Privacy Policy (Debtors)

1. What is a privacy policy?

1.1. In our privacy policy we explain who is responsible for the personal data processing that takes place in our organisation. We also describe which personal data about you is processed when we receive data about you or when you provide data to us in various situations, how we process the personal data, why we do it and on what legal basis we justify the processing. We also explain which external parties may be processing personal data about you. You also receive information about your rights when it comes to our processing of your personal data and about how you can proceed to exercise your rights.

1.2. We will only process the personal data about you that is necessary for the purposes set out in this privacy policy. We have procedures describing how we store and anonymise personal data in order to make sure on an ongoing basis that your personal data will always be correct and relevant. You can read more below about how processing takes place and which data is processed.

2. Important terms

2.1. Here are explanations of some important terms that can be useful to know in order to understand our privacy policy:

a. “Personal data” means any data that relates to a natural person who can be directly or indirectly identified with the aid of this data; for example a name, an ID number such as a personal ID number, location data, an online identifier such as an IP address or one or more factors that are specific to the natural person’s identity.

b. ”Processing” means a measure or a combination of measures carried out with personal data; for example collection, registration, organisation, structuring, storage, processing or modification, production, reading, use, disclosure through transfer, dissemination or provision in another way, adjustment or merging, restriction, erasure or destruction.

c. ”Controller” is the party that either solely or in conjunction with another party determines the purpose and means of the processing of personal data and is responsible for ensuring that the processing takes place in accordance with applicable data protection regulations.

d. ”Data protection regulations” GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) and is a European data protection regulation that became directly applicable on 25 May 2018 for all Member States, but also for those countries that in any way process personal data belonging to a natural person in the EU/EEA. The purpose of GDPR is to protect the personal data of natural persons. In addition to the aforementioned regulation, Finland has also enacted supplementary legislation (Tietosuojalaki 1050/2018). When we mention “the data protection regulations” in this privacy policy, we refer to both of the above regulations.

3. Who is responsible for the processing and do you guarantee that personal data is handled securely?

3.1. Axactor Finland, corporate ID number 1606758-4, is the controller for the processing of your personal data in those cases where we are performing debt collection assignments, i.e. when we have been engaged by the creditor who has a claim against you, as part of our business and when we carry out debt collection activities for receivables owned by us. In this text, Axactor Finland Oy is referred to as “we” and you as a debtor, i.e. the party towards which a debt collection or surveillance assignment is directed, as “you”.

3.2. We are obliged to carry out appropriate technical and organisational measures in order to guarantee and be able to show that our processing takes place in accordance with the data protection regulations. We have carried out many appropriate measures in order to guarantee that unauthorised parties do not gain access to your personal data.

4. From where we collect your personal data

4.1. The data is obtained, in cases where we carry out debt collection assignments, from our client who is the creditor, i.e. the party that owns the receivable for the debt to which the debt collection assignment relates. In cases where we have taken over a receivable and thereby become the new creditor, the data is obtained from the previous creditor who had a claim against you or from the debt collection company that performed the debt collection assignment for the previous creditor in respect of the receivable we have taken over. Personal data is also obtained from you during those contacts you may have with us, from any party that is representing you in the case you have with us, credit reference agencies or servers of process, and from courts and government agencies.

5. Reasons why we process your personal data

5.1. We process your personal data so that we can effectively carry out our assignment and business in general. We process personal data about you so that we can manage and make decisions in debt collection and/or surveillance cases against you in order to collect the debt that you owe us or our client, and to be able to run our business in general. We can also process some of your personal data in order to evaluate a receivable if we are considering purchasing it. The description above is thus the intention and purpose of our processing of your personal data.

