Privacy policy – For customers

OK Perintä Oy is committed to upholding the rights of data subjects and the protection of personal data. This privacy statement describes how OK Perintä Oy collects, processes, stores and protects your personal data.

This privacy statement contains the information to be provided under Article 14 of the General Data Protection Regulation (EU 2016/679) in cases where personal data have not been obtained from the data subject.

1. Data controller

OK Perintä Oy
Business ID: 0873725-0
Tiilitehtaankatu 7 A
FI-65100 Vaasa, Finland

2. Contact person for privacy matters

Data Protection Officer Jenni Vainionpää
OK Perintä Oy
Tiilitehtaankatu 7 A
FI-65100 Vaasa, Finland
privacy@okperinta.fi

3. Name of filing system

OK Perintä Oy customer database

4. Legal basis and purpose of processing data

The legal basis for processing data under the EU General Data Protection Regulation is based on the performance of a contract (Article 6.1(b)) and the execution of the legitimate interests of the controller (Article 6.1(f)). As the company is engaged in licensed and regulated professional debt collection activities, the processing of personal data can be deemed appropriate under the aforementioned grounds.

The purpose of processing personal data is the collection of receivables resulting from a debt relationship.

5. Category of data subjects

The category of data subjects comprises the customers in the debt collection database.

Other personal data necessary for the purposes of carrying out debt collection commissions may also be stored in the filing system. These may include the personal data of the client, the authorities and representatives of the customer.

6. Data content of the filing system

Name
Personal identity number
Postal address

Native language
Telephone number
Email address
Call recordings
Other information necessary for the performance of the commission provided by the client
Personal credit information and other information necessary for the performance of the commission obtained from public registries
Information on the debt and its payment
Information on debt collection measures
Other information necessary for the performance of the commission

7. Regular sources of data

The initial inclusion of personal data in the filing system is made primarily on the basis of information received from the client placing the commission.

Personal data may also be collected from the data subject or from courts, enforcement authorities, Legal Register Centre, credit registers, Tax Administration, local register offices, Population Register Centre, telephone directory service providers, and police authorities. The company notes that the aforementioned list is not intended to be exhaustive.

8. Regular categories of recipients

Personal data in the filing system may be disclosed within the limits of and to fulfil the obligations of commission contracts and legislation valid at a given time to, for example, the client, the data subject, courts, enforcement authorities, credit register companies, Population Register Centre, local register offices, telephone directory service providers, police authorities, and the Legal Register Centre. The company notes that the aforementioned list is not intended to be exhaustive.

In addition, the controller may make use of an external subcontractor or software service provider to process personal data on behalf of the controller. In such cases, the controller is responsible for ensuring the lawfulness of processing.

9. Transfer of data outside the EU or EEA

As a rule, we process your personal data within the European Economic Area. However, processors acting on our behalf and their sub-processors may be located and/or transfer data outside the European Economic Area. In addition, within Group companies, personal data may be transferred outside the European Economic Area for the purposes of appraising outstanding amounts of debt to be purchased and audits carried out by the Group.

As we may need to transfer personal data to countries outside the European Economic Area (EEA) or places with different data protection rules, we take steps to protect your data, including:

-Adequacy Decisions: If the European Commission says a country has good data protection, we can send data there without extra safeguards, including EU-US Data Privacy
-EU-US Data Privacy Framework: The European Commission has approved data transfers from the European Economic Area (EEA) to the United States under the EU-US Data Privacy     Framework. Under this framework, your personal data may be transferred to participating U.S. companies without the need for additional safeguards.
-Standard Contractual Clauses: We might use these approved contracts to ensure your data is safe when it goes outside the EEA.

The information about the transfers can be obtained through contacting our data protection officer mentioned in the section 2.

10. Period of storing personal data

Personal data will be stored for the period required for the performance of the debt collection commission. In such cases, the company will update the personal data of the subject regularly, in order to ensure that the data are up to date. In addition, documents and information concerning debt collection are stored for the period required by legislation valid at a given time. The storage period may be based on the requirements of good practice in debt collection or the Accounting Act.

The company will store call recordings of telephone conversations with data subjects for a period of three years. If the debt claim is contested, call recordings may be stored until the resolution of the matter is legally valid.

11. Profiling

As part of its processing activities, the company may use personal data for purposes of profiling. Profiling is made primarily on the basis of personal data provided in the commission and other available public information (e.g., credit information). The purpose of profiling is to assess the payment behaviour of data subjects in order to allow the controller to appropriately proportion its debt collection measures. The profile of the data subject may be compared with the profiles created from other data subjects. However, the company does not exercise any form of automatic decision-making that is based on profiling and that would have legal or other significant repercussions on the data subject.

12. Description of technical and organisational protective measures

The processing of personal data is carried out with due diligence. Members of personnel who process personal data receive initial training and regular yearly training. Data in the filing system may only be processed by individuals entitled to do so by reason of their duties. Processors of personal data are subject to a non-disclosure obligation.

The company processes the personal data of the data subject in both printed and electronic form.

Printed material

Printed material is scanned into an electronic form and stored as part of the filing system. After this, the material is destroyed by disposing of it in a locked security bin. Printed materials that the company cannot destroy (due to requirements on original documents) are stored in a locked deposit. The company premises may be accessed only by personnel in an employment relationship with the company.

Electronic material

The company has implemented the technical and organisational measures it has deemed necessary to protect the filing system from unauthorised access and use. Such measures include the use of various username and password combinations and secure data connections.

13. Right of access and right to rectification

The data subject shall have the right to access their personal data stored in the filing system. The request for access must be made in writing and ensure that the company is able to verify the identity of the data subject. If necessary, the controller may ask the individual requesting access to prove their identity. Requests for access shall be presented to the Data Protection Officer (section 2). Rectification may be requested once each year without additional fee, after which the company shall charge an administrative fee of EUR 20 for each further request as compensation for the work caused. The company shall respond to the individual presenting the request within the period of time specified in the GDPR (usually one month from the request).

If a data subject finds their data to be inaccurate, they have the right to request that their data be rectified or erased, unless such data is necessary for the performance of debt collection. The controller must notify third parties with whom they have shared the data or from whom they have received the inaccurate data of the rectification unless this would require disproportionate effort. Requests for rectification shall be presented to the Data Protection Officer (section 2).

14. Other rights of data subjects

Data subjects have the right to request the restriction of processing until, for example, the controller has verified the accuracy of the data. Data subjects have the right to object to direct marketing at any time. The company notes that it does not carry out direct marketing activities aimed at customers in the debt collection database due to their standing. However, the company may carry out targeted electronic marketing activities for those customers visiting the company website that has given their consent. In this respect, the company refers to the report on use of cookies issued by the company.

Data subjects have the right to file a complaint to the regulatory authorities on matters related to the processing of their personal data.

15. Changes to the privacy statement

This privacy statement may be updated at a later date, for example, due to changes in the company’s procedures on the processing of personal data or changes in official regulations or legislation. This privacy statement was last updated on 11 November 2020. The updated version will be published on the company website within three days from the update. Earlier versions will be found at the company.