Principles of Customer Data Processing
We process personal data only to the extent necessary for the fulfillment of our defined purposes and, in doing so, we comply with all applicable laws and regulations, including in particular the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the laws governing our activities as a credit intermediary.
If you have any questions about the processing of your personal data, or if you wish to exercise any of the rights described below, please contact us at email@example.com.
1. What kind of personal data does Mifundo process, and for what purpose?
1.1 When you use Mifundo services on the platform, we process data about you that you have provided to us using our services, or that your co-applicant has provided to us (if the co-applicant does not use the platform). We will assume that you have given the co-applicant the opportunity to read this policy before you submit his or her information to us. In addition, we collect additional data from various databases (population register, credit info services).
We assume that you are registering as a user on our platform solely for the purpose of submitting a credit application through the platform, and we will only collect the information we need to fulfill the purposes described below.
We collect the following personal information about you:
Categories of personal data
- Personal identification data: first and last name, personal identification number (or date and place of birth), email address, telephone number, residential address, identity document details (in case of online identification), username, and user account password.
- Financial information: bank account and/or Tax and Customs Board statement details, income and liability details (amount, origin), bank account number, number of dependents, agreements showing liabilities and/or income, loan history (loan applications submitted, agreements entered into) and payment history (if the person has previously entered into agreements through our platform), and the amount and period requested.
- Data collected from the credit information services: various payment history data (including payment defaults, notices in the Official Gazette, credit score, etc.) and risk assessment, whether the person is subject to an international sanction and/or is a politically exposed person (PEP).
- Data collected from the population register: basic data on the person, place of birth and residence, other addresses, data on identity documents, data on legal capacity, data on e-residency, marital status, number of minor children, education, and date of arrival in Estonia.
- Communication data: our email correspondence or other data provided during communication with us.
- Credit agreement data: data on the conclusion of the credit agreement via the platform and on the performance of the credit agreement.
We process your personal data for the following purposes and on the following legal grounds:
Purpose of processing personal data and legal basis for the processing of personal data
- Enabling the use of the platform (personal identification details).The processing is necessary for the creation and performance of the user account and the customer relationship, i.e. to take action prior to the conclusion of the agreement and to perform the agreement (Article 6(1)(b) of the GDPR).
- * Facilitating the credit application, including the collection of necessary information and identity verification (personal identification data, financial data, data collected from population registers, data collected from credit information services, communication data). The processing is necessary for the actions prior to the conclusion of the credit agreement and for the performance of the agreement concluded with us (Article 6(1)(b) of the GDPR).The processing is necessary for the fulfilment of a legal obligation (Article 6(1)(c) of the GDPR) imposed on the creditor and us by the Creditors and Credit Intermediaries Act and the Money Laundering and Terrorist Financing Prevention Act.
- * Assessment of your creditworthiness and compliance with your obligations relating to the prevention of money laundering and terrorist financing before submitting your credit application to the creditor (personal identification data, financial data, data collected from population registers, data collected from credit information services, communication data, data on concluded credit agreements). The processing is necessary for the actions prior to the conclusion of the credit agreement and for the performance of the agreement concluded with us (Article 6(1)(b) of the GDPR). The processing is necessary for the fulfilment of a legal obligation (Article 6(1)(c) of the GDPR) imposed on the creditor and us by the Creditors and Credit Intermediaries Act and the Money Laundering and Terrorist Financing Prevention Act.
- * Finding potentially suitable creditors for you (personal identification data, financial data, data collected from population registers, data collected from credit information services, communication data, credit agreement data). The processing is necessary for the actions prior to the conclusion of the credit agreement and for the performance of the agreement concluded with us (Article 6(1)(b) of the GDPR). The processing is necessary on the basis of our and the creditor’s legitimate interest in identifying, on the basis of your profile and the criteria prescribed by the creditors, the creditors from which the applicant is most likely to obtain the best offers for the conclusion of a credit agreement and, on that basis, to transmit applications to the relevant creditors (Article 6(1)(f) of the GDPR).
