SECTION I
GENERAL PROVISIONS
1. The purpose of these Principles of Processing of Personal Data (hereinafter – the Principles) is to regulate the processing of personal data by Finora Bank UAB (hereinafter – the Bank) ensuring the compliance and implementation of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter – the Regulation) and the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other legal acts, which determine the processing and protection of personal data
2. These Principles describe how the Bank Processes Personal Data.
3. Definitions used in these Principles:
3.1. Personal Data means any information which allows directly or indirectly to identify the Client or Bank’s employee;
3.2. Recipient of Data means a natural or legal person, public authority or another body, to whom the Bank is entitled to disclose Personal Data. Categories of Recipient of Data are provided in Section III of these Principles.
3.3. Data Processing means any operation or set of operations performed with regard to Personal Data, whether or not performed by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, use, combination, erasure or destruction;
3.4. Data Processor means natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller;
3.5. Data Controller means anyone who alone or jointly with others determines the purposes and means of the Processing of Personal Data. For the Processing of Personal Data described in these Principles, the Bank is the Data Controller;
3.6. Client means any natural person who uses, has used or has expressed a wish to use the Services or is in other way related to the use and/or user of any of the Services and/or has any other relationship with the Bank;
3.7. Services mean any services, advice and products provided by the Bank to the Client relating to financing, savings, lending, leasing or factoring.
3.8. Profiling means any form of automated processing of Personal Data, when Personal Data is used to evaluate certain personal aspects related to a natural person, in particular to analyze or predict aspects related to that natural person’s work results, economic situation, state of health, personal hobbies, interests, reliability, conduct, location or movement. Profiling is used, for example, to perform an analysis, to fulfill a contract, for direct marketing purposes, to improve information systems, based on the Bank’s legitimate interest or the Client’s Consent;
3.9. Special Category Data means personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data for the purpose of specifically identifying a natural person, health data or data about a natural person’s sex life and sexual orientation;
3.10. Consent means any freely given, specific and unambiguous expression of the will of a properly informed data subject by means of a statement or unequivocal actions by which he agrees to the processing of Personal Data related to him.
4. The Bank collects and processes Personal data of such categories as:
4.1. Personal identification data such as name, personal identification number, date of birth, data of the identification document, home address, picture of your face;
4.2. Contact data such as address, phone number, email address;
4.3. Financial data such as ownership, origin of funds, transactions, credits, income, financial goals, liabilities, assets;
4.4. Account data such as bank account number;
4.5. Data that is necessary for the Bank to apply the necessary measures in the field of money laundering and terrorist financing prevention and to ensure the implementation of international sanctions, including determining the purpose of business relations with the Client and whether the Client is a person participating in politics, as well as the source of the origin of assets;
4.6. Data on the Client’s transaction parties and business activities;
4.7. Data obtained and/or created while performing an obligation arising from the legislation such as data that the Bank is required to report to authorities, for example, tax authorities, courts, law enforcement agencies including details of income, credit commitments, property holdings and debt balances;
4.8. Family data such as information about the Client‘s family;
4.9. Demographic data such as country of residence, date of birth and citizenship;
4.10. Professional data such as educational or professional career; 4.11. Data about the relationship with legal entities such as data submitted by the Client or obtained from public databases or third party as a service provider for the execution of transactions on behalf of a particular legal entity
Section II
Processing of personal data
5. In the course of its activities, the Bank collects and processes Personal Data of the following persons:
5.1. Bank employees and candidates for employees;
5.2. Persons managing the Bank, members of management, supervision (including the Bank’s Supervisory Board, Audit Committee) or other bodies, shareholders, final beneficiaries;
5.3. Persons who submitted applications to the Bank for the provision of Services (applicants), guarantors of the applicants’ obligations, other persons specified in the applications, managing persons, members of management, supervisory or other bodies, persons directly or indirectly controlling them, shareholders, final beneficiaries;
5.4. Bank contractors, service providers, members of management, supervision or other bodies, persons directly or indirectly controlling them, shareholders, final beneficiaries;
5.5. Representatives, spouses, or persons related to the persons specified in clauses 5.2 – 5.3 of these Principles.
6. The Bank processes Personal Data for the following purposes:
6.1. Performance of agreements:
6.1.1. conclusion of employment contracts with Bank employees;
6.1.2. internal administration;
6.1.3. in order to take action at the Client’s request before concluding a contract, in order to conclude, fulfill or terminate a contract to which the Client is one of the parties.
