ESTATEGURU PRIVACY RULES
Effective as of 25.05.2018
This privacy notice explains what personal data is, which portal user’s personal data and on what grounds is processed by EstateGuru (hereinafter: portal operator), what are the user rights in relation thereto and which means EstateGuru has implemented to ensure the protection of user’s personal data.
The person responsible for processing of personal data is EstateGuru OÜ (address: Tartu mnt 2, Tallinn, 10145, Estonia; registry code: 12558919); in certain cases the person responsible for personal data processing can also be another person affiliated to EstateGuru (e.g. EstateGuru marketplace limited, which administers some of EstateGuru’s cross-border projects).
The portal operator processes user’s personal data in fairly, in the manner and scope permitted by EU and Estonian legislation.
When processing user’s personal data, the portal operator and its employees apply all due diligence and security measures so as to ensure its exclusively purposeful processing and protecting personal data from unintentional or unauthorised processing, disclosure or destruction. The data is processes exclusively for the purpose for which the data has been collected.
The portal operator provides access to the user’s personal data only to its employees, who undertake to keep the personal data confidential throughout the duration of their employment in the organisation as well as after the termination of the employment relationship in accordance with the non-disclosure agreement concluded with them. The portal operator does not allow access to the user’s personal data or to the data bases reflecting these data to unauthorised third persons.
Personal data and its processing
Personal data are all data directly or indirectly related to a physical person which makes possible identification of this person (more detailed information is available here: http://www.aki.ee/et/mis-isikuandmed). Processing of personal data is, above all, the collection, recording, storage, organisation, usage, amendment, transmission, disclosure and deletion of personal data, but also other personal data processing activities set out by law.
In the provision of its services, the portal operator processes the following user’s personal data:
- personal data enabling personal identification (first and last name, personal code and/or date of birth, age);
- additional data enabling personal identification (personal ID number and type, date of issue and validity of an ID, person’s photo and sex);
- user’s residence address, citizenship;
- user’s professional activity;
- preferred language of communication;
- data regarding whether the user is a politically exposed person (PEP);
- contact details (phone number, e-mail address etc);
- bank account information (IBAN, Swift, name of the bank);
- data regarding user’s computer IP-address;
- data regarding the creation of the user account and user’s activities with regard to using the account (time and number of log-ins, also the fact of log-ins via Facebook, Linkedin or other third-party service provider and the so-called log-in token);
- financial data (incl. data relative to the origin of user’s funds and financial transactions made via the portal, but also user’s preferences with respect to transaction profiles and user’s settings for automatic placement of user’s funds into loan transactions);
- data relative to the agreements concluded by the user via the portal;
- if the user is a legal person, then the data about the physical person representing the user;
- if the user is a legal person, then data about its owners and/or management board members (data which makes possible personal identification as described above).
The portal operator processes personal data, amongst others, for the purpose of improving the portal’s user experience, incl. the performance of the transactions with or between the users, but also with the objective of performing the portal operator’s requirements arising from law.
The processing of personal data may take place only in case it corresponds to at least to one condition stated in the EU general regulation. The portal operator processes user’s personal data on different legal grounds depending on the objective of processing. First and foremost, the portal operator processes personal data on the grounds set out below. This is not an exhaustive list of the objectives for the personal data processing because due to specific circumstances it may be needed to promptly process data to fulfil other objectives, which, however, are in accordance with at least one of the objectives set out by the general regulation.
- Execution of a concluded agreement or taking measures prior to the conclusion of an agreement
Precontractual relations with a person willing to become a user. The portal operator applies due diligence measures derived from the money laundering and terrorism financing prevention act (KYC or know-your-client principle) prior to concluding an agreement and granting the user an access to the portal, in order to qualify for Finance Estonia Good Practise label. To implement KYC measures the user’s personal data is collected to the extent required by the money laundering and terrorism financing prevention act, incl. data ensuring client’s personification and additional data for identification, data relative to the user’s place of residence and citizenship, profession (occupation) and also data regarding whether the user’s is a politically exposed person. If the user is a legal person, then data regarding the physical person representing the user (incl. the link between the physical person and the company) and data about user’s owners and board members. The personal data is collected by the portal operator or its authorised person (see for more detail “Transmission of data”).
