ROPO’S COLLECTION AND INVOICING CUSTOMERS
The purpose of this privacy statement is to provide the persons who are subject to collection and invoicing assignments by the Ropo Group – which comprises RopoHold Oy, Ropo Capital Oy, Ropo Finance Oy and Ropo Invest Oy (hereinafter referred to as “Ropo“) – a comprehensive picture of the personal data that Ropo collects on them, the purposes for which the data is used, and to whom the data may be disclosed. This privacy statement also provides information on the obligations and legislation that Ropo adheres to in the processing of personal data.
The privacy statement applies to all invoicing or collection customers as well as persons authorised by them or their trustees whose personal data is processed by Ropo as a controller in connection with the services it provides (hereinafter referred to as “data subject“).
1 Definition of personal data
“Personal data” means all data relating to data subjects whereby he/she may be directly or indirectly identified, as defined in the EU General Data Protection Regulation (2016/679) (“GDPR“). Data whereby the data subject may not be directly or indirectly identified is not personal data.
Ropo adheres to the GDPR as well as other applicable data protection legislation and good data processing practices.
2 Personal data groups and data content stored in the filing systems
Ropo collects and processes data that is necessary for the provision of its services. This applies to data received from the creditor, data provided by the data subjects themselves and data collected from other sources.
The following data is processed on data subjects:
- Identification and contact details, such as name, personal identity code or birth date, address, phone number, email address and bank contact details.
- Collection and invoicing information, such as the customer number of invoicing and/or collection customers; the invoicing or accounts receivable information; information on the receivable, the amount of and grounds for the receivable, as well as its payment; assignment number and information on its processing stage; information on collection measures and phase; information provided by the invoicing and/or collection customer; information necessary for handling the assignment, provided by the authorities and public registers, such as public credit information, official decisions and enforcement information; information necessary for handling an invoicing and/or collection assignment, provided by the creditor; vehicle owner and holder information; telephone conversations with customer service; and other information on the creditor and subject of assignment, necessary for handling the assignment.
- Information on related third parties, such as names and contact details of contact persons or trustees.
- Information linked to the granting of credit or to supervision, for instance credit status information and information on payment behaviour.
- User data for electronic services, such as user name and encrypted password.
- Behavioural data and technical identification data, monitoring of the data subject’s online behaviour and Ropo’s services through, for example, cookies or similar technical identity data. The collected data may include the user’s IP address, used pages, browser type, web address, session time and duration.
3 Purposes of processing personal data and legal basis for processing
Personal data is processed for the following purposes:
- Invoicing and payment control, including monitoring and maintenance of accounts receivable information and information on accounting records and payment transactions.
- The management of professional debt collection cases in voluntary and legal collection; litigation, criminal and bankruptcy, debt restructuring, corporate restructuring and application matters related to collection matters; and other collection-related tasks.
- Reporting, monitoring, controlling, training, testing and development of business and services, verification of service transactions, consulting and situations related to customer relationship management. For example, telephone records are used to develop customer service and to ensure customer transactions.
- Risk management and prevention of malpractice
- Storing and forwarding credit information from a credit reference operator’s credit filing system to contractual customers acting as creditors in accordance with the provisions of the Credit Information Act, as well as the use of credit information to decide on collection measures.
- For profiling and automatic decision making. Profiling is used for instance to gather information on payment methods of debts which have needed debt collection, as well to estimate solvency; automatic decision making is used to apply payment method information in order to choose the most suitable date and method for debt collection. Profiling and automatic decision making do not do not have any legal consequences for the data subject or any other serious consequences.
- In order to comply with statutory obligations, such as to draw up regulatory reports.
Only personal data necessary for the purpose and for handling the matter will be processed on the data subject.
Data on data subjects will also be used to implement the statutory obligations stipulated for professional debt collectors and for statistical purposes by a controller, whereby the information will be used so that it cannot be identified as pertaining to designated persons.
The legal basis for processing personal data of data subjects is:
- Implementation of a contract of which the data subject is a party, and the legitimate interest of the creditor and/or Ropo to receive payment, interest and collection costs.
- Statutory obligations of the controller.
Certain measures that the data subject requests related to invoicing and collection pertaining to him/her may require him/her to provide personal data without which the measures cannot be implemented due to either statutory obligations or contractual requirements.
4 Data sources
Regular data sources are:
- Creditors (data on assignment, invoicing and/or collection customer, and receivable)
- Invoicing and collection customers (data on the customer itself, as well as the receivable and payments)
- Through the controller’s own operations (data related to invoicing and/or collection)
- Population Register (address and personal data, as well as trustee data)
- Legal Register Centre (bankruptcy, corporate restructuring and debt restructuring data)
- Credit information filing systems of Bisnode Finland Oy and Suomen Asiakastieto Oy (public payment default data)
- The Business Information System (enterprise and organisation data)
- Tax Administration (public tax data)
- Finnish Patent and Registration Office (identification data of invoicing and/or collection customers)
- Number, address and contact information service companies (phone numbers and address information)
- Local Register Offices (trustee information)
- Finnish Transport and Communications Agency Traficom (vehicle owner and holder data)
- In addition, data is provided by the courts as well as pretrial, enforcement and labour authorities.
5 Storage of personal data
Ropo will store personal data for as long as is necessary for the purposes specified in this privacy statement unless the law requires the retention of personal data for a longer period of time (for example, specific legal, accounting or reporting responsibilities and obligations) or unless Ropo needs the data for drawing up or presenting a legal claim or for defending against a legal claim.
Ropo will store the personal data of invoicing and collection customers for the period required for the invoicing and/or collection, and for the period required by law thereafter.
After the storage period of personal data has expired, the data will be deleted within a reasonable time.
6 Processors and other recipients of personal data
Personal data of data subjects may be disclosed to a third party in situations permitted and mandated by assignment contracts and prevailing legislation, including:
- the creditor
- the invoicing and/or collection customer or party designated by it, in connection with the data subject
- the courts
- enforcement authorities
- police authorities
- credit information companies
- number, address and contact information service companies for checking of data
Credit information from a credit reference operator’s filing system may be forwarded to contractual customers acting as creditors.
In addition, personal data may be processed by the service providers and partners providing IT and information systems and other IT services or other services to Ropo.
Ropo may also be required to disclose personal data of data subjects in the event of an emergency or other unforeseen circumstances to protect human life, health and property. In addition, Ropo may be required to disclose personal data of data subjects if Ropo is involved in legal or other proceedings in dispute resolution bodies.
If Ropo is involved in a merger, business transaction or other corporate restructuring, it may be required to disclose personal data of data subjects to third parties.
7 Transfer of personal data outside the European Union or the European Economic Area
Data will not be transferred outside the European Union or the European Economic Area.
8 Principles of personal data protection and processing security
Ropo processes personal data in a way that aims to ensure the proper security of personal data, including protection against unauthorised processing and accidental loss, destruction or damage.
Ropo uses appropriate technical and organisational protective measures to ensure this, including the following protective measures:
Ropo’s network and servers are protected by firewall and other technical measures. Data readout, transmission and deletion rights are limited by access rights and passwords. Access rights are granted to persons handling collection and other assignments who have personal and job description-specific user rights and who have received instructions. Users of the filing system are identified and controlled and their access rights checked at regular intervals. The staff have received instructions on the safe use of passwords.
The material is stored in a locked space of the company, equipped with modern security systems, with access rights limited to persons assigned to it for their duties. The premises are equipped with access control.
Data is printed only when needed, and printouts are securely destroyed immediately after processing. The staff have been instructed that the personal identity codes of data subjects shall not be unnecessarily entered in documents.
All persons processing personal data have a confidentiality obligation, based on the Privacy Act and contractual confidentiality terms, on matters pertaining to the personal data processing of data subjects.
In accordance with this privacy statement, Ropo may outsource processing of personal data to service providers or subcontractors, but Ropo, through adequate contractual obligations, shall ensure that personal data is processed properly and lawfully.
9 Rights of data subjects and realisation of rights
The data subjects have the rights guaranteed by current data protection legislation.
Right of access to data
The data subject has right of access to the data on him/herself and, at his/her request, the right to receive a copy of the data.
The request for a copy must be sent in writing, with personal identity code and signature to:
Ropo Capital Oy
P.O. Box 25
The request must be accompanied by a copy of an identity document containing a signature, which verifies identity before providing the data.
Right to data rectification and erasure
The data subject may notify the controller’s contact person mentioned in section 12 of this privacy statement of any error he/she has detected in his/her data. After verification of the data subject’s identity, the inaccurate data will be rectified. If the data rectification is denied, the data subject will be notified in writing.
Ropo will erase, on its own initiative or at the request of the data subject, and complete any inaccurate, unnecessary, incomplete or outdated personal data for the purpose of processing in the filing system.
Right to data portability, restriction of processing, object to processing and withdrawal of consent
Under the current data protection legislation, the data subject has the right, in certain situations, to request the transfer of his/her data to another controller.
In a situation where personal data suspected inaccurate cannot be rectified or erased, or there is confusion about the request to erase, the company will restrict access to the data.
The data subject has the right to object to the use of data for a particular type of processing, such as direct marketing. Ropo Capital does not use its invoicing or collection customers for direct marketing or disclose data for such purposes.
The data subject has the right not to be subject to a decision which is based solely on automated processing and which has significant legal or similar effects on him/her. Ropo does not make automated processing decisions on the data subject that would have significant legal or similar effects on him/her.
If processing is based on consent, the data subject has the right to withdraw consent. The withdrawal has no effect on processing prior to the withdrawal.
10 Right to file a complaint with a supervisory authority
The data subject has the right to file a complaint with a data protection authority if the data subject considers that his/her personal data has been processed in violation of current legislation. In the European Union, the complaint may be filed with a data protection authority, in particular with the data protection authority in the country of residence or employment or with the data protection authority in the state where the alleged infringement has occurred. In Finland, the data protection authority is the data protection ombudsman: tietosuoja.fi.
11 Contact details of the data protection officer
Ropo Group’s Data Protection Officer: Arttu Rautiainen
12 Contact details of the controller
Controller: Ropo Capital Oy (business ID: 2495037-7)
Contact details: firstname.lastname@example.org
Ropo Capital, P.O. Box 25, FI-70101 Kuopio
13 Changes to the privacy statement
Ropo may, if necessary, amend and update this privacy statement. The changes may also be based on amendments to data protection legislation. We will notify of any changes on our website. Data subjects will be informed of essential changes.
This privacy statement was published on 23 May 2018 and updated on September 27th, 2021.