- * Enabling the conclusion of a credit agreement on the platform (credit agreement details). The processing is necessary for the actions prior to the conclusion of the credit agreement and for the performance of the agreement concluded with us (Article 6(1)(b) of the GDPR).
- Sending a reminder (personal identification details). The processing is necessary for our legitimate interest in informing you about an outstanding credit application and enabling us to continue to process it by sending you a notification (Article 6(1)(f) of the GDPR).
- Fulfilling our other legal obligations, e.g. in the retention of documents (all categories of personal data subject to a legal retention requirement). The processing is necessary for the fulfilment of a legal obligation (Article 6(1)(c) of the GDPR) imposed on us by, inter alia, the Creditors and Credit Intermediaries Act, the Money Laundering and Terrorist Financing Prevention Act, and the Accounting Act.
- Statistics and analysis on the use of the platform (all categories of personal data). The processing is necessary for our legitimate interest in analyzing and improving our services, including for the purpose of further developing the logic underlying the assessment of creditworthiness and the selection of creditors (Article 6(1)(f) of the GDPR).
- Making marketing offers (all categories of personal data).The processing is based on your consent to receive personalized offers from us (Article 6(1)(a) of the GDPR).
- Protecting our rights (all categories of personal data that are relevant for the resolution of a dispute). The processing is necessary for the purposes of our legitimate interest in the protection of our rights in the event of a possible dispute or claim against us (Article 6(1)(f) of the GDPR).
* In order to provide you with a high-quality credit intermediation service, we work closely with the creditors who offer credit agreements through the platform. These are our cooperation partners with whom we have signed relevant agreements (see the list below). With regard to the purposes of the processing of personal data marked *, in the processes concerning the collection of personal data for the purposes of the credit application, the assessment of your creditworthiness and the identification of potentially suitable creditors, we process your personal data as co-responsible processors with creditors that are our cooperation partners. If you have any questions about the processing for these purposes, or if you wish to exercise your rights, please contact us at firstname.lastname@example.org.
1.2 When you contact Mifundo (e.g. by email, post or phone), we will process the personal data that you have provided to us (e.g. name, contact details, and communication details). We will do so on the basis of our legitimate interest in responding to and/or resolving your request, including, for example, providing you with user support (Article 6(1)(f) of the GDPR).
1.3 If you are the representative/contact person of one of our cooperation partners, we will process your personal data that we have received from you or from a cooperation partner associated with you (e.g. name, work contact details, communication details, data requested when creating an account with the creditor on the platform). We do so on the basis of our legitimate interest in performing, managing and maintaining contact with the partner (Article 6(1)(f) of the GDPR).
1.4 When you visit the Mifundo website, we may receive personal information about you through the cookies we use on our website. For more information on cookies, please read the Cookies Policy on our website.
Where we process personal data on the basis of our legitimate interest, we have first carried out a proper evaluation of conflicting interests to assess whether our interest in processing the personal data outweighs your interests and the rights and freedoms for which the personal data are protected. You can always object to such processing. You can read more about exercising your rights below.
Where we process personal data on the basis of your consent, you always have the right to withdraw your consent (e.g. by clicking on the link at the end of the offer or by sending us an email). However, please note that the withdrawal of consent does not affect the lawfulness of the processing that took place prior to such withdrawal.
2. With whom does Mifundo share personal data?
Mifundo works in close cooperation with creditors when providing credit intermediation services, from whom you can receive offers to enter into a credit agreement through the platform and with whom you can enter into credit agreements through the platform. When applying for credit, you may choose to exclude certain creditors from whom you do not wish to receive an offer. In this case, we will never submit the application to such a creditor. However, we also use tools that allow us to prioritize the creditors we partner with to identify those from whom you may be able to obtain the best offer in the circumstances of your particular credit application (cf. in Chapter 4).
Our list of partners is constantly updated, so you can get the most up-to-date information about our current partners by selecting which creditors you wish to exclude from your application before submitting a credit application on the platform. This list identifies all our creditor partners to whom it is currently possible to submit applications and who may, therefore, also receive your personal data.
