The Data Protection Policy of Debitum Collectio OÜ
1. General provisions
1.1. This data protection policy sets out the procedure and purposes for processing data at Debitum Collectio OÜ (registry code 16008417), seat at Lelle 24 (16th floor), Tallinn 11318.
1.2. In processing personal data, Debitum Collectio OÜ (hereinafter: Debitum Collectio) complies with the following principles:
– the principle of lawfulness and transparency – personal data may only be collected in an honest and lawful manner;
– the principle of purpose limitation – personal data may only be collected for specific, explicit, and legitimate purposes and may not be processed in a manner that is incompatible with the purposes of data processing;
– the principle of storage limitation – the data are stored only for as long as it is necessary for the purposes of processing;
– the principle of integrity and confidentiality – personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
1.3. The purpose of the data protection policy is to provide the persons whose personal data Debitum Collectio processes in its activities with information about the type of personal data, how and for what purpose Debitum Collectio processes the data, and what the rights of individuals are in relation to the processing of their personal data.
1.4. The disclosure of the data protection policy complies with the notification obligation under Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR).
2. Controller of the personal data
2.1. The controller of the personal data of the data subjects is Debitum Collectio.
2.2. Please address all matters related to the processing of personal data to Debitum Collectio by e-mailing a digitally signed inquiry to email@example.com.
3. Purposes and legal grounds for processing
3.1. Debitum Collectio specializes in debt collection services, i.e. in the provision of debt collection services to creditors. Debitum Collectio helps creditors collect their debts but does not acquire the claims themselves. Debitum Collectio processes the personal data related to the debt claim and the debtor on the basis of an authorization agreement concluded with its customer in order to perform this contract, based on Article 6(1)(b) of the GDPR. Consequently, Debitum Collectio acts as a processor and the creditor remains the controller of the data as the claim is not assigned.
3.2. Debitum Collectio also buys the customers’ debt claims, thus becoming a creditor itself. In such a case, Debitum Collectio processes personal data on the basis of the assigned agreement for the purpose of performing the agreement, based on Article 6(1)(b) of the GDPR.
3.3. Debitum Collectio provides its customers with a legal service, during which evidence is collected and documents are analyzed, including interaction with the persons interested in the service and sending notifications in connection with the provision of the service.
3.4. Debitum Collectio processes personal data for the performance of the obligations arising from the legislation in force in the Republic of Estonia, including the performance of obligations arising from the legislation on the prevention of money laundering and terrorism.
3.5. In the course of these activities, Debitum Collectio processes the contact information of natural and legal persons (both creditors and their employees; the debtor and its employees, as well as third-party/parties and the guarantor(s) involved in the debt proceedings and the provision of legal services) and the data relating to the claim to be purchased or processed.
3.6. In providing the debt collection service and in purchasing debt claims, Debitum Collectio processes the data relating to the financial situation and payment behavior of a debtor who is a natural person. This information is provided by the debtor himself/herself, the creditor, and public registers.
3.7. As an employer, Debitum Collectio processes the personal data of employees working on the basis of the Employment Contracts Act and the Law of Obligations Act of the Republic of Estonia.
3.8. Debitum Collectio may disclose on its website at https://dcollectio.ee/ and on the website of Creditinfo Eesti AS at https://www.e-krediidiinfo.ee/ the debtor’s payment default information in the interests of the reliability of the transaction turnover and in accordance with the GDPR, the Personal Data Protection Act and the current guidelines of the Data Protection Inspectorate.
3.9. Debitum Collectio will retain the personal data related to the provision of collection service and legal services and the acquisition and collection of debt claims for 15 years, pursuant to the provisions of §146(4) of the General Part of the Civil Code Act (the limitation period for a claim arising from a transaction is 10 years) and §10(2)5) (5 years) of the Personal Data Protection Act combined.
4. The main personal data processed are the following:
– Personal identification code
– Contact information
– Tax debt
– Payment defaults
– Data from public registers
– Situation of the person
– Data related to the customer contract
– Data on the debt (incl. invoices, contracts, amount of debt, amounts paid, agreements between creditor and debtor, and other certificates and documents necessary for the provision of collection and legal services)
– Information provided by the person or his or her representative.
5. Rights of the data subject, and access to the data
5.1. The data subject has the right to be notified of whether his or her personal data are being processed and if so, the data subject has the right to access his or her personal data.
5.2. The data subject has the right to request the rectification of inaccurate personal data concerning him or her without undue delay.
5.3. The data subject has the right to request the erasure of his or her personal data, for example, if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; the data subject withdraws his or her consent to the processing; or there is no right to process the personal data. Personal data will not be deleted if they are necessary for the performance of a legal obligation or a contract and for the exercise of a legitimate interest.
5.4. The data subject has the right to request the restriction of the processing of his or her personal data, e.g. for a period that allows Debitum Collectio to verify the accuracy of the personal data or to assess whether the data subject has the right to request the erasure of his or her personal data. Debitum Collectio will not continue to process personal data unless the data are processed for a valid legitimate reason that overrides the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
5.5. The data subject has the right to receive a copy of the personal data concerning him or her which he or she has provided to Debitum Collectio and has the right to transfer such data to another controller.
5.6. The data subject has the right to object at any time to the processing of personal data concerning him or her. To do this, a digitally signed request must be e-mailed to firstname.lastname@example.org. The request will be responded to no later than within one month after receipt of the request. The response time may be extended depending on the complexity and number of requests. Debitum Collectio will notify the data subject of the extension of the deadline.
5.7. The data subject has the right to turn to the Data Protection Inspectorate or a court at any time if he or she finds that his or her rights have been violated.