Valid from: 12 January 2022
- EfTEN implements appropriate organisational, physical and information technology security measures to ensure the protection of Customer Data from improper Processing, disclosure or
- EfTEN only allows access to Customer Data to appropriately trained employees and processors and requires them to comply with appropriate confidentiality and security measures. An employee is entitled to process Customer Data only to the extent necessary for the performance of their assigned tasks.
- EfTEN and EfTEN’s employees will keep the Customer Data confidential and will be liable for any breach of this obligation.
- For the purposes of this procedure, capitalised terms have the following meanings:
- The Data Protection Regulation is Regulation (EU) 2016/679 of the European Parliament and of the Council;
- EfTEN means EfTEN Capital AS and the funds and other legal persons managed by EfTEN Capital AS, in which EfTEN Capital AS directly owns more than 50% of the shares or interests of the respective legal person or over which EfTEN Capital AS otherwise has
- A Customer is a natural or legal person who has expressed a wish to use an EfTEN service or who uses or has used an EfTEN service or who is otherwise connected to a service provided by EfTEN or who visits the EfTEN websites.
- Customer Data means any information about the Customer that is in EfTEN’s possession (including the personal data, contact details, transaction data, etc. of the Customer and the Customer’s representatives), as well as information collected from public databases and public channels and information lawfully obtained from third parties (e.g., registers, the Customer’s business partners).
- Processing means any operation that is performed with Customer Data, including the collection, storage, retention, organisation, use and transfer of Customer Data.
- For the purposes of this procedure, capitalised terms have the following meanings:
Types of Customer Data, purposes of Processing and legal basis for Processing
- EfTEN collects Customer Data from the Customer as well as from third parties (including public and private registries and, with the Customer’s consent, e.g., from the Customer’s business partners and other persons) when the Customer uses, has used or intends to use EfTEN’s services or visits EfTEN’s websites.
- For the Processing of Customer Data based on the Customer’s consent, EFTEN will ask for consent on the relevant application or requests, and will allow the Customer to give their consent
- The types of Customer Data processed are in primarily (but not limited to) the following:
- personal data, including name, personal identification code, date of birth, place of birth, nationality, identity document details, residence, language of communication, field of activity, place of work, profession, education, marital status, dependants;
- contact details, including address, telephone number, e-mail address;
- financial data, including income, liabilities, past payment history, assets, debts, including data from payment default registers, current account details and transactions on the current account, pension register details;
- data relating to securities, including number of shares or units, securities transactions, securities orders, securities information, value of transactions, quantity, volume, LEI code, suspicious transactions;
- tax residence details, including country of residence, tax identification number;
- origin of assets, including beneficial ownership, details of the Customer’s counterparties and business activities;
- data relating to transactions and contracts, including data relating to contracts concluded, amended or terminated, performance of contracts with the Customer and data relating to breaches;
- data on Customer behaviour and satisfaction, including enquiries and complaints made, services used, responses to surveys;
- data relating to participation in consumer games and promotions, including data on prizes won in consumer games and on participation in promotions;
- data relating to reliability, including payment history, data related to money laundering, terrorist financing or organised crime;
- data related to customer communication, including communication-related data pertaining to visits to EfTEN’s websites and other EfTEN communication channels (telephone, email, messaging, social media, etc.), visual and/or audio recordings collected when the Customer visits EfTEN’s offices or other places where EfTEN offers its services;
- details of the insured event, including the description, time and place of the event, cause of damage, persons who sustained damage, photos and documents of the damaged object;
- data obtained in the course of carrying out a legal obligation, including data resulting from inquiries by investigative bodies, notaries, tax authorities, bailiffs and courts, and from claims by bailiffs.