We may share with our creditor partners, at their request and by agreement between us, any information we have about you, including, without limitation, information that you have provided to us or that we have collected about you when you use our services, including credit analysis information. Such purposes of processing are described in more detail above. We will treat your submission of a credit application as your willingness to share your personal data that is relevant for the purposes of the credit application with the creditors with whom you have not opted out of sharing personal data. However, please note that the offer of a credit agreement and the terms and conditions of the credit agreement will be decided independently by each creditor, who will also process your personal data as a separate controller. For more information on how each creditor processes your personal data, please refer to the relevant creditor’s terms and conditions for processing personal data.
Authorized processors. In the course of our business activities, we may also need to share your personal information with third parties. For example, some of our service providers may have access to your personal data when they provide services to us in support of our day-to-day business (e.g. various IT service providers and accounting service providers). Such service providers will only process personal data on our instruction as processors operating on our behalf, and we remain responsible for them.
Third parties. In addition to authorized processors and creditor partners, we may, in certain cases, need to share your personal data with third parties who process your personal data as independent controllers. Such third parties include:
- Our auditors, legal service providers and other consultants, where the sharing of personal data is necessary in the context of a service provided to us.
- Managers of databases and registers (e.g. the population register and the register of insolvencies of the credit information services), when we submit queries to the registers for the above-mentioned purposes.
- Public authorities and supervisory authorities (e.g. the Tax and Customs Board, the Police and Border Guard Board, and the Financial Supervision Authority), if we make a request to them or receive it from them for the purposes described above that requires the sharing of your personal data.
We may also need to access your personal data where this is relevant in connection with the restructuring, merger, acquisition, sale or other transaction of Mifundo or in connection with the assignment of claims.
We will only share your personal information with third parties where we have a legal basis to do so.
We do not process personal data in countries outside the European Economic Area or outside of countries that have been assessed by the European Commission as providing an adequate level of protection for personal data. In the event that any of the creditor partners, processors or third parties with whom we share personal data process personal data in any such country, we will apply additional safeguards in accordance with the GDPR (e.g. by entering into an agreement based on standard contractual clauses approved by the European Commission).
3. How long does Mifundo retain personal data?
Mifundo will retain your personal data for as long as necessary to fulfill the purpose for which the personal data is processed. We often need to retain personal data in accordance with the time limits set out in applicable legislation. When we no longer need to retain personal data, we delete it or make it anonymous. For example, we retain personal data for the periods set out below:
- Credit file data: 3 years from the expiry of the credit agreement (in accordance with the Creditors and Credit Intermediaries Act).
- Data relating to identification, transactions and the establishment of a business relationship: 5 years from the end of the business relationship (in accordance with the Money Laundering and Terrorist Financing Prevention Act).
- Accounting records and other business documents necessary for a clear description of economic transactions: 7 years from the end of the relevant financial year (in accordance with the Accounting Act).
- Other data related to agreements and transactions: 10 years from the end of the agreement or transaction.
4. In which situations do we use profiling and/or make automated decisions?
In certain situations, we will create a profile of you based on your personal data, which may, in turn, be used to make an automatic decision. We use such automated solutions to mitigate the risk of potential human error and to speed up the credit application process so that you can get an overview of potential offers for a credit agreement as quickly as possible. We constantly review the algorithms underlying these processes and improve them to avoid any errors or inaccuracies. You always have the right to ask us for further explanations about exactly how the decision was made about you, and you have the right to challenge an automated decision by contacting us at email@example.com.
Automatic creditworthiness assessment on the platform (credit analysis). We use an algorithm-based automated credit scoring solution to calculate your solvency and risk score. To do this, we take into account the information you provide on your credit application and the information we collect about you (including, for example, income, liabilities, and demographic characteristics) and your past payment history. Based on the profile, an automated decision is made as to whether or not your creditworthiness is sufficient to obtain an offer to conclude a credit agreement from one of our creditor partners.
Selection of potential creditors. We use an algorithm-based automated solution that allows us to estimate which creditors would potentially make you an offer in the first place, and which creditors are likely to make you the best offer. To do this, we take into account your profile, the risk appetite profile of the creditors (including the minimum criteria they set) and your past behavior. This allows us to forward credit applications only to those creditors from whom you have a realistic chance of receiving a suitable offer. However, you always have the option to choose to have your credit application sent to all creditors offering credit through the platform, and whose minimum criteria your credit application meets. In this case, the information will be transmitted to the creditor by groups, and the offers will also be displayed by groups accordingly.
Selecting marketing offers that might be of interest. We will also send you personalized offers about our activities and news if you have given consent in your account.
5. What are your rights in relation to your personal data?
If you have any questions about the processing of your personal data, or if you wish to exercise any of the rights set out below, please contact us at firstname.lastname@example.org.
You have the right to exercise various rights in relation to your personal data, but please be aware that these rights are not absolute, and we may not always have obligations or be required to take the actions requested by you. You have the following rights in relation to your personal data:
- Request us to provide you with confirmation of the processing of personal data and provide you with all personal data we process about you. To do this, please explain in your request whether you want confirmation of what personal data we hold about you and/or whether you want a copy of your personal data.
- Request for your personal data to be corrected. This assumes that your personal data is incorrect or incomplete. If this is the case, we will correct and/or complete your personal data as requested by you. To do this, we ask you to specify in your request which personal data needs to be corrected.
- Request the deletion of your personal data. You can request this if (i) we no longer need the personal data for the purposes for which we collected it; (ii) you withdraw your consent to the processing of personal data, and we have no other legal basis on which to continue to process it; (iii) you object to our processing of your personal data, and we do not have compelling legitimate grounds for continuing the processing of your personal data or you object to our processing of your personal data for direct marketing purposes; (iv) we have processed your personal data unlawfully; (v) the personal data must be erased in order to comply with a legal obligation. However, if, despite the foregoing, we need to continue to process personal data in order to comply with a legal obligation or to protect your rights, we may not be able to delete such personal data. In any case, we will explain why we cannot delete personal data in such cases.
- Request to restrict the processing of your personal data. This will be the case if (i) you have pointed out that the personal data is inaccurate and we are verifying its accuracy; (ii) the processing of personal data is unlawful, but you do not want to delete the data, but limit its processing; (iii) we no longer need the personal data for the purposes of the processing but you need it for the purposes of preparing, submitting or defending legal claims; (iv) you have objected to the processing of personal data and we are verifying whether our legitimate grounds for processing outweigh the reasons for which you want the processing to be stopped. Even if the processing of personal data is restricted, we may process such data where (i) you have given your consent; (ii) the personal data is necessary for us to prepare, submit or defend legal claims; (iii) the personal data is necessary for us to protect the rights of a natural or legal person; or (iv) the processing of the personal data is necessary for an important public interest.
- Request the transfer of your personal data. You may request that we disclose your personal data in a structured, commonly used and machine-readable format and you can transfer that data to another controller (or request that we transfer the data) where the processing is based on your consent or on an agreement between us and the personal data is processed by automated means.
- Object to the processing of personal data. You have the right to object to the processing of your personal data where we process it on the basis of your or a third party’s legitimate interest. If you object, we will not process your personal data further unless we can demonstrate that there are compelling legitimate grounds for such processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
- Withdraw your consent to the processing of your personal data. If the processing of your personal data is based on consent, you have the right to withdraw your consent at any time. However, please note that this does not affect the lawfulness of the processing that took place before the withdrawal of consent.
We will respond to your request within one month unless there are circumstances that require us to take longer to respond. In any case, we will inform you of this within one month.
You also have the right to lodge a complaint with the Data Protection Inspectorate if you believe that the processing of your personal data has not been carried out in accordance with applicable law and that your rights have been infringed (the address of the Data Protection Inspectorate is Tatari 39, 10134 Tallinn, Estonia, phone +372 627 4135, email address: email@example.com). If your habitual residence, place of work or place of infringement is in another EU country, you also have the right to lodge a complaint with the data protection supervisory authority of that country.
6. Can we change these terms and conditions?
Yes, but we will let you know if we make any changes via email and the platform.
The Principles on Customer Data Processing were last updated on 29.09.2022.