6.2. Compliance with legal obligation:
6.2.1. to handle Clients‘ complaints;
6.2.2. prevention of money laundering, enforcement of tax liability control and declaration obligations, and risk management;
6.2.3. perform creditworthiness or other risk assessment in order to provide the Services, limit risk and comply with the capital sufficiency requirements applied to the Bank;
6.2.4. identify, investigate and report suspicious transactions;
6.2.5. determine and verify the Client’s identity, ensure that the Personal Data is correct and complete, verifying and refining them using data from public and internal data sources;
6.3. Legitimate interest, in order to:
6.3.1. carry out credit and risk assessment in order to determine what Services and under what conditions can be offered to the Client, make decisions, monitor the loan portfolio, as well as reduce or eliminate the Bank’s potential risks;
6.3.2. perform a creditworthiness or other risk assessment in order to provide financing or other Services to the Client;
6.3.3. assert, enforce, defend, transfer or sell financial claims, as well as store information for this purpose;
6.3.4. to protect the legitimate interests of the Client, the Bank, the Bank’s employees, by implementing the necessary security measures;
6.3.5. to support, expand, evaluate and improve the Bank’s activities, Services and Client experience;
6.4. Consent, when:
6.4.1. Personal Data is processed for the purpose of direct marketing;
6.4.2. telephone conversations are recorded in order to ensure the quality of the Services;
6.4.3. the image of the face of the Client (his representative) is used and a video is made in order to identify the Client (his representative) who seeks to become a client of the Bank remotely;
6.4.4. processing of personal data of job candidates, when candidates to positions offered by the Bank applying to a work position at the Bank either by submitting directly to the Bank their CV, motivation letters, etc., or through a hiring agency. The Bank process such Personal Data on the ground of consent which job candidates express by submitting the respective data;
6.4.5. Once the Clients visit the website of the Bank (www.finorabank.eu), the Bank processes IP address as well as other network data of the Client upon the consent of the Client;
6.4.6. Upon consent of the Client and having grounds and purpose to Finora group companies.
7. To manage Personal Data automatically, the Bank uses the following IT programs: Dropbox, Google Drive, MS Excel, Word, Outlook and other programs used in the Bank’s activities. Personal Data of Bank employees can also be provided and processed in the following IT systems of state institutions: Sodra database, VMI electronic declaration system, Sodra electronic policyholder system, Electronic statistical data preparation and transmission system, VMI (declaration data), VMI (illegal work), Electronic government portal, etc.
8. The Bank carries out Profiling and automated decision-making in order to improve the Clients’ experience using the Services, for example by adapting the Services to devices or preparing relevant Service offers for the Clients. The Bank makes automated decisions in processes such as creditworthiness assessment, risk management, transaction monitoring, anti-fraud, taking into account the requirements of legal acts in the areas of money laundering and terrorist financing prevention and financial services.
9. The period of storage of Personal Data is determined taking into account the specific purposes for which the Personal Data were collected, or the period determined by legal acts. Personal Data is processed during the period of business relations with the Client, and storage terms may be determined and applied taking into account the legitimate interest of the Bank. Personal Data are stored in the Bank for 10 years from the end of the business relations with the Clients, except in cases where legal acts determine other storage terms.
10. The Bank processes Special Category Data only in compliance with the conditions and requirements for the processing of such personal data provided for in Article 9 of the Regulation.
SECTION III
BASIC PERSONAL DATA PROCESSING AND DISCLOSURE REQUIREMENTS
11. In performing its functions and processing Personal Data, the Bank, among other things, complies with the following basic requirements for the processing of Personal Data: (i) Personal Data is collected for the purposes defined in these Principles and then processed in ways consistent with these purposes; (ii) Personal Data is processed accurately, fairly and lawfully; (iii) Personal Data must be accurate and, if necessary for the processing of personal data, constantly updated; inaccurate or incomplete data must be corrected, supplemented, destroyed or their processing stopped; (iv) Personal Data must be identical, appropriate and only to the extent necessary for their collection and further processing; (v) Personal Data is stored in such a form that the identity of the data subjects can be determined no longer than is necessary for the purposes for which these data were collected and processed; (vi) Personal Data is processed in accordance with the personal data processing requirements established in the Regulation, the Law on Legal Protection of Personal Data of the Republic of Lithuania and other legal acts.
12. The Bank receives Personal Data only in accordance with the procedure established by legal acts, receiving them both directly from data subjects and from third-party data controllers.
