© 2020. Holm Bank AS
Valid from: 01.06.2020
Part I – description of the processing
Part II – the data subject’s rights
Part III – final provisions
Description of the processing
Holm Bank AS, registry code 14080830 (hereinafter referred to as the Bank)
Posti 30, 90504 Haapsalu, Republic of Estonia
Data protection officer: Indrek Keis, email@example.com
2.1. General data (name, personal identification code, existence of active legal capacity, gender, date of birth, marital status, citizenship, country of origin, right of representation, tax residency, and applicable level of risk).
2.2. Contact information (telephone number, e-mail address, postal address, and place of residence).
2.3. Details of the document (copy of the document, type, validity, status, issuer, digital identification data).
2.4. Information about income and the origin of the assets (sector and area of activity, job position, length of employment, amount and sources of income).
2.5. Information about the economic situation (existence and amount of tax arrears, existence and amount of liabilities, financial behaviour, settlement failures, related bankruptcy proceedings, creditworthiness information, ownership rights).
2.6. Information about politically exposed persons, sanctions, and associated legal persons (status of a politically exposed person, applicable sanctions, connections with legal persons).
2.7. Information about the use of financial services, websites and applications, and customer communication (applications submitted and contracts concluded, contract number, bank account details, IP address, website and social media usage information, details of the means of payment issued and transactions completed with the means of payment, application preferences, marketing preferences, recordings of calls).
3.1. Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (point (b) of Article 6 (1) of the GDPR):
3.1.1. deciding on provision of the service and defining the terms and conditions of the contract;
3.1.2. provision of the service and performance of contracts;
3.1.3. sending of notices related to the service or application for the service.
3.2. Compliance with legal obligations (point (c) of Article 6 (1) of the GDPR):
3.2.1. observing of the principle of ‘Know your Customer’;
3.2.2. prevention of money laundering and terrorist financing;
3.2.3. observing of the principle of responsible lending;
3.2.4. fulfilling of the reporting obligation of credit institutions;
3.2.5. observing of the risk management requirements for credit institutions;
3.2.6. fulfilling of the data retention obligation.
3.3. Legitimate interests of the Bank (point (f) of Article 6 (1) of the GDPR):
3.3.1. business management and product development;
3.3.2. customer service and ensuring of the quality thereof and customer satisfaction (incl. recording of calls);
3.3.3. verification and specifying of data;
3.3.4. processing of complaints and inquiries;
3.3.5. marketing offers based on the previous customer relationship;
3.3.6. risk management and implementation of security measures and risk management measures;
3.3.7. fulfilling of general legal obligations and observing of the advice and guidelines of supervisory authorities;
3.3.8. prevention of damages to the Bank, its customers, and cooperation partners;
3.3.9. development and performance of IT solutions and ensuring of the suitability for processing, integrity, and confidentiality of data;
3.3.10. protection of the rights of the Bank in the event of legal disputes, debt claims, or claims for damages.
3.4. Legitimate interests of the data subject or a third party (point (f) of Article 6 (1) of the GDPR):
3.4.1. prevention of damage to the data subject or a third party.
3.5. Based on the data subject’s consent (point (a) of Article 6 (1) of the GDPR):
3.5.1. the purposes specified in the consent.
The information related to the use of the websites or applications of the Bank is published on the respective website or in the respective application of the Bank.
5.1. The data subject (the data provided through the application, customer communication, services, websites, or applications).
5.2. National and public registries (incl. the registries which have been created in order to enable assessment of the creditworthiness of persons or for other similar purposes).
5.3. A third party or an authority which serves a public function.
5.4. Publicly available data (incl. the data available on the Internet).
6. THE COMPULSORY NATURE OF SUBMISSION OF DATA
6.1. The services of the Bank are used on a voluntary basis. Submission of data by the person is necessary in order to be able to use the services of the Bank. In the event of a failure to submit data, the Bank may refuse to provide services, restrict access to the services of the Bank, or cease provision of a service.
7.1. General profiling
The Bank may use personal data to analyse the data subject’s financial situation, preferences, reliability, and risk behaviour and use this information to make decisions which may affect the data subject’s rights and possibilities in using the services of the Bank.
7.2. Automated decisions
7.2.1. The Bank may make an automated decision for the purposes specified in subsection 3.1, analysing the data subject’s general data (e.g. citizenship and risk level) and the information about their income, the origin of their assets, and their economic situation. The permissibility of entry into the contract based on the criteria for provision of a financial service coordinated by the supervision authority, the customer’s ability to perform the contract, and the likelihood of proper performance of the contract are taken into consideration in making an automated decision. With the decision, the Bank will define the specific terms and conditions of the contract which match the risk undertaken by the Bank.
7.2.2. The Bank may use automated decisions to achieve the purposes specified in subsection 3.2, by analysing the personal data which will help the Bank to prevent money laundering and terrorist financing and observe the principles of ‘Know your Customer’ and responsible lending.
7.2.3. The Bank may make automated decisions for the purposes specified in subsection 3.3 which will not result in legal consequences for the data subject or have a significant effect on them.
7.2.4. If the Bank makes an automated decision for the purposes specified in subsection 3.5, making of the automated decision will be interpreted as consent.
7.2.5. If an automated decision made by profiling results in legal consequences for the person (e.g. refusal to provide a service or ceasing of provision of a service), the person may request reviewing of the decision by an employee of the Bank.
