CONCERNING ROPO’S MARKETING AND CREDITOR CUSTOMERS
The purpose of this privacy statement is to provide the persons who are connected to existing and potential creditor customers of the Ropo Group – which comprises RopoHold Oy, Ropo Capital Oy, Ropo Finance Oy and Ropo Invest Oy (hereinafter referred to as “Ropo“) – a comprehensive picture of the personal data that Ropo collects on them, the purposes for which the data is used, and to whom the data may be disclosed. This privacy statement also provides information on the obligations and legislation that Ropo adheres to in the processing of personal data.
The privacy statement applies to all natural persons who are potential or existing creditor customers or their representatives, contact persons or beneficiaries and whose personal data is processed by Ropo as a controller (hereinafter referred to as “data subject“).
1 Definition of personal data
“Personal data” means all data relating to data subjects whereby he/she may be directly or indirectly identified, as defined in the EU General Data Protection Regulation (2016/679) (“GDPR“). Data whereby the data subject may not be directly or indirectly identified is not personal data.
Ropo adheres to the GDPR as well as other applicable data protection legislation and good data processing practices.
2 Personal data groups and data content stored in the filing systems
Ropo collects and processes data that is necessary for the provision of its services. This applies to data received from the creditor, data provided by the data subjects themselves and data collected from other sources.
The following data is processed on data subjects:
- Identification, contact and position details, such as name, personal identity code or birth date, address, phone number, email address, bank contact details and the data subject’s position in the existing or potential creditor customer.
- Customer event information, such as contacts between the data subject and Ropo and participation in events organised by Ropo.
- Information connected to the contractual relationship, such as the invoicing and/or collection customers; the invoicing or accounts receivable information; information on the receivable, the amount of and grounds for the receivable, as well as its payment; assignment number and information on its processing stage; information necessary for handling the assignment, provided by the authorities and public registers; information necessary for handling an invoicing and/or collection assignment, provided by the creditor; and other information on the creditor necessary for handling the assignment.
- Information on related third parties, such as names and contact details of contact persons or trustees.
- User data for electronic services, such as user name and encrypted password on Ropo 24.
- Behavioural data and technical identification data, monitoring of the data subject’s online behaviour and Ropo’s services through, for example, cookies or similar technical identity data. The collected data may include the user’s IP address, used pages, browser type, web address, session time and duration.
As regards potential customers, the necessary personal data groups will be processed, such as identification, contact and position details, as well as behavioural data and technical identification data.
Ropo may collect on its customers, their representatives and actual beneficiaries the following personal data, among other things, to comply with money laundering legislation such as the Act on Preventing Money Laundering and Terrorism Financing (2017/444):
- Full name
- Date of birth and personal identity code
- Telephone number and email address
- Mailing address
- Position in the legal person and other business contacts of the person and details of holdings
- Name of the passport, travel document or other document used for verifying identity, document number or other identifying information and issuer, or a copy of the document
- If the customer has been identified remotely, information on the procedure or sources used in verification; in case of TUPAS identification, identification information for TUPAS identification
- Necessary information obtained to comply with the enhanced identification obligation of a politically exposed person.
3 Purposes of processing personal data and legal basis for processing
Personal data is processed for the following purposes:
- Provision of services, contacting, customer support
- Accounting and payment transactions
- Reporting, monitoring, training, testing and development of business and services, and verification of service transactions. For example, telephone records are used to develop customer service and to ensure customer transactions.
- Risk management and prevention of malpractice
- Meeting regulatory obligations, such as the identification of a customer stipulated by money laundering legislation
Only personal data necessary for the purpose and for handling the matter will be processed on the data subject.
The legal basis for processing personal data of data subjects is:
- Ropo’s legitimate interest or consent concerning own marketing
- For the implementation of a contract with a data subject or for the implementation of pre-contractual measures at the request of a data subject
- The legitimate interest of the creditor customer and Ropo in relation to the creditor’s contact persons
- The legitimate interest of Ropo to develop business
- Ropo’s statutory obligations
The provision of personal data for assignments is required partly by contracts and partly by legislation. Without certain personal data, the assignment relationship cannot be established, for example, because the obligation to identify the customer based on debt collection and money laundering legislation, or without certain personal information, the potential assignment cannot be executed if the data subject acting as creditor does not provide the necessary personal data.
When processing is based on consent, the data subject has the right to withdraw consent.
4 Data sources
Regular data sources are:
- Creditors (details on assignment and contact person)
- Through the controller’s own operations (data related to invoicing and/or collection)
- Population Register (address and personal data, as well as trustee data)
- Legal Register Centre (bankruptcy, corporate restructuring and debt restructuring data)
- Credit information filing systems of Bisnode Finland Oy and Suomen Asiakastieto Oy (public payment default data)
- The Business Information System (enterprise and organisation data)
- Tax Administration (public tax data)
- Finnish Patent and Registration Office (identification data of creditor)
- Number, address and contact information service companies (phone numbers and address information)
- Local Register Offices (trustee information)
- In addition, data is provided by the courts as well as police, enforcement and labour authorities.
5 Storage of personal data
Ropo will store personal data for as long as is necessary for the purposes specified in this privacy statement unless the law requires the retention of personal data for a longer period of time (for example, specific legal, accounting or reporting responsibilities and obligations) or unless Ropo needs the data for drawing up or presenting a legal claim or for defending against a legal claim.
Ropo will store the personal data of data subjects connected to creditor customers for the duration of the assignment and for the period required by law thereafter.
