This policy is applicable, if the Client uses, have used or plans to use services provided by BPM, including relationships with the Client that were established before the entry into force of this Policy.
1. TERMS USED IN THIS POLICY:
1.1 Client – any natural person, who uses, have used or plans to use services provided by BPM.
1.2 Processing – any activities that are carried out with personal data (including collection, registration, storage, change, granting of access, request, transfer, etc.).
2. GENERAL PROVISIONS
2.1. This policy includes a description of general principles of data processing by BPM. Particular information on personal data processing may be included in the agreements that may be concluded or have already been concluded between the Client and BPM, as well as reflected on the homepage www.BPMwallet.io;
2.2. BPM guarantees non-disclosure and security of personal data by technical and organisational measures, ensuring physical and environmental security of Personal data, restricting the right of access to Client’s Personal data, transmitting Client’s personal data in encrypted form, ensuring protection of computer network and personal devices, data backup and other protection measures, therefore ensuring Clients’ Personal data protection against illegal access, use or disclosure.
2.3. Within the framework of Personal data processing by BPM, the access to Clients’ Personal data is granted only to authorised BPM employees and employees of cooperation partners, who uses data for operational needs and process Clients Personal data, complying with the technical and organisational requirements of Personal data processing provided by the legislation. Service providers (data processors), authorised by BPM to carry out Clients’ Personal data processing, before the start of cooperation are thoroughly assessed and informed on a set of security measures they need to take in order to ensure Clients’ Personal data processing, confidentiality and protection as required by the legislation.
2.4. In order to ensure qualitative and immediate implementation of obligations of the agreement concluded with the Client, BPM can authorise its cooperation partners to carry out specific tasks or ensure service provision. If, by fulfilling these tasks, cooperation partners process Clients’ Personal data available to BPM, cooperation partners concerned are considered data processors, and BPM is entitled to transfer as much of the Clients’ Personal data to cooperation partners that is required for the performance of such activities. BPM cooperation partners are obliged to ensure compliance with the requirements of Clients’ Personal data processing and protection in accordance with a procedure prescribed by law, and not to use Clients’ Personal data for other purposes.
3. CATEGORIES OF PERSONAL DATA
3.1. Categories of personal data, which are primarily but not exclusively collected and processed by BPM are as follows:
3.1.1. Identification data, such as, name and surname, personal identity number, date of birth, information of identification document, a copy of identification document, photo, etc.;
3.1.2. Contact information, for instance, phone number, email address and residential address;
3.1.3. Professional data, for instance, education, workplace, profession, position, job experience, etc.;
3.1.4. Financial information, for instance, income and proof of income documents, financial liabilities, bank or payment institution’s account number, investment purposes and experience, etc.;
3.1.5. Data that allows BPM to carry out client research activities in relation to prevention of money laundering and financing terrorism, compliance with sanctions requirements, including information on economic activity, cash flows, publicly available information, transaction reasons and whether the Client is a politically exposed person, information obtained from inspections of the list of sanctions, etc.;
3.1.6. Data on the Client’s tax residence, for instance, data on the country of residence, tax identification number, citizenship;
3.1.7. Communication data – are collected when the client contacts BPM, via phone conversation, using visual and/or audio recordings, emails, messages and other forms of communications, for instance, social media, data related to the Client’s visit session on the homepage www.Bpmwallet.io or communication, using other communication channels provided by BPM (for instance, online chat);
3.1.8. Information related to the Client’s participation in BPM competitions, campaigns and promotions – information related to the competitions, lotteries, prize draws, campaigns and promotions, including announcement of winners and awarding prizes to winners, assigning and using unique codes, etc.;
4. PURPOSE AND LEGAL BASIS OF PERSONAL DATA PROCESSING
Before Personal data processing, BPM always assesses purposes for which the Client’s data will need to be processed in advance. BPM carries out Personal data processing for at least one of the following purposes:
4.1. In order to manage clients’ relationships in general, ensure and manage access to financial services offered by BPM, including, to inform and explain about BPM online or mobile services etc.
4.2. In order to protect Client’s, third person’s and/or BPM interests and check the quality of services provided by BPM, to prove a commercial transaction or other commercial communication (registered conversations), based on the performance of the agreement or at the Client’s request, take measures before concluding the agreement, or for the fulfilment of lawful duties of the Client or BPM, or for the protection of legitimate interests of BPM, in order to prevent, restrict and investigate abuse or illegal use of financial services of BPM or disruptions in service quality insurance; within the framework of money laundering and terrorist financing prevention, to verify the data on the Client in publicly available sources of information; to assess Client’s conformity and suitability for the services offered by BPM.
4.3. In order to provide additional services, conduct client surveys, market analyses and statistics, as well as to offer BPM service to clients or carefully selected cooperation partners, and create personalised offers based on the Client’s consent.
4.4. In order to organise actions and campaigns for the Client based on the legitimate interests of BPM, improve BPM services, improve Client’s user experience, develop and test new products and services;
4.5. To carry out marketing activities for clients’ attraction, in order to, based on the Client’s provided consent, provide offers of financial services, including receipt of personalised offers and other notifications; in order to identify potential client and client groups, carry out their assessment and research.
4.6. In order to comply with a legal obligations and identity verification. To comply with the applicable law, for instance, to identify the client, to prevent, detect, investigate and report on possible money laundering, terrorist financing, if the Client is subject to financial sanctions or is a politically exposed person, inform the Client on changes in Personal data processing, process requests and complaints received from Clients; to comply with the requests of state/investigation and other law enforcement authorities, authorised bailiffs and other public authorities and persons designated by law; to carry out risk management.