13. In order to ensure the provision of Services or in other cases where necessary, the Bank has the right to disclose Personal Data to Data Recipients. Such Data Recipients are:
13.1. Companies belonging to the Finora group;
13.2. state institutions, other persons performing the functions assigned to them by law, such as supervisory institutions, tax administration, law enforcement institutions, bailiffs, notaries, courts, non-judicial dispute resolution institutions;
13.3. persons providing consultations on financial and legal issues, performing Bank audits or providing other services to the Bank;
13.4. third parties managing registers (including databases of financial obligations and income, Register of Residents, Register of Legal Entities, Register of Real Estate, register of motor vehicles, joint files of debtors or other registers in which Personal Data are processed) or which mediate in the provision of Personal Data from such registers;
13.5. persons and companies carrying out debt collection, persons taking over rights and obligations under contracts, persons carrying out the administration of insolvency proceedings;
13.6. persons who ensure proper fulfillment of the Client’s obligations to the Bank, such as guarantors, pledgers, etc.; 13.7. other persons related to the provision of Services, such as providers information technology, telecommunications, archiving, postal services, providers of services provided to the Client, sellers and other authorized parties.
14. The Bank will not share more Personal data than necessary for the particular purpose of Processing. Recipients may Process the Personal Data as Data Processors and/or as Data Controllers. When the Recipient is Processing Client’s Personal data on its own behalf as a Data Controller, the Recipient is responsible for providing information to data subjects on such Processing of Personal data. In such case the Bank advises the Client to contact this Recipient for information on the Processing of Personal Data by the Recipient.
SECTION IV
IMPLEMENTATION OF THE RIGHTS OF THE DATA SUBJECT
15. The Bank ensures the implementation of the rights of the data subject, including the Bank’s employees, i.e. so that the data subject is guaranteed the following rights:
15.1. to receive information on whether the Bank processes his personal data and, if so, to get acquainted with them;
15.2. demand correction of his Personal Data, if they are incorrect, incomplete or inaccurate;
15.3. demand deletion of his Personal Data;
15.4. demand restrict the processing of his Personal Data;
15.5. not agree to the processing of his Personal Data, when the processing of Personal Data is based on the legitimate interest of the Bank;
15.6. to receive the Personal Data provided by him, which are processed on the basis of his Consent or contract performance, in writing or in a normal computer-readable format and, if possible, transfer such data to another service provider (right to data portability);
15.7. withdraw your Consent to process Personal Data; 15.8. not consent to be subject to fully automated decision-making, including Profiling, if such decision-making has legal consequences or similar significant impact on the Client. This right does not apply in the event that such decision-making is necessary for the purposes of concluding or executing a contract with the Client, is permitted by legislation or the Client has given explicit consent to it.
16. The data subject, who has submitted to the Bank a document confirming the identity of the person or in accordance with the procedure established by legal acts or electronic means of communication that allow the proper identification of the person, having confirmed his personal identity, has the right to familiarize himself with his data processed by the Bank and to receive information from which sources and what his personal data collected, for what purpose it is processed, to which data recipients it is provided and has been provided in the last one year.
17. The Bank, as a data controller, upon receiving a request from a data subject, shall immediately, but in any case, no later than within one month of receiving the request, provide the data subject with information on the actions taken upon receipt of the request in accordance with Articles 15-22 of the Regulation. That period may be extended by a further two months if necessary, depending on the complexity and number of requests. When the data subject’s requests are manifestly unreasonable or disproportionate, in particular due to their repetitive content, the Bank may either: (i) charge a reasonable fee, taking into account the administrative costs of providing the information or notifications or actions requested; or (ii) may refuse to act on the request.
18. If the data subject, having familiarized himself with his personal data, determines that his personal data is incorrect, incomplete or inaccurate, and applies to the Bank, the Bank immediately checks the Personal Data and, at the written request of the data subject, immediately corrects incorrect, inaccurate, supplements the Bank’s incomplete processed Personal Data and/or suspends the processing of such Personal Data, with the exception of storage, until incorrect, inaccurate, incomplete Personal Data is corrected or Personal Data is destroyed.
19. The Bank shall immediately notify the data subject of the performed or not performed correction, destruction or suspension of Personal Data at his request.
20. Information may be provided to the data subject orally, depending on his request, by allowing access to the document, by providing a certificate, an extract of the document or a paper copy of the document, electronic media, access to the information file. If the form of information submission is not specified in the request, the Bank shall submit it in the same form as the request was received.
21. The Client has the right to submit a complaint regarding the processing of Personal Data to the State Data Protection Inspectorate, whose website address is www.vdai.lrv.lt, if the Client believes that his Personal Data is being processed in violation of his rights and legitimate interests in accordance with the legislation governing the protection of personal data.
22. The Client has the right to apply to the Bank in order to submit requests, withdraw the given Consents, submit requests regarding the implementation of the data subject’s rights and complaints regarding the processing of Personal Data. The Bank’s contact details are published on the Bank’s website www.finorabank.eu.
SECTION V
FINAL PROVISIONS
23. The Bank has the right to unilaterally amend the Principles at any time, informing the Clients about it on the Bank’s website, by text message or e-mail no later than one month before the changes take effect, unless the changes are necessary to ensure compliance with legal acts