SMART FACTORING EOOD PRIVACY AND DATA PROTECTION POLICY
1. Purpose of the policy
Dear existing and potential customers,
Protecting your personal data is important to us. We have therefore taken the necessary legal, organisational and technical measures to process your personal data in a lawful, appropriate and transparent manner. This SMART FACTORING EOOD Personal Data Processing Policy explains what personal data we shall process about you; for what purposes and on what grounds the information shall be processed; what recipients we might provide it to and for what periods we shall keep it.
We encourage you to read this information carefully to learn more details about how your personal data is being processed when as a representative and/or employee of a customer, a potential customer, a person associated with a customer, a counterparty of a customer or a customer of our customer, a debtor of a customer, our partners, and visitors to our website. No matter the purposes and on the grounds your personal data is processed, SMART FACTORING EOOD will treat it with the same care. This document also contains information about your rights and how you can exercise them.
SMART FACTORING EOOD may update this privacy notice, the latest version of which can be found at: www.smart-factoring.com
SMART FACTORING EOOD shall notify you of any material changes to this information on its website or through another communication channel.
You can find more information about Bulgarian legislation on personal data protection on the website of the Commission for Personal Data Protection at: www.cpdp.bg
2. Administrator details
SMART FACTORING EOOD is a company registered in the Commercial Register at the Registry Agency with UIC 207214254. The registered office and the address of the registered office of “SMART FACTORING” EOOD (the Company) is located at: Republic of Bulgaria, Sofia, 1000, “Triaditsa” district, 2 “Positano” sq.
The Company performs the following business activities:
Factoring activity consisting of the acquisition of receivables arising from the supply of goods and/or services, collection of receivables, factoring operations to support intercompany commercial relationships, which includes the collection, management and redemption of payments, the financing of obligations with and without security, including the collection and closure of receivables granted by third parties, the obtaining and/or granting of commercial credit and loans related to the financing of private parties with the accompanying guarantees in agreements. To carry out the activities referred to in Article 2(2)(12) and Article 3(1), items 1 and 2 of the Credit Institutions Act, the company shall be entered in the public register of the Bulgarian National Bank.
The goal of SMART FACTORING EOOD is to support the financial stability, growth and success of Bulgarian companies in various sectors of the economy by providing them with opportunities to access working capital to meet their cash flow needs that will enable them to operate more efficiently, expand their customer base and increase sales and profits.
SMART FACTORING EOOD is a financial institution registered in the Register of Financial Institutions under Article 3a of the Credit Institutions Act.
For inquiries related to the processing of personal data, you can contact us at the following address: [email protected]
а. ‘Personal data’ means any information relating to an identified natural person or an identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, psychological, economic, cultural or social identity of that natural person.
b. ‘Processing of personal data’ means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
c. ‘Data controller’ means a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its determination may be laid down in Union or Member State law;
d. ‘Data processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
e. ‘Third party’ means a natural or legal person, public authority, agency or other body other than the data subject, the data controller, the data processor and the persons who, under the direct authority of the controller or the processor, are entitled to process the personal data;
f. ‘Special categories‘ of sensitive personal data are (‘sensitive personal data‘) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation;
g. ‘EU Regulation 2016/679‘ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
h. ‘Factoring‘ according to §1, item 11 of the Additional Provisions of the Corporate Income Tax Act, “factoring” is a transaction for the transfer of lump-sum or periodic cash receivables arising from the supply of goods or services, regardless of whether the person acquiring the receivables (the Factor) assumes the risk of collecting those receivables against remuneration.
4. Principles of data processing
SMART FACTORING EOOD, as a data controller, in compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability, processes personal data of the following categories of data subjects: individuals who are representatives and/or employees of, or are in any other legal or factual relationship with:
– our client;
– a potential client;
– a person related to our client or potential client;
– a contractor of our client or a client of our client;
– a debtor of our client
– our partners.
5. Types of personal data processed
SMART FACTORING EOOD may process various types of personal data relating to your physical, family or economic identity, grouped into the categories set out below. Personal data may be obtained from you or collected from third parties. Depending on the specific products and/or services you use, or the purposes for which you contact or relationship with the company, SMART FACTORING EOOD processes some or all of the data listed.
5.1 Personal data cathegories
5.2 In a number of cases we collect and process your data when you are not our customer.
In all instances where we access and process your data, we undertake to comply with the principles described in this document and the requirements of applicable data protection legislation.