6. Which personal data we process about you

6.1. The personal data we process about you includes information about who you are, your contact details, data about your financial situation and payment history, and data about debt collection measures taken and the outcome of such measures. Below is a slightly more detailed description of which items of personal data we process about you.

a. Name, personal ID number and contact details. We process personal data such as your name and personal ID number/coordination number, various kinds of customer and subscription numbers linked to individual debt collection and surveillance assignments, as well as your contact details such as address, phone number, email addresses and possibly phonerecordings (this is always asked from you beforehand and you can deny us to record) and data about and addresses for your workplace; the latter only when needed in order to issue you with a notice.

b. Data about the receivable and payments. We process personal data linked to the debt collection and surveillance assignments we are managing that involves you or that is in any other way associated with the receivable and that is needed in order that we can perform our assignment; normally data about the invoice or receivable to be collected, information about what the receivable is based on and data about how and from where payment has been made (such as details of IP address for online orders). We also process data about both debits and credits (e.g. returns) with specifications, as well as data about any securities and payments.

c. Data about financial circumstances, etc. We process personal data about your financial circumstances and other circumstances that are significant for assessing your ability to pay and other ability to fulfil commitments and, where relevant, to seize securities and the like if such exist. If we consider it necessary in order to be able to make a decision on how your debt collection or surveillance case is to be managed or to value a receivable, we process data about taxable income, debts, seizure, employer, existence of property that can be seized and other data drawn from the registers of the Finnish Enforcement Authority and other government agencies. If it is relevant for the calculation of your ability to pay, data about civil status and family circumstances may also be processed.

In cases in which you have applied for or been granted debt restructuring, we also process the data relating to the debt restructuring decision and data about your payment plan and your payments.

d. Data about convictions in criminal cases. Data about convictions in criminal cases is only processed when processing is necessary in order that legal claims can be established, exercised or defended in an individual case, which in our debt collection business is if our assignment consists of collecting damages due to a crime or to be able to assess an obligation to pay in connection with fraud in which we or our client have a claim.

e. Data we must process by law. Furthermore, we may process other kinds of personal data in order to meet legal obligations, for example accounting obligations, and in which case this involves the personal data that is required by law.

f. Other data. If you yourself submit data to us that is not any of the types described above, we will also process this data if we consider it necessary and relevant for the performance of our debt collection or surveillance assignment.

6.2. According to the data protection regulations, the processing of personal data relating to your health constitutes a special category of personal data that must be processed with greater caution than other personal data. In our debt collection business, we process such data only when processing is necessary in order that legal claims can be established, exercised or defended; for example, in connection with claims that relate to healthcare costs or when information about health is otherwise significant for the individual debt collection case.

We can also process data about your health, for example if you are unable to pay because of illness or disability, if you yourself submit the information to us and give your consent to it being processed by us.

7. The legal basis for our processing of personal data

7.1. The data protection regulations only allow us to process your personal data to the extent that we have grounds for the processing activity. Our processing of your personal data is based on one or more of the following grounds:

a. Agreement. In the event that we purchase a receivable from a former creditor, we may process your personal data in order to be able to fulfil the agreement that you and the former creditor signed and that we have taken over.

b. Legitimate interest. When we process data about a receivable that we are considering purchasing, the data is processed with the support of what is known as a balancing of interests, in which we have concluded that our interest in being able to evaluate the receivable outweighs your interest in the data not being processed. If we then purchase the receivable, the data is then processed instead for debt collection purposes and in order to fulfil the agreement with you that we have taken over. Furthermore, your personal data may be processed on these grounds in order to defend ourselves against any possible legal claim you have against us.

c. Legal obligation. Your personal data may also be processed in order to meet obligations we have under law; for example, so that we can meet accounting obligations or so that we can take action in accordance with legislation against money laundering, and so that we can provide supervisory authorities with information.

d. Consent. We may also process your personal data (e.g. health) because you voluntarily submit data to us that is not necessary for legal claims to be established, exercised or defended; we may process such data if you give your consent to the processing.

7.2. As we have stated above, we process some of your personal data with the support of a balancing of interests as the legal basis for the processing activity. The balancing of interests means that we perform an assessment through which we have concluded that our legitimate interest in performing the processing activity outweighs your interest in our not processing your personal data. What constitutes a legitimate interest is described above. If you want to find out more about how we performed this assessment, you are welcome to contact us. You will find our contact details under “Feel free to contact us”.