- EfTEN Processes Customer Data for the following purposes and on the following bases:
- Establishing customer relationships and communicating with the customer, identification purposes, identifying the beneficial owner, applying the ‘know your customer’ principles (basis: contract or performance of legal obligation);
- Customer profiling, the assessment of certain personal characteristics of a Customer in order to analyse, e.g., the Customer’s economic situation, preferences, interests. EfTEN uses profiling, e.g., for risk assessment, legal compliance, due diligence, compliance with requirements of anti-money laundering and combating the financing of terrorism, suitability and appropriateness assessment, probability of insolvency assessment, direct marketing, (basis: EfTEN’s legitimate interest, the performance of legal obligations, or the Customer’s consent).
- Provision of services of a management company, including risk mitigation and risk management (basis: contract or performance of legal obligation or legitimate interest of EfTEN);
- Assessment of the Customer’s solvency (basis: contract or performance of legal obligation);
- Conclusion and performance of a contract to be concluded or already concluded with the Customer (basis: contract, performance of legal obligation or legitimate interest of EfTEN);
- Responding to Customer inquiries and applications (basis: contract, performance of legal obligation or legitimate interest of EfTEN);
- Analysis of customer relations, correction and updating of customer data; compilation of statistics (basis: contract, performance of legal obligation or legitimate interest of EfTEN);
- Provision of services, marketing (including direct marketing via the website contact form) and development of services (basis: performance of legal obligation or EfTEN’s legitimate interest or the Customer’s consent). Customer Data collected through the website contact form for marketing purposes will be used to contact the Customer for marketing purposes, if, based on previous contact by EfTEN, it can be assumed that the Customer is interested in the respective offer and has not expressed dissatisfaction or objection to such contact. The Customer has the right at any time to prohibit the processing of their data for direct marketing purposes, as well as to refuse advertisements and offers by informing EfTEN thereof. Information about the possibility to opt-out of advertising and offers is also included with the respective offer or advertisement. At that, general and/or introductory or additional information about EfTEN’s services, or information about changes to the (contractual) terms and conditions, or information related to the performance of the contract concluded with the Customer (e.g., notifications about arrears, termination of the contract, etc.) is not considered marketing. The Customer cannot generally refuse to receive such information;
- Use and improvement of EfTEN’s websites, including website traffic statistics using Google Analytics, Facebook Pixel with the aim of improving user experience on the website and for more effective marketing activities (basis: EfTEN’s legitimate interest, the performance of legal obligations, or the Customer’s consent);
- Carrying out prize draws and surveys (basis: EfTEN’s legitimate interest or the Customer’s consent);
- Protection of persons and property (basis: contract, performance of legal obligation or legitimate interest of EfTEN);
- Debt management and claims handling (basis: contract, performance of legal obligation or legitimate interest of EfTEN);
- Performance of legal obligations, including obligations under the Money Laundering and Terrorist Financing Prevention Act, transaction monitoring, suitability assessment (basis: performance of legal obligation).
- Cookies are used to collect information about how the Customer uses the website in order to make the website work more efficiently and to provide the Customer with a better user
- Users can delete and/or block cookies stored on their devices by changing the relevant settings of their browser. If Cookies are not used, the website may not function as intended and/or some functionalities may not be available to the Customer.
- In addition, websites may use pixels (pixel tags, web beacons) to track the use of the website, in which case no personally identifiable information is processed.
Video surveillance and video recordings
- EfTEN uses video surveillance for the protection of persons, property and detect offenses. The camera does not record sound or monitor a specific person, but only a specific area (e.g., a courtyard, a public area in a shopping centre, entrances, parking lots, bicycle storage areas) and what is happening The security camera only monitors the area that needs to be filmed to fulfill the purpose. On the territory of the property or in the building where a security cameras is installed, information about the presence of cameras is displayed. If the customer is allowed to see a snapshot of the specified area from the video camera through the software application (app), the corresponding information is also marked in the app. In no case is it possible to follow persons out of curiosity or just in case.
- The controller of the video recordings resulting from video surveillance and of the Customer Data processed through the video recordings is the respective subsidiary of the EfTEN Fund, that is the owner of the security cameras located on the respective property.