Processing of personal data of a user who is a physical person or a physical person representing a user. The processing of the portal user’s data is performed for the purposes of concluding and executing the agreements between the portal and a user or between users. The portal operator processes users’ personal data in relation to the agreements between the user and the portal or between different users. The processing of personal data on the basis of an agreement is performed exclusively for the performance of the tasks of the portal, incl. with respect to loan agreement intermediation authorised by the lenders, the intermediation of the performance of the monetary obligations arising from the loan agreements and enforcement of the claims on behalf of the lenders. When registering as a user also the legal persons have to provide the personal data of the physical person who is acting as their representative. Also the processing of personal data of such representatives is performed with the objective of the execution of a contract (for the portal operator such person is a contact person of its user). For the purposes of conclusion and performance of an agreement the following personal data is processed: the data ensuring the identification of the user, preferred language of communication, bank account details, financial data, contact details, communication between the portal and the user, data relative to the agreements entered into by the user. If the user is a legal person, then data regarding the physical person representing the user (incl. the link between the physical person and the company) and data about user’s owners and board members. The data is collected and processed by the portal operator.
The personal data collected for the purposes of the execution of an agreement is stored for 7 years after the performance of the agreement in case of loan agreements (for accounting purposes) or counting from its cancellation. The data collected for the purposes of performing KYC measures is stored for 5 years after the termination of the business relationship.
- For the performance of an obligation arising from law
If the portal operator has an obligation arising from law to process personal data, the portal operator cannot withhold from processing of the personal data and the user cannot prohibit processing of the personal data on these grounds. The grounds for personal data processing arising from law are the following:
Accounting. For the purposes of accounting the portal operator processes user’s personal data enabling identification, financial data and data relative to bank account. Due to the accounting obligations all the agreements are stored for at least 7 years counted from the termination of a contractual relationship.
Submission of data to state institutions. The portal operator may be obliged to transmit the personal data to state institutions (incl. Police and Border Guard Board, Tax Board etc). The user is notified of the communication of its data unless user’s notification is forbidden by law (e.g. transmission of personal data upon the request from the financial intelligence unit).
- Legitimate interest
KYC measures. The portal operator may also request from the user personal data not mentioned above or collect data from the sources allowed by law (incl. through media, internet and social networks, or other public sources) upon implementing the KYC measures during the precontractual negotiations to establish the user’s suitability or to ask data upon concluding of loan agreements with respect to the origin of the funds disposed to implement the KYC measures during the contractual relations. Due to the fact that the service provided by the portal operator, which consist in credit intermediation to legal persons, the portal operator is not subject to the rules with respect to KYC measures arising from the anti-money laundering and terrorism financing act. The portal operator implements these measures voluntarily in line with Finance Estonia good practise.
Dispute resolution. In case of court or out-of-court disputes the portal operator may process personal data and documents relevant to the dispute in its own name or in the interest of the users. Where necessary, the portal operator may store the data and documents relevant to the dispute longer if so requires the minimal storage time for the personal data and documents provided by law. The necessity of such data and document storage is assessed periodically.
Security. In order to ensure user’s personal data security the portal operator implements security measures which help to ensure the security of the data.
Satisfaction surveys. To develop its service or to administer the client relationship the portal operator may contact the user using the contact details provided by the user to the portal. The portal operator may organise satisfaction surveys to analyse user’s satisfaction and preferences with regard to products and services that the user is using or has used, which are provided by the portal operator or its concern undertakings, so as to ensure effective development of the products and services.
Customer service and customer notification. The portal operator may transmit to the user also the information regarding the administration of his/her loan agreements (general information about user’s activity on the portal, information and notification regarding user’s investments and payment transactions) also information about the new projects on the portal. In case of personal data processing on the grounds of legitimate interest no data subject consent is necessary. However, the portal operator has created an option for the user to control the actions taken for the processing of personal data on these grounds and if necessary, to refuse the transmission of information.
The present list of grounds for the personal data processing on the ground of legitimate interest may not be exhaustive; in accordance with the legislation, and if necessary, the portal operator may process personal data for other purposes. The user always has the right to request additional information and to file objections where the personal data is processed on the grounds of legitimate interest.
- Data subject consent
Marketing. The portal operator requests the user’s consent allowing the portal operator to communicate to the user its products and marketing materials or notices related thereto, also the products and related marketing materials or notices from the persons belonging to the same concern as the portal operator or from other third party partners of the portal operator. In case the user has given the portal operator its consent for the transmission of whatever marketing materials, the portal operator may transmit to the user the information and offers corresponding to the user’s preferences HERE.