5.3 Public data and data acquired through third parties
SMART FACTORING EOOD from time to time processes public information, such as:
SMART FACTORING EOOD may also receive your personal data from third parties, such as:
Please note that SMART FACTORING EOOD is an obligor within the meaning of Article 4 of the Anti-Money Laundering Measures Act (“AMLA”) and may collect and process copies of identity documents and other official documents in order to fulfil its obligations.
5.4 CCTV Footage / Security Camera Videos
SMART FACTORING EOOD may use security measures and CCTV cameras inside and outside its office premises. The Company fully complies with the statutory requirements for the installation and use of CCTV cameras. If CCTV cameras are installed in the Company’s office, you will be notified by a sticker displayed in a prominent position. The recordings from CCTV cameras inside and outside the Company’s offices (indicated by a sticker) are kept for 90 (ninety) days. They may be kept for longer in cases where:
5.5 Direct Marketing
We collect your personal data when you sign up for our newsletter, which is distributed as part of our email marketing program.
For direct marketing purposes, we use and process your data to inform you about our latest products and services and to offer you:
The information we hold about you consists of the data you have provided to us when using our products and services, such as that which we collect when you use information and communication technologies (for example: visit the Company’s website) to access our products, services and communication channels.
If you do not wish to receive marketing communications, you have the right to object to the processing of your personal data for direct marketing purposes at any time by sending an email to the following email address [email protected] or by standard mail to the Company’s physical address listed above.
6. Purposes and legal grounds under which SMART FACTORING EOOD processes personal data
The personal data collected by SMART FACTORING EOOD in its capacity as Data Controller is processed for different purposes and on different legal grounds as follows:
6.1 Purposes for which the basis for processing your personal data is an obligation arising from law (legal obligation):
On the legal basis of Art. 6, item “c” of EU Regulation 2016/679, the Company processes personal data in order to comply with the legal obligations imposed on it as a controller by the Credit Institutions Act, the Anti-Money Laundering Measures Act, the Anti-Terrorist Financing Act, the Tax and Social Security Procedural Code, the Commercial Act, the Obligations and Contracts Act, the Civil Procedural Code, the other applicable legal and regulatory framework governing the Company’s activities, as well as the country’s financial, tax, legal and regulatory framework.
a. Establishing the identity of the person representing the client and verifying his/her identification – the basis for processing data for this purpose is the AMLA and its Implementing Rules.
b. Implementation of controls to prevent money laundering, embargo and anti-terrorist actions – The processing of your data is related to measures and actions taken by the Company to prevent, detect, investigate and report suspicious transactions to the financial intelligence authorities under the AMLA and its implementing regulations.
c. Provision of information required by the Bulgarian National Bank in connection with the implementation of supervisory actions against the Company as a financial institution entered in the Register of Financial Institutions under Article 3a of the Credit Institutions Act.
6.2 Purposes for which the processing of your personal data is based on the performance of a contractual relationship:
SMART FACTORING EOOD processes your personal data in accordance with Art. 6, item “b” of Regulation (EU) 2016/679 where the processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the person to conclude a contract. Where you take steps to enter into a contract with the Company and/or enter into a contract with the Company, it is necessary for you to provide information constituting personal data in order for the Company to take the steps to provide the product or service you wish to be provided with the contract. Failure to provide your personal data will result in the controller being unable to provide the services you have requested by taking steps prior to entering into a contract
а. Drafting up contracts at your request – in order to conclude a contract with you, as a debtor or guarantor (natural person) under a factoring contract, the Company must have your specific personal data (e.g. name, date of birth, ID number, ID card number), as well as your contact details. The Company may also request additional information from you, conditional on the nature of the services covered by the contract.
6.3 Purposes for which the processing of personal data is based on consent obtained from the customer:
By way of exception, SMART FACTORING EOOD may process your personal data pursuant to Art. 6, item “a” EU Regulation 2016/679, for example, when conducting seminars, awareness campaigns, distribution of specialized and focused information materials, conducting product or market research, marketing activities (direct marketing).
а. Sending marketing information (direct marketing) – to send you relevant notifications and/or our email – newsletter/communications/updates relating to our business that may be of interest to you, by post or, where you have expressly consented to this, by email or similar technology that you have specifically requested, if you have requested it (you can inform us at any time if you no longer require marketing information. Please refer to section 5.5 listed above).