8.1. If there are legal grounds and a lawful purpose, the Bank may transfer personal data to:
8.1.1. the companies which belong to the same consolidation group as the Bank (the Bank’s subsidiaries or other subsidiaries of the Bank’s parent company);
8.1.2. the persons and undertakings who are related to the provision of a service or performance of the contract (e.g. guarantors, co-applicants, notaries, payment and credit institutions);
8.1.3. the data processors who provide services to the Bank (e.g. providers of communications, IT, or postal services, etc.) or whose services are used by the Bank to protect its interests (e.g. bailiffs, collection companies, law offices, providers of information security services, etc.). An overview of the categories of data processors can be found on the website of the Bank;
8.1.4. managers of national or public data collections (incl. managers of data collections who collect and provide data for assessment of the creditworthiness of persons or who operate for other similar purposes);
8.1.5. the cooperation partners who have been authorised by the Bank to mediate applications, contracts, and inquiries;
8.1.6. a new creditor, in the event of transfer of the right of claim;
8.1.7. third parties, if the transfer of the data is required to protect the interests of the Bank in the event of a violation of the contract or damage caused;
8.1.8. public authorities and institutions which have a legal right to request transfer of the data by the Bank.
8.2. Personal data may be transferred to the data subject’s representative on the basis of a respective court ruling or a power of attorney accepted by the Bank or if the representative’s right of representation arises from the law. The Bank may request notarisation or attesting in an equivalent manner of a power of attorney which has been drawn up outside of the Bank.
8.3. Transfer of personal data in the cases specified above or set out in legislation will not be deemed violation of the obligation to maintain banking secrecy.
9.1. The personal data will be retained for as long as it is necessary to process the data for the purposes specified in subsection 3. The storage period may depend on the obligations arising from legislation or on the Bank’s legitimate interests.
The data subject’s rights
10.1. Data subjects can submit inquiries related to processing of their personal data on the website of the Bank or through the application or directly to the data protection officer of the Bank.
10.2. Inquiries about processing of personal data must be submitted in a format which can be reproduced in writing. The Bank may request further information in order to identify the person who submitted the inquiry and to process the inquiry, or may request explanations of the inquiry in order to process it. The Bank will respond to inquiries within 30 days of the date on which the inquiry is received. If it is necessary to perform further inspections or inquiries in order to respond, the Bank may extend the period of responding to the inquiry by notifying the person who submitted the inquiry thereof.
10.3. If an inquiry is clearly unreasonable or excessive, the Bank may claim compensation for the reasonable expenses arising from processing the inquiry or refuse to process the inquiry.
10.4. If the data subject finds that processing of their personal data violates their rights, they may submit a claim for elimination of the violation to the Bank or contact a relevant supervisory authority or a competent court at any time.
11.1. The Bank will provide information about how, whether, and which personal data are processed by the Bank.
11.2. The Bank may limit disclosure of information if such disclosure may damage the rights or freedoms of the Bank or other parties or endanger fulfilling of the obligations arising from legislation.
11.3. The Bank may refuse to disclose information concerning the data which is processed by the Bank in the course of monitoring of a business relationship for the purposes of prevention of money laundering or terrorist financing, prevention of tax fraud or market abuse offences, observing of security measures, or implementation of risk management measures.
12.1. In the case of an application for rectification or supplementation of incorrect personal data, the Bank may request evidence which would form the basis for rectification or supplementation of the data in relevant cases.
13.1. Erasure of personal data may be requested under the terms and conditions specified in Article 17 of the GDPR if there are no circumstances which prevent the erasure. In the event of refusing to erase personal data, the Bank must justify the lawfulness of continued processing of the personal data.
13.2. The right to request erasure of personal data is not extended to situations in which there are legal grounds for continuing to process the personal data, especially if the processing is necessary for fulfilling of an obligation arising from legislation or for protecting the Bank’s interests in legal disputes or in the case of debt claims or claims for damages.
14.1. Restriction of the processing of personal data in the cases specified in Article 18 of the GDPR will not have an effect on the Bank’s right to process the personal data for the purposes of fulfilling the retention obligation arising from the law or for drawing up, submission, or defending of legal claims.
15.1. The personal data provided by the data subject can be transferred in a structured, commonly used, and machine-readable format by using the respective functionality of the website or application of the Bank or, in the case of a lack thereof, by requesting transfer of the data by submitting a respective inquiry to the Bank.
15.2. The Bank will process an application for transfer of data within one month or notify the person who submitted the inquiry of extension of the processing period by up to two months if this is necessary due to the complexity of the inquiry or due to a high number of inquiries.
15.3. The Bank may refuse to transfer the data or restrict the transfer if it would damage the rights of the Bank or a third party.
16.1. In the event of an objection submitted in relation to data processing which is conducted based on legitimate interests, the Bank will only continue to process the personal data if it can prove the existence of legitimate interest which outweighs the data subject’s interests, rights, and freedoms or if the processing is required for the purposes of drawing up, submission, or defending of legal claims.
16.2. In the event of an objection in relation to data processing which is conducted based on consent, the Bank will interpret the objection as withdrawal of the consent and cease processing of the data.
16.3. In the event of an objection in relation to data processing which is conducted for the purposes of direct marketing, the Bank will cease processing of the data for this purpose.
If the data subject has granted their consent to the Bank for processing of personal data for a specific purpose, the consent may be withdrawn at any time. Withdrawal of the consent will not affect the lawfulness of the processing which has occurred prior to the withdrawal.
The main place of business of the Bank is the Republic of Estonia. Processing of personal data by the Bank is subject to the supervision of the Data Protection Inspectorate (www.aki.ee/en, Tatari 39, Tallinn 10134, Republic of Estonia).
19.1. The procedure extends to the processing of personal data which occurred before publication of this procedure.
19.2. The Bank may amend the procedure in order to ensure that the information remains up to date and compliant with legislation. The valid version and previous versions of the procedure can be found on the website of the Bank.
19.3. The overview of data processors published on the website of the Bank is updated at least once per quarter.