We may request you to provide us your consent also to perform other processes of data processing, which have not been mentioned before. The user has always right to refuse from giving his/her consent. The consent given by the user for the personal data processing can be revoked at any time.
Other data provided by a physical person to the portal operator.
The portal operator may reflect in the user’s database also other user personal data, if there is a legitimate need arising from the transactions performed on the portal or through the portal (incl. loan documents), provided that such data processing is not against the law.
Data processing of an employment applicant. The data processing of a physical person’s personal data can also be performed when a person applying for a job transmits his or her data to the portal. In this case, the data processing is performed in the manner corresponding to the precontractual data processing. The applicant is advised to consult with the portal operator prior to providing its data to the portal to make sure the content of the personal data required for the job application.
Transmission of the data
The portal operator may transmit (communicate) user’s personal data:
- to another group undertaking, if this is necessary for the performance of the portal operator’s contractual obligations;
- to the security agent (for more details on the agent’s functions see user terms);
- to Veriff OÜ, with whom the portal operator cooperates with respect to the application of the KYC measures to the portal users;
- to an accountant or an auditor, if such service is outsourced, also to a person providing legal assistance with respect to the transaction concluded with the user or between users;
- to a third party whose economic activity consists in enforcement of debt (incl. the data of the physical person representing the borrower) or to a third party whose economic activity consists in the assessment of creditworthiness or other similar service (incl. credit info; payment disorder register) to assess the borrower’s creditworthiness (if necessary, also the data of the physical person representing the borrower);
- to credit institutions where the portal operator holds the funds transmitted by the users for the performance of the portal operator’s mandate, in order to identify the user;
- to other persons, institutions and organisations (incl. bailiff, notary and to the persons and organisations dealing with the resolution of disputes arising from the usage of the portal or the transactions made through the portal);
- to persons, to whom the portal operator is obliged to transmit user’s personal data in accordance with the law or other legal act.
The portal operator has the right to transmit user’s data to third parties only if this is justified by the rights and obligations of the portal operator before the user and where the transmission of the data to such persons is not against the law.
We cooperate exclusively with undertakings, which are established in Estonia or other EAA territory. Upon transmission of the data to a third party the portal operator makes sure that the security of data is continuously ensured. To this end, a respective written agreement is concluded with the recipient of the data whereby the rules and procedures for data processing by the recipient are set.
Rights of data subject
- Right to request access to own data. The user has at any time the right get familiarised with his or her personal data disposed by the portal operator. Usually the portal operator makes user’s data in its disposal available to this user through the portal. Nevertheless the user has the right to request from the portal operator to transmit the personal data collected about the user with which the user is unable to familiarise his or herself via the portal.
- Right to request correction of data, where the data at the disposal of the portal operator is not correct.
- Right to request deletion of data stored by portal operator, first of all, where the data is processed based on a legitimate interest or user’s consent. The deletion of personal data is not possible, where data processing or storage is necessary to perform an obligation arising from law, the data is necessary for the performance of the objective for which it has been collected (first of all for the performance of the agreements concluded via the portal). If the portal operator is unable to delete the data, the portal operator justifies this to the user requesting the deletion.
- Right to submit an objection to an action of personal data processing, where the processing of personal data is performed on legitimate interest grounds (see above).
- Right to restrict processing of personal data, if:
- the user has challenged the correctness of the personal data until the portal operator has controlled the correctness of the data;
- the processing of personal data is illegal, but the user does not with the data to be deleted;
- the user requires the data to compose a legal claim, to present or to defend such claim;
- the user has objected to the data processing until the portal operator controls whether the portal operator’s legitimate justifications outweigh the user’s reasons.
To exercise any of the rights listed above the user can send to the portal operator a request through customer service or to an e-mail address firstname.lastname@example.org. The exercise of a right must be clearly designated in the request provided to the portal operator. A copy of all personal details relative to the user, which are not available via the portal, must be transmitted to the user within 30 day from the submission of the request.
To protect his or her rights, the user has the right to turn to the supervisory authority (Estonian Data Protection Inspectorate in Estonia) or to the court. The information about the requests to the Estonian Data Protection Inspectorate is available on its webpage.