For marketing purposes, the basic information on the creditor’s contact persons is maintained as long as they are the subject of marketing.
The creditor’s identification data is maintained in accordance with applicable law, which is currently, under money laundering legislation, five years from the termination of a permanent customer relationship or, for an extraordinary transaction, five years from the execution of the transaction.
After the storage period of personal data has expired, the data will be deleted within a reasonable time.
6 Processors and other recipients of personal data
Personal data of data subjects may be disclosed to a third party in situations permitted and mandated by assignment contracts and prevailing legislation, including:
- an invoicing and/or collection customer
- the courts
- enforcement authorities
- police authorities
- credit information companies
- number, address and contact information service companies for checking of data
In addition, personal data may be processed by the service providers and partners providing IT and information systems and other IT services or other services to Ropo.
Ropo may also be required to disclose personal data of data subjects in the event of an emergency or other unforeseen circumstances to protect human life, health and property. In addition, Ropo may be required to disclose personal data of data subjects if Ropo is involved in legal or other proceedings in dispute resolution bodies.
If Ropo is involved in a merger, business transaction or other corporate restructuring, it may be required to disclose personal data of data subjects to third parties.
7 Transfer of personal data outside the European Union or the European Economic Area
Data will not be transferred outside the European Union or the European Economic Area.
8 Principles of personal data protection and processing security
Ropo processes personal data in a way that aims to ensure the proper security of personal data, including protection against unauthorised processing and accidental loss, destruction or damage.
Ropo uses appropriate technical and organisational protective measures to ensure this, including the following protective measures:
Ropo’s network and servers are protected by firewall and other technical measures. Data readout, transmission and deletion rights are limited by access rights and passwords. Access rights are granted to persons handling collection and other assignments who have personal and job description-specific user rights and who have received instructions. Users of the filing system are identified and controlled and their access rights checked at regular intervals. The staff have received instructions on the safe use of passwords.
The material is stored in a locked space of the company, equipped with modern security systems, with access rights limited to persons assigned to it for their duties. The premises are equipped with access control.
Data is printed only when needed, and printouts are securely destroyed immediately after processing. The staff have been instructed that the personal identity codes of data subjects shall not be unnecessarily entered in documents.
All persons processing personal data have a confidentiality obligation, based on the Privacy Act and contractual confidentiality terms, on matters pertaining to the personal data processing of data subjects.
In accordance with this privacy statement, Ropo may outsource processing of personal data to service providers or subcontractors, but Ropo, through adequate contractual obligations, shall ensure that personal data is processed properly and lawfully.
9 Rights of data subjects and realisation of rights
The data subjects have the rights guaranteed by current data protection legislation.
Right of access to data
The data subject has right of access to the data on him/herself and, at his/her request, the right to receive a copy of the data.
The request for a copy must be sent in writing, with personal identity code and signature to:
Ropo Capital Oy
P.O. Box 25
Before granting access to the data, we need to verify your identity. For this purpose, please send us a copy of a proof of identity containing your signature. You can send the proof of identity as an attachment file with your request. Requests sent by email should be addressed to email@example.com. The request must contain all identity verification information listed above. Data subjects can also submit requests for access to personal data by signing into the Ropo Online service with strong electronic identification. In this case, you do not need to separately provide the identity verification information listed above.
Right to data rectification and erasure
The data subject may notify the controller’s contact person mentioned in section 12 of this privacy statement of any error he/she has detected in his/her data. After verification of the data subject’s identity, the inaccurate data will be rectified. If the data rectification is denied, the data subject will be notified in writing.
Ropo will erase, on its own initiative or at the request of the data subject, and complete any inaccurate, unnecessary, incomplete or outdated personal data for the purpose of processing in the filing system.
Right to data portability, restriction of processing and object to processing
Under the current data protection legislation, the data subject has the right, in certain situations, to request the transfer of his/her data to another controller.
In a situation where personal data suspected inaccurate cannot be rectified or erased, or there is confusion about the request to erase, the company will restrict access to the data.
The data subject has the right to object to the use of data for a particular type of processing, such as direct marketing.
The data subject has the right not to be subject to a decision which is based solely on automated processing and which has significant legal or similar effects on him/her. Ropo does not make automated processing decisions on the data subject that would have significant legal or similar effects on him/her.
Right to withdraw consent
If the legal basis for processing is consent, the data subject has the right to withdraw consent. The withdrawal has no effect on processing prior to the withdrawal.
10 Right to file a complaint with a supervisory authority
The data subject has the right to file a complaint with a data protection authority if the data subject considers that his/her personal data has been processed in violation of current legislation. In the European Union, the complaint may be filed with a data protection authority, in particular with the data protection authority in the country of residence or employment or with the data protection authority in the state where the alleged infringement has occurred. In Finland, the data protection authority is the data protection ombudsman: tietosuoja.fi.
11 Contact details of the data protection officer
Ropo Group’s Data Protection Officer: Arttu Rautiainen
12 Contact details of the controller
Controller: Ropo Capital Oy (business ID: 2495037-7)
Contact details: firstname.lastname@example.org
Ropo Capital, P.O. Box 25, FI-70101 Kuopio
13 Changes to the privacy statement
Ropo may, if necessary, amend and update this privacy statement. The changes may also be based on amendments to data protection legislation. We will notify of any changes on our website. Data subjects will be informed of essential changes.
This privacy statement was published on 23 May 2018 and updated on September 27th, 2021.