8. How long do we store your personal data?

8.1. Your personal data is processed for the time required for debt collection activities and to perform the debt collection or surveillance assignment. Regarding ongoing and completed debt collection cases, we follow the Finnish Data Protection Authority’s (Tietosuojavaltuutetun toimisto) guidelines, which state that the data must be stored throughout the whole time that the debt collection case is active and for at least six more years after completion of the assignment in order that inspection may take place. All data relating to debt collection cases is pseudonymized after 3 months and erased or anonymized within 6 years of a case being closed or an assignment being completed.

8.2. When we process your personal data in order to evaluate a receivable that we are considering purchasing, the data is processed during the time that the evaluation is under way and until it has been decided whether or not we will purchase the receivable.

8.3. Special categories about your health that you have submitted to us voluntarily and that you gave your consent for us to process will be processed for as long as the data is needed for its purpose, although never beyond such time as you withdraw your consent or until it is no longer needed in order to establish, exercise or defend legal claims; under all circumstances no longer than 36 months after the case has been closed or the debt collection assignment has been completed.

8.4. The processing of anonymized data, i.e. data that cannot be linked directly or indirectly to a natural person, is not covered by the limitations described in this privacy policy.

9. To whom may your data be disclosed?

9.1. The personal data we disclose about you will primarily be processed internally within Axactor and by companies in the same Group as us, although they may be disclosed to our clients, and in relevant parts to our suppliers such as credit reference agencies, foreign debt collection companies, servers of notice, postal and printing companies and other parties involved in the delivery of our services, as well as to lawyers representing us, to government agencies (e.g. to the Finnish Enforcement Authority when it is necessary for the establishment or execution of a claim and to the police’s serving of notice operations when it is necessary to serve you with a notice) and courts.

9.2. If we use a supplier to process your personal data for us, what is referred to as a processor, we make sure that we have concluded what is referred to as a data protection agreement with them so that we can guarantee that your personal data will be processed correctly and securely. If you want to find out more about which processors we use to process your personal data, please contact us.

10. Where is your personal data stored?

10.1. As we are part of the Axactor Group, we may transfer your personal data to another country. Your personal data is stored primarily in IT infrastructure on our premises or provided by one of our processors. In cases where your personal data is transferred to another country, we make sure that there are appropriate protective measures in order to comply with the data protection regulations.

10.2. The personal data will as a rule be handled and stored within the EU/EEA. Your personal data may, however, be transferred outside the EU/EEA in the event that you move abroad and we need to hire a foreign debt collection company outside the EU/EEA in order to collect the debt you owe to us or to our client. We also use third-party suppliers outside the EU/EEA that may access your data, including but not limited to the USA. We will never transfer your personal data outside the EU/EEA without guaranteeing the security and protection of your personal data. We therefore make sure that all recipients have signed the EU’s standard clauses in order to justify the transfer and to make sure that the country in question guarantees satisfactory protection in accordance with the data protection regulations. We may also transfer your personal data if it is required by law.

11. Are you the subject of profiling or automated decisions?

11.1. Profiling means the automatic processing of personal data that is used to assess certain personal properties in a natural person, in particular in order to analyse or predict, for example, this person’s financial situation, personal preferences, interests and location.

11.2. There are no automated decisions with legal consequences or that affect you to a significant degree in our business. Automated processes with elements of profiling are used in our debt collection activities. These processes do not, however, change your legal position, but are instead used to assess whether a less intrusive debt collection measure should be undertaken. Our processes are necessary so that we can effectively carry out our assignment and business in general. This means that you are not the subject of profiling or automated decisions as described in the data protection regulations.