6.4 Purposes for which the processing of personal data is based on the legitimate interests of the data controller (legitimate interest):
а. Collection/recovery of acquired receivables under factoring contracts.
b. Assignment of acquired receivables under factoring contracts to third parties.
c. Litigation – Establishing, exercising and protecting the rights of SMART FACTORING EOOD – The Company processes the data of its customers in order to protect its rights in court/litigation, in the settlement of claims, including with the help of external lawyers/lawyers, etc. This is the case where your personal data is processed in connection with the administration of information concerning litigation, court orders, applications and judgments
d. Internal reporting, analysis and development of products and services offered – The Company uses the personal data of its customers in order to improve its market position by offering new or better services and innovative products while optimizing internal processes.
e. Risk assessment as a fraud prevention and detection measures – The Company processes customers’ personal data to protect against fraud or criminal activity on their part. The Company has the right not to partner with high-risk customers who put its reputation at risk. Based on certain facts (e.g. fake ID, certain customer behaviour) the Company assesses the risk of potential fraud. Certain indicators of the relevant customer profile, as well as any other information (e.g. a stolen ID card) that is an indicator of potential fraud, may be used to make such an assessment. Fraud prevention and detection measures are implemented in the context of implementing internal security rules, exercising control, ensuring reliable protection of information stored on physical and electronic media. The implementation of these objectives is necessary to protect the Company’s legitimate interests as a data controller, which interests are related to its core business as a factoring company.
е. Security and access control, audio and video surveillance, audio and video recording for security purposes, anti-fraud, records of conducted communication
7. With whom can we share your data?
7.1 Public authorities, institutions and establishments that supervise the Company’s activities or compliance with legislation applicable to the Company. These may include, for example:
7.2 Natural or legal persons in the performance of the legal or contractual obligations of the data controller. Where the third parties with whom we share your personal data act as a data processor on behalf of the Company or as a joint controller with the Company, we enter into the relevant required contracts in order to protect your personal data and comply with applicable law.
7.3 We may share data with other companies in the international group that have offices and people around the world and primarily in the United States of America, Costa Rica, China, Vietnam, the Republic of Cyprus, Bulgaria, Malta, Rwanda and Nigeria. The information we collect may be stored, processed and transferred between each of the countries in which we operate to allow us to use and process the information in accordance with this policy
7.4 Recipients outside the European Economic Area (EEA)
Personal data may be transferred outside the country in which it was collected and/or processed for the legitimate interest of the Company related to its activities, in accordance with applicable law. In addition, to the extent permitted by applicable law, the Company may store and/or process Personal Data in facilities operated by third parties on behalf of the Company outside the country in which the Personal Data was collected and/or processed. Countries outside the European Economic Area (“EEA”) do not always have strict data protection laws. Where the Company transfers personal data from the EEA to other countries where the applicable laws do not offer the same level of data privacy protection as is specified in the EEA, the Company shall take measures to ensure an appropriate level of data privacy protection. For example, the Company uses approved model contractual clauses, other measures designed to ensure that recipients and/or processors protect personal data).
8. Retention periods for personal data
SMART FACTORING EOOD processes and stores your personal data for the periods set out in the applicable legislation and in the SMART FACTORING EOOD Data Storage, Archiving and Destruction Policy.
1. Personal data related to/contained in documents relevant for taxation and compulsory social security contributions shall be stored by the obliged person for the following terms:
– accounting records and financial statements: 10 years;
– documents for tax and social security control: 5 years after the expiry of the limitation period for repayment of the public debt to which they relate;
– all other information carriers: 5 years.
2. Personal data related to the performance of the Company’s obligations under the AMLA: for a period of 5 years from the date of termination of the relationship or from the date of the incidental transaction/operation. Upon written instruction of the Director of the Financial Intelligence Directorate of the State Agency for National Security, the term may be extended by no more than two years where proportionate and justified by the need to take appropriate action to prevent or counter money laundering or terrorist financing.
3. Personal data relating to the assertion of claims or the exercise of rights: 5 years from termination of the contract or collection of the receivables.
Personal data of potential customers is used by the Company for a period of 2 years from the last contact with the individual. Potential customers may always request that their data be deleted.
The time limits may be extended further, for example in the case of ongoing criminal investigations, court and arbitration proceedings, suspension/interruption of limitation periods, and in the case of compliance with orders of public authorities.
