processing personal data in order to collect receivables based on criminal convictions. On the basis of a legitimate interest, the personal data groups numbered 1-3, 5, 7 and 9 are processed, as specified in paragraph 4.

The processing of your personal data may also be based on your consent. Your personal data is processed on the grounds of your consent when your personal data is disclosed to an authorised person. The types of personal data transferred to the authorized person are determined by the extent of the authorization you have given.

The processing of your personal data is also necessary to comply with our legal obligations. We process your personal data in order to comply with the obligations set out in the Act on the Registration of Debt Collectors (411/2018), the Debt Collection Act (513/1999), the Accounting Act (1336/1997) and the Act on Preventing Money Laundering and Terrorist Financing (444/2017). On this basis, the personal data groups numbered 1-4 and 7-8 are processed, as specified in paragraph 4.

Your health information (paragraph 4, personal data group 6) may be processed exceptionally under Article 9(2)(f) of the General Data Protection Regulation if such processing is necessary for the establishment, exercise, or defense of legal claims. Such a situation may arise if you invoke a social bar to performance regarding debt collection or if this information appears, for example, on an application for adjustment of the debts of a private individual.

If the entity that has assigned the debt collection to CreditVisor is a healthcare provider, our system will only store information about the name of the assignor and the date of your visit to that provider regarding the invoice subject to collection. Your health information will not be processed in this context unless you have invoked it yourself as mentioned in the previous paragraph.

7. REGULAR DISCLOSURES AND TRANSFERS OF YOUR PERSONAL DATA TO THIRD PARTIES

We may disclose your personal data to our customer who has issued a collection assignment concerning your debt. 

We may disclose personal data to our service providers whose right to process the data is only limited to the extent of the services they provide. These service providers include mail carrier, communications and advocacy services. We also disclose personal data to credit rating operators and authorities, when permitted by legislation. Personal data may be disclosed to third parties also if you have given your consent to the disclosure. 

Our partners may only process your personal data for the purposes of the measures to be taken on our behalf. We always ensure that our partners do not process transferred personal data for any other purposes. 

If you move abroad, your data can be disclosed to local debt collection operators in order to carry out the collection activities. In this case, only the necessary personal data is disclosed to the foreign country. 

We may also need to share your personal data with competent authorities (such as enforcement authorities) in accordance with the legislation on the processing of personal data. We may also disclose your personal data to the judicial system. 

Personal data may also be disclosed to third parties if you have given your consent to the disclosure. 

8. TRANSFERS OF YOUR PERSONAL DATA OUTSIDE THE EU OR THE EEA

We may transfer your personal data outside the European Union or the European Economic Area. If the debt collection client is located in Switzerland, we will transfer your personal data to Switzerland. 

The European Commission has decided that an adequate level of data protection is ensured in the recipient country in question (equivalence decision).

9. PRINCIPLES FOR THE RETENTION OF PERSONAL DATA

We shall retain personal data for as long as necessary for the lawful purpose for which the data was collected. The storage period according to the Accounting Act (1336/1997) is six or ten years, depending on the material. Normally, the data is stored for seven years after the end of the customer relationship.

The storage period according to the Act on Preventing Money Laundering and Terrorist Financing (444/2017) is five years from the execution of the transaction. 

According to the Act on the Registration of Debt Collectors (411/2018), the debt collector must keep the documents and data related to the debt collection activity for five years after the end of the debt collection measures, unless a longer retention period is provided for elsewhere in legislation.

Recordings of calls with our customer service are stored for two months after the call.

We also keep the data until the expiry of the limitation period for the filing of various claims in order to be able to defend ourselves against legal claims. 

10. PROFILING

We carry out automated profiling of data subjects as part of personal data processing activities when considering legal debt collection measures. 

Profiling may be used for scoring to determine the progress of your case. The score you receive is based on your credit history, payment behaviour and debts. Your credit information will be automatically reviewed.  

The purpose of automation is to identify debtors for whom legal debt collection will not be initiated. Therefore, automated profiling will not have a significant legal effect on you. 

If you consider that an individual decision based on profiling has been made incorrectly, you can request that your case be reprocessed so that one of our employees takes part in the decision-making process. 

11. RIGHTS RELATED TO THE PROCESSING OF THE DATA SUBJECT ‘S PERSONAL DATA

In accordance with applicable data protection legislation, you have the right, at any time, to:  

  • be informed of the processing of your personal data; 
  • gain access to your data and inspect the personal data we process about you;  
  • object to the processing of your personal data on grounds relating to your particular situation to the extent that our legitimate interests are the basis for processing your personal data;  
  • receive your data in a machine-readable format and transmit the data to another controller, provided that you have personally provided the data to us, we process the data on the basis of a contract or your consent and the processing is carried out automatically;  
  • request the restriction of processing of your personal data;  
  • require the rectification and completion of inaccurate personal data; and 
  • request the erasure of your personal data; 
  • withdraw your consent and object to the processing of your personal data to the extent that the processing of your personal data is based on your consent;  

If you withdraw your consent, it does not affect the lawfulness of the processing of your personal data carried out before the withdrawal. To withdraw you consent, please see section “Contacts” below. Withdrawal of your consent will have no effect other than that we will not be able to disclose your personal data to an authorised person or request your personal data from an authorised person. 

To exercise the aforementioned right, you must submit your request to us in accordance with section “Contacts” of this privacy statement. We may ask you to specify your request in writing and verify your identity before processing the request. We may refuse to comply with your request on the grounds set out in applicable law. 

You also always have the right to submit a complaint to the relevant supervisory authority or the supervisory authority of the EU Member State where you reside or work, if you consider that we have not processed your personal data in accordance with applicable data protection legislation. 

12. THE REGISTER’S PROTECTION PRINCIPLES

We respect the confidentiality of your personal data. Any manual materials shall be stored in a locked space that can only be accessed by designated persons. Personal data processed digitally shall be protected and stored in our information system, which has limited access only to persons who need such data in order to perform their duties. These persons shall use their personal usernames and passwords.  

We encrypt any personal data sent outside of our Company.

13. CONTACTS

All requests for the exercise of the above rights, questions about this privacy statement and other contacts must be made by email to [email protected]. You can also contact us via the contact function on the website or in writing at the address below: 

CreditVisor Oy 
Lauri Aittamo 
P.O. Box 104 
FI-00101 Helsinki, Finland