1. Data controller
Name: Finance Link Oy
Address: Mannerheiminaukio 1 B, 00100 Helsinki
Telephone: 09 77 44 740
2. Contact person for the register
Telephone: 09 877 44 740
3. Name of the register
Finance Link customer register
4. The purpose and legal basis for processing personal data
The register is used for the following purposes, and on the following legal grounds:
• Assessment of receivables, based on the data controller’s legitimate interest to assess creditworthiness of invoices before purchasing them.
• Collecting on purchased invoices, based on the credit relationship between the data controller and the subject as well as the data controller’s legitimate interest to collect on unpaid invoices.
• Payment reminder and collections service performed on behalf of the issuer of the invoice, based on the contractual relationship between the creditor and the data subject.
• Management of guarantees in connection to invoice financing, based on the data controller’s and the data subject’s contractual relationship (the guarantee), prior steps prior to performing the agreement, and the data controller’s legitimate interest to collect on the guaranteed debt.
• The processing of personal data is also for the data controller’s and its group companies’ legitimate interest to analyse its business activities, and to market and communicate about its services to the data subjects. In accordance with this legitimate interest, the personal data can be used to analyse the data controller’s business and its benefits, to develop statistics concerning the aforesaid and to market the products and services of the data controller. The personal data may also be used in the direct marketing of the data controller and its group companies.
• The data controller also has a legitimate interest to anonymise personal data for such purposes that are not incompatible with the aforesaid purposes.
• The customer register may also be used for storage, reporting and inquiry required by law or official regulation or guidance.
The data processing for the performance of an agreement between the data controller and subject is necessary for the performance of the data controller’s services and thus a requirement for their use.
5. Personal data collected
The below groups of data subjects are here collectively referred to as “customers” and the data stored as part of the “customer register”. The customer register may include the following information about the data subjects:
Personal data related to invoice receivables:
• The name of the contact person on the invoice
• The name of a sole trader business
• Invoice information and a copy of the invoice
• The communications between the data controller and the data subject
Personal data related to company customer contact persons:
• The name of the contact person
• Contact details such as address and phone number
• Invoice information and copies on invoices
• Information concerning marketing measures that have been or will be directed at the contact person
• Information concerning correspondence with the data subject, agreed-on next steps and similar information.
Personal data related to guarantors:
• Contact details
• Identifying information such as personal identity number
• Information concerning the guarantee
6. Regular sources of data
Personal data concerning receivables are generally collected from the issuer of the invoice, from which the data controller has purchased the invoice or on whose behalf the data controller is collecting on the invoice.
For company customers and guarantors the information is primarily obtained from the data subject him- or herself.
Information may also be obtained from credit-rating agencies such as Suomen Asiakastieto and Bisnode.
7. The time personal data is kept
The information will be removed from the register or anonymised as soon as they are no longer need for their stated purpose or for meeting requirements under law, regulation or other official source.
• Guarantor personal data
The data controller may process personal data related to guarantors for the duration of the guarantee relationship. During the guarantee relationship, the data controller will maintain the information and regularly remove information that has been found unnecessary. At the expiry of the debtor relationship, the information will remain in passive storage as required under the Accounting Act.
• Information concerning receivables
The data controller will actively process information concerning the receivable during the lifetime of the receivable, during which time it will maintain the personal data and regularly remove information that has been found unnecessary. After the receivable has expired, e.g., due to payment, the information will remain in passive storage as required under the Accounting Act, as of the date the invoice expired.
• Company contact persons
The data controller will actively process personal data concerning company contact persons in order to market its services and for the lifetime of any customer relationship. During the lifetime of a customer relationship, the data controller will maintain the personal data and regularly remove unnecessary personal data. After the expiry of any customer relationship, the personal data will be kept in passive storage for 3 years after the expiry of the customer relationship. If there is no customer relationship, the information will be kept for at most 3 years after any marketing or similar measure directed at the relevant contact person.
• Invoice information in connection to payment reminder and debt collection services
The data controller may process personal information in connection to debt collec-tion for the lifetime of its assignment.
At the expiry of the aforementioned periods, the data controller will remove information in a staggered manner in accordance with any statutory requirements, such as removing accounting materials within 10 or 6 years as provided for in the Ac-counting Act.
Legal restrictions on the retention of data do not apply to anonymous data.
8. Regular disclosures of data
Information concerning the customer is not disclosed to third parties
9. Transfers of data outside the EU or EEA
Personal data may be transferred to other companies in the same group. Personal data may also be transferred to service providers processing the data on behalf of the data controller.
Personal data is not transferred outside the EU.
10. Information security
Manual materials are kept in locked facilities. Any information will be dealt with on-ly by such members of staff who have a valid reason for doing so as part of their work functions.
Computer systems have been protected from outside access by several means. Each user has a personal username and password to sign on the system. The information may be accessed only by members of staff who must process personal data as part of their work functions, save for some basic information concerning customers (such as name, title, organisation, workplace contact details) that all members of staff have access to.
11. Automated decision-making
Personal data is not used for any automated decision-making that would have legal or equivalent consequences for the data subject.
The data controller uses external registers and the previous payment history of credit applicants in its decision-making:
- Information given by the applicant
- The credit information register of Suomen Asiakastieto Oy
- The personal credit information register of Bisnode Finland Oy
12. The data subject’s right to object to processing of personal data
The data subject may, on grounds related to his or her particular situation, object to profiling concerning him or her as well as to processing of personal data based on the data controller’s legitimate interest.
The data subject may object as described in section 16 of this policy. When making the objection the data subject must identify which particular situation he or she re-lies on to oppose the processing. The data controller may refuse to comply with the objection as provided for in law.
13. The data subject’s other rights in connection to personal data
Right of access: the data subject has the right to check what information concerning him or her has been recorded in the register.A request to do so should be made as described in section 16 below. The right of access may be declined in certain legally defined situations. Use of the right of access is mainly without charge.
Right to ask that data be corrected, removed or to have processing restricted: the da-ta subject has the right to have personal data that is contrary to the purpose of the register, incorrect, unnecessary, deficient or out-of-date corrected or removed. A request should be made as described in section 16 below.
The data subject also has the right to ask that the data controller restricts processing of personal data, e.g., where the data subject is awaiting the data controller’s re-sponse to a request concerning correction or removal of personal data.
The data subject’s right to data portability: To the extent the data controller processes information received from the data subject him- or herself and on the basis of the data subject’s consent or the performance of a contract between the data controller and the data subject, the data subject has the right receive a copy of the information, primarily in machine-readable format and to ask that the information be transferred to another system
Other rights: if personal data is processed on the basis of consent, the data subject may at any time withdraw the consent by notifying the data controller as described in section 16.
14. The data subject’s right to file a complaint with a supervisory authority
Should the data controller have failed to comply with applicable data protection rules, the data subject may file a complaint with the competent data protection supervisor.
15. Contacting the data controller
For all questions concerning personal data and the use of the data subject’s rights, the data subject should contact the data controller. This can be done by sending a letter or email to the contact person mentioned above.
The data controller may when provided for in law refuse the data subject’s request to use one of the rights explained in sections 13 and 14 above. Should the data controller refuse the request, it will provide its reasons for doing so via letter or email.