- Access to video recordings is restricted to EfTEN employees and security service providers who have the right to access the video recordings in the course of their functions or duties.
- As a rule, video recordings will be kept for a maximum of 30 calendar days, unless the need for longer storage is related to ongoing proceedings for the protection of persons and property, or is due to a longer time limit laid down by law.
- A person has the right to access the recording concerning them by submitting a written request to the controller. The person may put in a request for a copy, which will be reviewed within 30 (thirty) days and, if possible, a decision will be taken to issue a copy in accordance with § 24 of the Personal Data Protection Act. The controller is under no obligation to grant a request for a copy in every case and at all times. For example, the recording may contain personal data of other persons, in which case they have the right to refuse to give a copy. When a copy is issued, all third parties must be rendered unidentifiable, the costs of which are to be borne by the person requesting the copy.
- The original version of the security camera recording may be handed over in the course of the offence proceedings, at the request of the authority prosecuting an offence pursuant to law.
Transmission of Customer Data
- EfTEN discloses and/or transmits Customer Data:
- to funds belonging to the same group as EfTEN or that are under its management, including subsidiaries of the funds, in order to comply with the requirements necessary for risk management and mitigation and other statutory requirements, including due diligence measures provided for in the Money Laundering and Terrorist Financing Prevention Act; to enter into and perform contracts; to prepare reports and conduct statistical research and analysis on customer groups, market shares of the service and other financial indicators; or to design and develop EfTEN’s information systems. Data is transferred either to comply with a legal obligation (e.g., risk management, identification), for legitimate interest (e.g., updating of Customer Data) or with the consent of the Customer;
- to service providers to whom EfTEN has subcontracted its activities (e.g., administrative service providers, internal audit service providers, marketing service providers, server and cloud service providers, email service providers, monitoring service providers, e-invoicing partners, insurance and claims handling partners, archive service providers, debt collection partners). In such cases, the partners act as EfTEN’s processors and have no separate right or legal basis to process Customer Data. All Processing of Customer Data is carried out on behalf of and under the responsibility of EfTEN;
- to persons and organisations involved in the provision of services and the performance of contracts with Customers (e.g., lenders, guarantors, security holders, and credit institutions). Data is transferred for the purpose of performance of a contract concluded with the Customer, for the transfer of a contract concluded with the Customer or for the assignment of contractual claims or in case of breach of contract by the Customer; as well as on the basis of a legitimate interest of EfTEN or a third party. These persons process Customer Data in accordance with their own rules and under their own responsibility;
- to EfTEN consultants or other service providers (e.g., auditors, legal advisors). Customer Data is transferred to EfTEN for the purpose of providing services, including representing EfTEN in litigation, providing legal advice, and auditing. The legal basis for the transfer of data is the legitimate interest of EfTEN;
- to persons keeping registers (e.g., civil registers, business registers, credit registers, payment default registers). Data is transmitted and inquiries are made on the basis of legislation or a contract concluded with the Customer in order to ensure and verify the accuracy and integrity of the Customer Data or the implementation of pre-contractual measures or the performance of a contract concluded with the Customer and the updating of data; as well as to enable third parties to assess the Customer’s payment behaviour and creditworthiness;
- in the event of assignment of a claim to a new creditor;
- to other persons on the basis of the Customer’s voluntary consent.
- To perform concluded contracts, EfTEN may use third parties outside the Republic of Estonia who Process Customer Data in accordance with the law of their country of location.
- EfTEN is obligated to disclose and transfer Customer Data to comply with its obligations under applicable law (e.g., to law enforcement authorities, civil law notary, bankruptcy trustee, Tax and Customs Board, Financial Intelligence Unit, and the Financial Supervision Authority).
- As a general rule, EfTEN will not transfer Customer Data outside the European Economic Area, unless there is a legal basis for doing so and by implementing measures to ensure secure data transfers and, where possible, equivalent protection of Customer Data as that which applies within the European Economic Area. If equivalent safeguards cannot be applied, the Customer Data will be disclosed, if necessary, for the performance of a contract with the Customer, or at the Customer’s request.
