Personal data protection policy of Agency for Control of Outstanding Debts JSC
For us, Аgency for Control of Outstanding Debts JSC (the Company), the protection of your personal data is of primary importance. Therefore, we would like to inform you on what grounds, for what purposes, within what periods and by what means your personal data are processed when you visit our website: www.debtagency.bg and when collecting outstanding debts. We strictly adhere to the applicable data protection regulations in each operation of personal data processing. The General Data Protection Regulation 2016/679 ("GDPR") on the protection of natural persons with regard to the processing of personal data shall apply to the territory of the EU, including Bulgaria, with effect from 25 May 2018). It provides you with enhanced data protection rights, to which our more detailed obligations also correspond; more information on this issue may be found below in this Personal Data Protection Policy (the Policy.
This Personal Data Protection Policy shall explain and govern:
- how and when we collect your personal data, and what information we collect;
- how and why we use your personal data; and
- your rights to control your personal data.
Please carefully read this Personal Data Protection Policy. By accessing and using our website and services, you confirm that you have had an opportunity to read this Policy, that you understand it and that you agree to be bound by it. If you fail to do so, you must immediately cease using our website and any services provided by us.
We may amend this Policy from time to time in order to comply with applicable laws and regulations or meet changing business requirements. You are encouraged to periodically review this page for the latest information on our privacy practices and amendments to our Personal Data Protection Policy. Every time we make an amendment to the Policy, we will notify you of possible effects of the amendment without delay and in summary on our website www.debtagency.bg.
II. General Information.
1. Some terms for better understanding of this Policy:
- “Personal Data” – means any information relating to a natural person, which separately or in combination with other information, may result in their identification or may identify them.
- "Data Subject" – means any alive natural person who is identified or identifiable by means of processed personal data.
- “Personal Data Processing" – means any action that we carry out or may carry out with your personal data, including but not limited to their collection, analysis or destruction.
- “Data Controller" – with regard to personal data it controls, this is Аgency for Control of Outstanding Debts. We define the purpose of your personal data processing, on any of the legal grounds to this effect; in principle, we also define the methods for such processing – for example, the technical infrastructure and applications used for the processing. We assume the responsibilities with regard to the security and protection of your personal data.
- "Data Processor" – this is a third party that processes your personal data upon our assignment, whereas Аgency for Control of Outstanding Debts has strictly defined the purpose and methods of processing, and has verified whether the entity meets the requirements of GDPR. For example, such data processor may be an agency, which is responsible for a marketing campaign of Аgency for Control of Outstanding Debts in social media and issues reports for its success.
- “Personal Data Breach” means any breach of security, which results in accidental or unauthorized destruction, loss, change, unauthorized disclosure of or access to personal data that are transferred, stored or processed otherwise.
- “Digital Archives” – the website www.debtagency.bg, all landing pages supported by the Company, web, native and mobile applications accessible to customers.
2. Who we are?
Аgency for Control of Outstanding Debts JSC е is a company, whose objects of activities include acquisition of loan obligations and other forms of financing (factoring, forfeiting, etc.), as well as any other activity not prohibited by law.
3. How can you contact us?
4. Who is the person within the organization responsible for the protection of my personal data and how can I contact him/her?