12. Your rights

12.1. You have certain rights in respect of the processing of your personal data; these are described in more detail below. To exercise your rights or submit any questions you might have about your rights, you are welcome to contact us via the contact details provided under “Feel free to contact us”.

a. Access. You have the right to receive a confirmation of whether we are processing your personal data, and if we are doing so you also have the right to receive information about how we are processing this and to receive a copy of your personal data. To be more specific, this means that you have the right to receive information about why we are processing your personal data and how we performed a possible balancing of interests in order to process your personal data, which categories of personal data we are processing, which parties we are sharing your personal data with, how long we store your personal data and criteria for performing the assessment of the storage time, what rights you have, from which parties we receive your personal data (if we did not receive it from you) and whether the processing of your personal data includes any automated decision-making, so-called profiling, and whether your personal data has been transferred to a country outside the EEA, and in such cases how we guarantee the satisfactory security of your personal data. For any additional copies over and above those that you have the right to receive free of charge, we will make an administrative charge corresponding to the costs we incur in sending the additional copies to you.

b. Rectification. You have the right to the rectification of any incorrect personal data relating to you and to ask us to supplement any incomplete personal data.

c. Erasure (the right to be forgotten). In certain circumstances you have the right to request the erasure of your personal data. Such circumstances exist, for example, if the personal data is no longer necessary for the purposes for which it was collected or processed, or if you withdraw your consent on which the processing was based and there is no other legal basis for the processing activity.

d. Restriction. In some cases, you have the right to request that the processing of your personal data shall be restricted (frozen). Restriction means that data is marked and used only for some delimited purposes. For instance, if you believe that the personal data we are processing is not correct and request rectification you may also request that the processing of such data is restricted until we have examined the data’s correctness. The same applies if you need the data for establishment, exercise or defense of your legal claims. In that case you may, for instance, request restriction in the way that the personal data is not erased.

e. Objection. You have the right to object to processing that takes place with the support of an assignment in the public interest or legitimate interest (balancing of interests). In certain cases, however, you do not have the right to object to processing on the basis of a balancing of interests (e.g. because we must store your personal data). This is the case if we can present binding, legitimate reasons that outweigh your interests, rights and freedoms, or if it is taking place in order to establish, exercise or defend legal claims. If you submit an objection, we will review it against the reasons we have to continue processing your personal data.

f. Data portability. You have the right to have your personal data, which you have submitted to us for processing based on consent or to fulfill an agreement, sent to you in a structured, generally used and machine-readable format. You also have the right to request the transfer of this information to another controller.

g. Right to withdraw consent. For personal data that you may have submitted voluntarily (e.g. about your health) and for which you gave your consent for our processing of the data, you have the right to withdraw your consent at any time. The data will then no longer be processed if it is not required in order to establish, exercise or defend legal claims or if there is no legal obligation to store the data. In such cases, once your consent has been withdrawn it will only be processed for these purposes.

h. Submit complaints. You also have the right to submit complaints in respect of our processing of your personal data; see more about this under “Your right to submit a complaint”.

13. Your right to submit a complaint

13.1. Axactor Finland, corporate ID number 1606758-4, we take your privacy seriously. We therefore take very great care to ensure that your personal data will always be processed in a correct, secure way. If you have any questions about our processing of personal data, please feel free to contact us.

13.2. If you believe that our processing of personal data is incorrect, you have the right to submit a complaint to the Tietosuojavaltuutetun toimisto, which is the supervisory authority in Finland, or to the supervisory authority in the place where you are resident. More information is available at https://tietosuoja.fi/.

14. Feel free to contact us

14.1. If you would like to exercise your rights as described above or have any other questions about how we process your personal data, please make contact with us (Axactor Finland, corporate ID number 1606758-4,) as follows:

a. Post. Axactor Finland Oy, Porkkalankatu 20 aA, 00180 Helsinki.

b. Phone. Customer service can be contacted on tel. +358 14 362 3300.

c. Email. Customer service may be contacted at palvelu@axactor.fi and our data protection officer Petri Anttila at petri.anttila@axactor.com.

14.2. Bear in mind that email can be the subject of unauthorised eavesdropping, unauthorised additions and amendments, computer viruses or other kinds of manipulation. Before you send any confidential information to us, you should carefully consider the risks associated with sending sensitive information by email.

15. Changes to this privacy policy

15.1. We are constantly developing our services. We may therefore need to update our privacy policy from time to time. All changes to this privacy policy will be made available on our website, www.axactor.com/fi.

This privacy policy was adopted by Axactor on 15.10.2020.