- EfTEN discloses and/or transmits Customer Data:
Retention of Customer Data
- EfTEN will not Process Customer Data for longer than is necessary to fulfil the aims of the Processing of such data.
- EfTEN generally retains Customer Data until the expiry of the limitation period for any claims arising from the customer relationship, unless the law imposes an obligation to retain Customer Data for another period.
Rights of the Customer in relation to the Processing of Customer Data
- The Customer is entitled to:
- be informed whether EfTEN Processes Customer Data relating to them, and to receive a copy of their own Customer Data when EfTEN Processes the Customer Data. The Customer’s right to access their Customer Data may be limited by law, the rights to privacy of others, and EfTEN’s rights;
- request the correction of inaccurate or incomplete Customer Data if it has changed or is otherwise inaccurate. In the event of a change in the Customer Data, we request that you notify EfTEN thereof immediately and, upon EfTEN’s request, provide a document proving the change in the Customer Data;
- not to allow the use of their Customer Data for sending offers. To this end, the Customer has the possibility, for example, to remove themselves from the relevant list upon receipt of a marketing letter or offer, or to contact the relevant EfTEN company of which they are a Customer;
- withdraw the consent given to EfTEN for the Processing of Customer Data. In such a case, the lawfulness of the Processing carried out prior to the withdrawal of consent is not affected by the withdrawal of consent. In the event of withdrawal of consent, EfTEN will no longer Process the Customer Data for the purposes for which it was processed on the basis of the Customer’s consent;
- object to the Processing of their Customer Data, if EfTEN processes these data on the basis of its legitimate interest. In such a case, EfTEN is not entitled to further process the Customer Data, unless the interests of EfTEN outweigh the possible interference with the rights of the Customer (e.g., performance of legal obligations);
- request the cessation of the Processing of their own Customer Data if the Processing of Customer Data is unlawful, i.e., EfTEN has no legal basis for the Processing of such data;
- request the erasure of their own Customer Data, for example, if EfTEN does not have the right to Process such data or Processes data on the basis of the Customer’s consent and the Customer withdraws their consent. Erasure cannot be requested when or to the extent that EfTEN has the right or the obligation to process the Customer Data (e.g., to comply with a legal obligation, to perform a contract, to pursue a legitimate interest of EfTEN);
- request the restriction of Processing of their own Customer Data, e.g., at a time when EfTEN is assessing whether the Customer has the right to have their Customer Data erased;
- receive their Customer Data which they have provided to EfTEN and which is Processed on the basis of consent or for the performance of a contract, electronically in a commonly used machine-readable format and, if technically feasible, transmit such data to another service provider;
- in the event of a request for modification or correction of data, complaints or questions, the customer has the right to contact EfTEN companies at the following contact details: EfTEN Capital AS, address Lauteri 5, Tallinn 10114, phone 655-9515, e-mail email@example.com.
- Contact details of the Data Protection Specialist assigned to the Customer:
Data Protection Specialist in Estonia: letter designated ‘Data Protection Specialist’, e-mail firstname.lastname@example.org; Data Protection Specialist in Latvia: letter designated ‘Data Protection Specialist’, e-mail email@example.com; Data Protection Specialist in Lithuania: letter designated ‘Data Protection Specialist’, e-mail firstname.lastname@example.org.
- EfTEN responds to the Customer’s request relating to Customer Data without undue delay, but no later than one month from the date of receipt of the request. If the circumstances require clarification or additional explanations prior to responding to the Customer’s request, EfTEN may extend the deadline for responding based on the circumstances, also informing the Customer of the extension of the deadline for responding.
- Disagreements over the processing of personal data are resolved primarily through negotiation. Failing that, one can lodge a complaint with the Data Protection Inspectorate (Tatari 39, 10134 Tallinn) or a complaint with the court.
- The Customer is entitled to: