Privacy Policy

Data protection

We process personal data for various reasons and we are committed to protecting our customers’ rights and privacy and keeping their information safe. This Privacy Policy describes how we collect, use, store and protect personal data in a safe way.

Saldo Finance Oyj acts as the controller. By using our website, services and products and having contact with us, you agree that your data can be collected, processed and disclosed in accordance with this Privacy Policy.

Why do we collect your data?

Collecting data is necessary in order to provide our customers with services and products, as well as to comply with and operate within the requirements of the law. We use data to develop our operations and products, as well as to communicate with our customers.

Information we collect

Personal data is primarily collected directly from our customers. This information includes, for example, your name, national identity number and address information. We also collect information about the use of our products and services. However, we also need other information, which we use to complement the primary information and to ensure that the information is accurate and up to date.

Data recipients

In principle, we do not disclose personal data. However, information can be disclosed with our service providers in order to provide better service for our customers, make better informed credit decisions and operate in a way required by law.

Your rights concerning your personal data

Our customers always have the right to review the personal data we have collected and update any possibly incorrect or expired information, as well as to request the deletion of personal data which is not necessary for processing, or prohibit or cancel direct marketing, marketing surveys or polls.

The use of automated decision-making system

Our credit decisions are based on automated decision-making. Our customers have the right to request that their credit decisions will be made manually, to express their opinion or dispute automated decisions, when the decision produces legal effects concerning them or that significantly affects them in a similar way.

1. Controller

Saldo Finance Oyj (Business ID 2360614-4),

Juhana Herttuan puistokatu 3,

20200 Turku,

FINLAND

Tel.: 06000 55000 (2,00 €/min + pvm/mpm, queuing costs pvm/mpm)

Email: asiakaspalvelu@tact.fi

2. Party who manages the register

Controller’s contact person: The data protection officer.

Access requests: tietosuoja@tact.fi,

or in writing to

Saldo Finance Oyj / Data Protection,

Juhana Herttuan puistokatu 3

20200 Turku,

FINLAND

Legal questions about processing personal data: The data protection officer

3. Register name

The customer register of Saldo Finance Oyj

4. The purpose and legal basis of processing personal data

The purpose of processing personal data is to manage tasks and develop services in consumer credit operations, make credit decisions, identify and recognise data subjects, manage customer relations and communications, carry out risk management and direct marketing, as well as targeting services to customers and complying with regulations and government guidelines regarding the storage of information, reporting and information requests.

The personal data stored in the register will also be used to profile customers in order to accelerate and enhance the credit decision process. Profiling is necessary. The personal data is also used in order to make a credit agreement between the controller and the data subject, as well as to fulfill the controller’s legal obligations.

As regards direct marketing, personal data is processed with the data subject’s consent to ensure the legitimate interest of the controller.

If the data subject does not deliver the requested information related to making a credit agreement, the controller cannot accept or process the data subject’s credit application.

The controller and the other companies that belong to the same corporation at the time, as well as their partners, have the right to use and disclose the register’s data for justified purposes (such as direct marketing, distance selling and other direct marketing, market surveys and polls as well as other related statistics and mailed deliveries) in accordance with the Data Protection Act of Finland.

The controller can record telephone conversations between the customer and the customer service and use these recordings to verify customer service events and to train customer service personnel.

5. Retention periods for personal data

Personal data is processed for the duration of the contractual relationship. After the contractual relationship has ended, the data is deleted after 10 years in accordance with the controller’s deleting process.

If the credit applicant and the controller do not enter into a credit agreement, the received personal data will be removed after 24 months starting from the day the application was received.

The controller and other companies that belong to the same corporation at the time can process personal data after the contractual relationship has ended for direct marketing purposes in accordance with the applicable laws.

6. Description of data subject groups, register’s information content and personal data groups

Basic information about an individual, such as a customer ID, national identity number, name, town, language, rank, profession, education, employer (name and telephone number), starting date of customer relationship, address, credit and default information

Code information, such as status information (including estate, guardianship, bankruptcy, debt collection activities). Contact information, such as telephone numbers, email addresses, IP address.

Address information, such as delivery address, postal number and town, direct marketing prohibition.

The person’s customer information, such as account, credit, contract and application information, or information about how they are involved in aforementioned customer information.

Information required by legal obligation, such as the necessary information required by the law regarding the investigation and prevention of money laundering and terrorist financing.

The information registered with a direct marketing register including the person’s basic information: name and contact information.

7. Regular sources of personal data

Personal data is collected from the data subject, the Digital and Population Data Services Agency of Finland, the credit information register of Suomen Asiakastieto Oy or Bisnode Finland Oy, Posti Group Oyj, official registers to the extent permitted by law, as well as information regarding previous credits received from other creditors with the applicant’s consent in order to process their credit application.

In addition, personal data is collected from independent credit intermediary companies when the applicant submits their credit application to a credit intermediary. If the applicant does not enter into a credit agreement with Saldo Finance Oyj, the applicant’s personal data is deleted from the controller’s customer register in accordance with section 5.

8. Disclosure of information

Information can be disclosed to the extent necessary to the companies that belong to the same corporation as the controller, as well as other service providers and debt collecting partners regarding debt collection. The information can also be disclosed to other creditors with the customer’s consent through Suomen Asiakastieto Oy’s mutual system.

The controller may disclose information to the extent permitted and limited by current law, for example when answering requests for information from authorities.

In some cases, we might transfer personal data outside the European Economic Area. We perform these transfers only when Data Protection Regulations give them a legal basis. A basis could be that the European Commission has decided that the country in question has an adequate level of data protection, or the transfer is carried out using appropriate safeguards.

9. Data protection principles

Guidelines have been established regarding the use of customer register, and the register’s users must be identified. Not only are the users identified, but their access privileges and the registration of the access rights are also monitored carefully. The location and protection of devices which store the register have been established with care, and appropriate safeguards have been placed to protect the files and information. Documentation which has not been stored electronically is being stored appropriately in a safe and locked facility. Appropriate access control has been set up in the controller’s facilities.

10. Rights of the data subject

The data subject has the right to

request access from the controller to their personal data, rectification of their data, erasure of their data, to restrict the processing of their data, or object to the processing of their data or transferring it from one system to another;

to review and correct their personal data when necessary. The request must be submitted to the controller in writing. The data subject has the right to change the incorrect information about them in the register.

to the extent that the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent at any time without changing the legality of the processing performed before the consent was withdrawn;

demand human involvement in automated decision-making, such as profiling;

express their opinion and dispute a decision concerning profiling; make a complaint about the data processing to the Data Protection Ombudsman.

The customer always has the right to prohibit the use of their data for direct marketing and market survey purposes.

11. Right of access

The data subject has the right to know what information has been stored about them into the register, or whether their information has been stored in the register. Signed access requests must be submitted in writing to the company’s postal address.

12. Right to rectification

The controller must either on their own initiative or because of the data subject’s demand to rectify, remove or complete inaccurate, unnecessary or incomplete personal data.

If the controller does not rectify the information, the controller must give a written justification for their decision with reasons why the data subject’s request has been denied. The data subject can request that the Data Protection Ombudsman reviews this decision.

The controller must inform all recipients of the personal data about the rectification, and inform the sources of this inaccurate information if informing them is possible and would not involve disproportionate effort.

13. Cookies and tracking

The controller collects, processes and analyses information related to the use of their website. Network traffic data is information related to website users which is processed in order to send, deliver and enable communications over the communication network.

The controller uses cookies and similar technology to deliver products and services to customers, offer a safe network environment, carry out marketing, enable improved customer experience online, track website analytics and offer as interesting content as possible. This data is not used to identify individual users.

The customer can select from the browser settings whether they accept cookies. If cookies are not accepted, the person is able to use the website, but the selection can limit the functionalities of the website and the services.

More information about cookies can be found from the controller’s website.

14. Amendments to Privacy Policy

We continue to improve and develop our services, products and website which means that changes can be made to our Privacy Policy. If the changes are significant, we will inform the data subjects about them when required by law, and this notification will be posted on the controller’s website.