5. Type, purpose and grounds of processing of personal data collected by Аgency for Control of Outstanding Debts JSC:
|Provision of third-party partners in view of potential refinancing||Consent|
|Personal identity number, date of birth||
|Provision of third-party partners in view of potential refinancing||Consent|
|Telephone conversation record||
|Identity card data, the data for each nationality of the person||Assessment of the likelihood of collecting debts||Contract|
|Processing and Responding to Claims / Processing Appeal, Payment and Complaints||Legal obligation|
|Telephone/ e-mail address/ short text messages (SMS)||
|Provision of third-party partners in view of potential refinancing||Consent|
|Address (permanent, current)||
|Data from the Central Credit Register to BNB||Debt collection||Contract giving rise to the debt|
|Provision of data as a financial institution||Legal obligation|
|Data on validity of an identity card from the Ministry of Interior||Debt collection||Contract|
|Data from the Registry Agency||Debt collection||Contract|
|Data from the Register oof bank accounts and Save Deposit Boxes BNB||Debt collection||Contract|
|Other data from the credit file provided by the assignor of the debt collection||Debt collection which include actions to determine the elements of the debt (identification of the debtor and amount of the claim)||Contract|
|Bank accounts, motor vehicles, remuneration from the NRA and NSSI, data on property owned by the Local Taxes and Fees department at the debtor's permanent / current address, data on legal proceedings instituted||Debt collection which include actions to determine the elements of the debt (identification of the debtor and amount of the claim)||Contract|
|Contact person details||Ensuring contact with the debtor in order to fulfill his obligations under a cash loan contract||Legitimate interest|
|Employer’ data and details||Execution of loan contract / contact with the borrower in order to fulfill its obligations under a cash loan contract||Legitimate interest|
|Fill name, telephone number, e-mail address, as well as other personal data provided at the initiative of the data subjects in connection with making inquiry, complaint and / or complaint via chat, contact form on the website www.debtagency.bg, to the Company's email address, by telephone or to the storage medium of the Company's address.||Processing and Responding to Claims / Processing Appeal, Payment and Complaints||Contract|
Your personal data will be processed by Аgency for Control of Outstanding Debts JSC only in accordance with the applicable data protection regulations. When you communicate with us through any of the communication channels, you acknowledge that the data you have provided are accurate, correct and up-to-date.
6. For how long will my personal data be stored?
Personal data shall be stored for the time periods required to achieve the purposes for which they have been collected. After achieving the purposes for which personal data have been collected, we will destroy them immediately. In the event that after achieving our purposes we decide to store the processed personal data for statistical purposes, this will be done in the form of storage of anonymous data that cannot identify you in any way.
Аgency for Control of Outstanding Debts JSC shall take all necessary technical and organizational measures for the destruction of data that are no longer necessary, except in cases where there are legitimate grounds for Аgency for Control of Outstanding debts JSC to process them for a longer period of time; when you make a request for restricting processing in accordance with your rights detailed below; or with a view to or compatible with the original purpose for processing of which you will be informed in a timely manner.
The Аgency for Control of Outstanding Debts JSC stores the collected personal data in the following terms:
(a) where the data are lawfully processed in connection with the acquisition of a claim under a cession contract - for a period of 5 years;
(b) where the data are processed on the basis of consent obtained, until the consent is expressly withdrawn.
(c) when the data are processed for the protection of the realization of the rights and interests of the Company, which have a justified advantage over the interests of individuals - until the right is extinguished and / or the interest ceases to exist not less than five years, as access to the personal data of the clients from the telephone conversations is provided by the persons who maintain the information systems of the Аgency for Control of Outstanding Debts JSC in Bulgaria and the call centers for customer service in Bulgaria.
After these deadlines have expired, if there is no other reason for processing the data, they will be deleted. In order to obtain and analyze information related to financial products and services used, as well as to improve services, the Company may only delete part of the data. In such cases, it shall continue to store such part of the data as to prevent individuals from being subsequently identified.
7. Will my personal data be accessible to third parties?
The following categories of persons, that may be processors on the grounds of contracts entered into with the Company, may also have access to your personal data, namely:
- persons supporting the information systems of the Company located in the Republic of Bulgaria, as well as, where appropriate, the customer service centers in the Republic of Bulgaria;
- persons entrusted with the activities related to drawing up, printing, compiling, delivery (including by SMS-messages or by electronic means) of written correspondence sent by the Company to its debtors;
- persons that by virtue of a contract with a Company shall provide assistance in connection with the servicing and collection of its debts from customers;
- accounting companies,
- postal and mobile operators,
- private and state judicial enforcement agents,
- companies providing electronic communications networks and/or services,
- public and/or municipal bodies if there exists a legal obligation.
- Companies and companies, part of the group of Management Financial Group AD (MFG)
Data are provided where there are guarantees that the processors have taken appropriate legal, technical and organizational measures ensuring compliance with applicable data protection laws and protection of your rights and freedoms. Our partners may not use personal data for their own purposes or provide them to third parties without an explicit instruction on part of Аgency for Control of Outstanding Debts JSC.
Аgency for control of outstanding debts JSC provides on a regular basis personal data on its borrowers to the Central Credit Register by virtue of its legal obligation. The Company is obliged to provide personal data on its borrowers to competent authorities and institutions pursuant to applicable law and when such data are lawfully requested.
Аgency for Control of Outstanding Debts JSC does not transfer personal data to a third country or international organization outside the European Union.
Аgency for Control of Outstanding Debts JSC is a joint personal data controller with companies and companies, part of the group of Management Financial Group AD (MFG), which are all MFG related companies within the meaning of paragraph 1, subparagraph 1 from the Trade law as in the case of processing of your personal data by joint controllers, you will be explicitly informed within the meaning of Article 99 of the Obligations and Contracts Act and under Articles 13 or 14 of the General Data Protection Regulation ("GDPR ").
8. How we protect your personal data?
To ensure adequate protection of the data of the Company and our debtors, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act and the General Data Protection Regulation.
The Company has established structures designated to prevent misuse and security breaches, and has also appointed a Data Protection Officer supporting the processes related to protecting and ensuring the security of your data.
For the purposes of ensuring maximum security when processing, transferring and storing your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.
III. Your rights
As a data subject, whose data are processed by Аgency for Control of Outstanding Debts JSC, you shall have rights described in details below.
Аgency for Control of Outstanding Debts JSC shall meet your requests without delay, within 30 calendar days after submitting them. By our decision, we provide or refuse access and/or information requested by the applicant, but we always justify our response. For the purpose of the website of the Company, there is a link to this Policy published on a clearly visible and accessible position.
Applications concerning the exercise of your rights shall be submitted:
- in person or by a proxy who has been expressly authorized by you through a notarized power of attorney at the Company’s registered office situated in the city of Sofia, 29 Panayot Volov Street., floor 3.
- by calling at telephone 0700 200 27
The exercise of rights shall be free of charge and shall cover all structured and unstructured data, as well as all databases supported by the Company.
Exceptions to the time period intended for satisfying the rights and the free of charge basis are allowed in cases of requests made by the same customer of data with a frequency greater than 3 times a year and requiring mobilization of a significant administrative resource on part of the Company. In this case, we may charge a reasonable fee with a view to the administrative costs incurred.
Where the data subject submits a request by electronic means, the information shall be provided, where possible, by electronic means, unless the data subject has not requested otherwise.
When the Company has reasonable concerns in relation to the identity of the natural person who makes a request for the exercise of their rights under this section, the directly responsible person shall immediately consult with the Data Protection Officer in view to the identification of the customer.
You should also consider that the withdrawal of consents provided does not affect the lawfulness of the processing of your personal data before such withdrawal. Despite the withdrawn consent, your personal data may be processed by the Company, if there are grounds for processing the data other than those referred to in Section 5.
You shall have the following rights:
a. Right to be informed
As a data subject, you shall have a right to obtain information on important features of the processing of your personal data, including, but not limited to its purpose, period and grounds, on the recipients and the categories of recipients of the personal data, etc.
In addition to the above information, you should consider that you are not a subject of automated decision making, but we carry out profiling when making checks in public registers, the National Revenue Agency, the Ministry of Interior, the Central Credit Register of the BNB, in order to assess the likelihood of collecting debts.
In accordance with the applicable personal data protection laws, you have the rights specified below, and we are obliged to respond to each of your requests within 1 month of receipt of the request and for no extra charge. In case of any difficulties for the timely fulfillment of such requests, the period may be extended by another 2 months, of which you will be notified within 1 month of receipt of the request.
b. Right of access
You may request information on what personal data concerning you we process, and whether we process such. You may request access to such data.
We will provide you with a statement of personal data that are being processed. For additional statements we may adopt a reasonable fee on the basis of administrative costs. When you submit a request through electronic means, we will provide the information, where possible, in a widely used electronic form unless you have requested otherwise.
c. Right to rectification
If we process incomplete or incorrect personal data concerning you, you have the right to have such data rectified and completed at any time.
d. Right to erasure
You may request to have your personal data erased in the following cases:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent on which the processing is based and there is no other legitimate grounds for the processing;
- you consider that the personal data have been unlawfully processed.
Note that there may be other reasons that can thwart the immediate erasure of your data, such as statutory obligations for storage, pending proceedings, the establishment, exercise or defence of legal claims, etc.
e. Right to restriction of processing
You have the right to obtain restriction of processing, if:
- you contest the accuracy of the personal data for a period enabling us to verify the accuracy of the personal data;
- the processing is unlawful, but you do not want the personal data to be erased and request the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims
- you have objected to processing pending the verification whether the legitimate grounds of Аgency for control of outstanding debts JSC for processing of the data override your grounds.
If you request restriction of processing, we will inform you prior to revoking the restriction of processing.
f. Right to data portability
You may request from us to provide you with the personal data concerning you that we process in a structured, commonly used and machine-readable format and which can be transmitted to another financial institution for example. This shall apply, provided that
- the processing of the particular data is based on your consent or is in relation to conclusion and performance of a money loan contract; and
- the processing is carried out by automated means.
g. Right to object
You have the right, at any time and on grounds relating to your particular situation, to object to processing of your personal data, which is based on legitimate interest necessary for the performance of a task of public interest, the exercise of official powers, if such are provided to Аgency for Control of Outstanding Debts JSC, including profiling based on such grounds.
h. Right to lodge a complaint
Any requests and additional explanations and information related to the exercise of your rights may be directly submitted to the Аgency for Control of Outstanding Debts JSC by contacting the Data Protection Officer referred to in Section 4 above.
Statement for Protection, Confidentiality and Privacy of Personal Data of Job Candidates (in accordance with GDPR)
Standard Forms of Requests and Notices in Accordance with Data Subjects Rights
AGENCY FOR CONTROL OF OUTSTANDING DEBTS JSC with UIC 202527341, having its seat and registered office located at 29 Panayot Volov Street, Floor 3, Oborishte District, 1527 Sofia (the Company), is a financial institution registered under No. BGR00349 in the Register of Financial Institutions maintained by the Bulgarian National Bank under Article 3a of the Credit Institutions Act (CIA), by Order BNB-72794/ 03.08.2015 of the Deputy Governor of the BNB, in charge of the Banking Supervision Department, whose principal activities are acquisition of receivables on loans and other forms of financing (factoring) under Article 2, Paragraph 2, Item 12 of the CIA. The Company develops its activities only in the field of collection of outstanding debts of other financial institutions.
Considering the registration of the Company as a financial institution, the same is an obliged entity within the meaning of Article 4, Item 3 of the Measures against Money Laundering Act.
The Internal Rules and the Risk Assessment adopted by the Company establish standards observed by the Company for the purposes of anti-money laundering and counter terrorist financing.
The Internal Rules for the Prevention and Implementation of Measures against Money Laundering and Terrorist Financing and the Company’s Risk Assessment are aligned with published results of the National Risk Assessment for 2020.
Internal rules and procedures introduce adequate, reliable and legally compliant measures for customer identification, collection of information, criteria for identifying suspicious customers and transactions, procedures for transfer and exchange of information, and all other standards, rules, programs and procedures in accordance with the regulatory requirements within the EU and the Republic of Bulgaria.
The main goal and understanding set forth in the Internal Rules of the Company is to achieve the maximum level of compliance of the business activities with applicable legislation and good practices in the field of prevention of money laundering, which is one of the pillars for maintaining and enhancing the good commercial reputation of the Company inside and outside the EU.
As part of the measures against money laundering, the Company is obliged to investigate the origin of the funds with which customers repay debts and make payments to the Company. Information is collected by asking questions about existence of income, including income originating from employment and business legal relationship, benefits of a permanent nature, inherited funds, etc.;
In view of that Company’s obligation, customers are required to fill in and send a Declaration of Origin of Funds within the meaning of Article 66 of the MMLA and with previously approved requisites under Appendix No. 4 to Article 47, Paragraph 1 of the Regulations for the Implementation of the Measures against Money Laundering Act, in the form set out below.
Please fill in the blanks of the form below with the information relevant to your case, bearing in mind that the data declared by you are protected and cannot be disclosed to third parties, except to those public bodies authorized under the Measures against Money Laundering Measures Act and Regulations for its Implementation within their powers established by a law (MMLA, MFTA, SANSA and FSCA).