9. Rights of data subjects
As a data subject, you may exercise the following rights, subject to the conditions under EU Regulation 2016/679:
9.1 Right of access – Upon your request as a data subject, the Company is obliged to provide you with information on the categories of personal data relating to you that are collected and processed by the Company, as well as on the purposes for which they are processed, on the recipients or category of recipients to whom your personal data is provided, on the sources from which the data was obtained, except where it is collected directly from you.
9.2 Right to rectification and right to erasure (right to be forgotten) – At your request, the Company shall rectify, erase or suspend the processing of your personal data if there is a case in which its processing is unlawful or the legal basis for its processing has ceased. In such cases, the Company shall notify any third party to whom your personal data has been disclosed of any corrections or erasures it has made, as well as of the cases of suspension of processing of your personal data
9.3 Right of restriction to data processing – You have the right to request restriction of data processing whereby:
– You contest the accuracy of the personal data; In this case, the restriction of processing applies for a period that allows the controller to verify the accuracy of the personal data;
– the processing is unlawful, but you do not wish the personal data to be erased, but request instead a restriction on its use;
– The Company no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims;
– You have objected to the processing on the grounds of the legitimate interest of the Company and an investigation is underway to determine whether the legitimate grounds of the controller override the interests of the data subject.
Where processing is restricted, such data shall be processed, with the exception of their storage, only with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the defence of the rights of another natural person, or for important reasons of public interest. Where a data subject has requested the restriction of processing, the Company shall inform him or her before the restriction of processing is lifted
9.4 Right of portability of personal data – As a data subject, you have the right to request to receive the personal data relating to you that you have provided to the Company in a commonly used, structured and machine-readable format and you have the right to transmit/transfer that data to another Data Controller without the Company, as the Data Controller to whom you have provided your data, creating obstacles for you where the basis for the processing of the personal data is consent or a contractual obligation and the processing is
9.5 Right to object – As a data subject, you have the right to object to the processing of your personal data where the processing of your data is based on a legitimate interest of the Company. The Company shall consider the objection and provide you with its opinion. After considering the objection, the Company shall, as a matter of principle, suspend the processing of your personal data, and notify all interested parties to whom the personal data have been transferred of the objection received and of the measures taken in this respect. In some cases, however, the Company has a compelling legal basis to continue processing your personal data even after receiving your objection (e.g. in the case of lawsuits, surveillance in case of suspected fraud, etc.). In these cases, the Company will contact you to clarify the reasons why it will continue to process your personal data.
9.6 The right not to be a subject to a fully automated processes involving profiling
9.7 The right to withdraw your consent to the processing of your personal data.
9.8 Right to file a complaint with the Commission for Personal Data Protection (CPDP) – As a data subject, you have the right to file a complaint with the Commission for Personal Data Protection (CPDP) against the actions of the Company in relation to the processing of your personal data.
10. Exercise of rights.
Each data subject may exercise his/her rights by submitting a written request/notification to the Company in free text or in a form form attached to this Policy (Annex No. 1 Request for Exercise of Data Subject Rights). A request/notification may be submitted:
A response to your request/notification will be made without undue delay, within one month of receipt of the request/notification, unless an extension of time is required, for which the Company will notify you in a timely manner. The response will be sent/delivered to the address or by the method specified by you.
In the cases where you exercise your rights as a data subject, it is necessary to prepare a detailed description of your request in the request/notification submitted to the Company. When exercising your rights, the Company needs to verify your identity so that it does not appear that someone else is trying to impersonate you. For this purpose, the Company may ask you for an ID card or other identification when providing you with the information you have requested.
You may ask in writing various questions related to the processing of your personal data by the Company, both at the Company’s office and electronically at: [email protected].
In case you disagree with the Company’s opinion on the submitted request/notification or wish to obtain more information, please visit the website of the Personal Data Protection Commission: www.cpdp.bg, where you could file a complaint.
The exercise of your rights may not contradict the provision of your personal data to the competent authorities for the prevention, investigation and detection of criminal offences.
11. Policy approval and amendment.
The POLICY FOR CONFIDENTIALITY AND PROTECTION OF PERSONAL DATA OF SMART FACTORING LTD is approved by the Managers of the Company. Amendments and additions to this policy shall be made by resolution of the Company’s Managers.
This Policy, as well as notices of amendments and supplements thereto, shall be disclosed on the Company’s website www.smart-factoring.com.