4.7. In order to prevent improper use of services and provide appropriate services. In order to ensure and control assess to digital channels and their activities, prevent unauthorised access and misuse, and ensure security of information, based on the fulfilment of the arrangement or to take measures based on the Client’s request before the agreement conclusion. In order to improve technical systems, IT infrastructure, customise the display of the service on devices and develop services provided by BPM and IT infrastructure.
4.8. In order to process incoming and outgoing payments.
5. CLIENTS’ PERSONAL DATA COLLECTION
BPM obtains the Client’s Personal data:
5.1. when the Client provides them:
5.1.2. applying for BPM services; 5.1.3. contacting BPM via mail, email, phone, online chat.
5.2. when the Client uses BPM services:
5.2.1. providing information about payments or submitting orders;
5.2.2. visiting BPM homepage and using mobile application, including, Client’s profile data, as well as data on the service use habits;
5.3. when third persons provide them:
5.3.1. BPM cooperation partners, who provide information to the Client about BPM, conduct market survey;
5.3.2. providing services within loyalty programmes and partner programmes;
5.3.3. cooperation partners companies;
5.3.4. database providers, registers, provided for under the law;
5.3.5. public and law enforcement authorities, and their officials.
6. RECIPIENTS OF PERSONAL DATA
In certain cases, BPM may transfer Client’s Personal data to other data recipients. BPM will not transfer more Personal data that it is required for a certain Processing purpose. Recipients can process Personal data as data processors and/or data controllers. When the recipient processes Client’s Personal data for himself as a data controller, the recipient is responsible for the provision of information to data subjects on the Processing of such Personal data. In this case BPM recommends the Client to contact this recipient in order to receive information on the Personal data processing carried out by the recipient. Personal data can be shared with other recipients for BPM service provision, for instance:
6.1. Supervisory authorities (Consumer Centre, Data Protection Agency and other authorities), on the basis of requests submitted in writing or BPM obligations imposed by the law.
6.2. BPM related companies – business partners;
6.3. Credit and financial institutions, in order to process incoming and outgoing payments; 6.4. Legal and financial consultants or any other processor, authorised by BPM;
6.5. Third party keeping the register (for instance, Population Register, Commercial Register or other register, which contains Personal data);
6.6. Other persons, related to BPM service provision, for instance, Client’s identification providers, mobile application or homepage development providers; postal service providers or analytical service providers.
6.7. In certain cases, for execution of requests, competent national authorities, such as, Financial Intelligence Department, court, investigation authorities, Prosecution Office, bodies performing operational activities, Anti-Fraud Office, State Revenue Service, and other persons specified in the legislation, for instance, sworn enforcement officers, notaries;
6.8. In cases laid down in the legislation, public and law enforcement authorities, investigation authorities, courts, sworn enforcement officers, sworn notaries.
7. AUTOMATED DECISION-MAKING AND PROFILING
7.1. When initiating cooperation or providing services to the Client, with an aim to reduce the number of human errors and speed up the process, BPM makes automated individual decisions, providing remote identification services, for instance, verifying information included in the identification document, ensuring human control of operations carried out.
7.2. Within the framework of automated individual decision-making, profiling may be carried out in the form of Personal data processing, in order to assess and predict Clients’ economic situation, personal preferences, interests, reliability, behaviour. Profiling applies to automated Personal data Processing, is used to assess client’s certain personal characteristics.
7.3. BPM may use automated systems, for instance, for payment control, Clients research, identification of unusual and suspicious transactions, sanctions risk management in accordance with the effective Latvian legislation, ensuring human control of operations carried out.
7.4. BPM may use automated systems for Personal data processing or profiling to improve the experience of digital service users. Unless direct marketing is not limited by any Client’s wishes, BPM can process personal data in order to provide customised and personalised BPM services offers.
7.5. BPM always ensures the Clients with the opportunity to make their choices freely and use user-friendly tools to manage their confidentiality settings.
7.6. BPM can also aggregate statistical data about the Client, for instance, typical behaviour and lifestyle patterns, based on demographical and household information. Statistical data for segment profile creation may be collected from external sources and combined with BPM internal data.
7.7. If the Client receives a decision that is based on an automated decision-making, including profiling, the Client has the following rights:
7.7.1. to receive a proper explanation of the grounds for the decision made;
7.7.2. to refer to an employee, in order to ascertain the correctness of the assessment of the decision assessment; 7.7.3. to express his opinion. 7.8. In order to exercise the above mentioned rights, the Client shall contact BPM.
8. GEOGRAPHIC DATA PROCESSING
8.1. As a general principle, it has been specified that Personal data are processed in the European Union/European Economic Area (EU/EEA).
8.2. Taking into consideration global nature of financial services and technological solution, in order to ensure Clients’ Personal data processing for the purposes stated herein, for the provision of specific services, the Client’s Personal data may be transferred for Processing to the Personal data recipient located outside the territory of the European Union and the European Economic Area, for instance, if the provision of services is ensured by a cooperation partner (processor, separate controller, joint controller). Any such international transfer of Personal data is carried out in compliance with the requirements of the Regulation and, in these cases, we ensure Personal data Processing procedures laid down by law and protection level, equivalent to that laid down in the Regulation.
9. DATA STORAGE PERIOD
9.1. The period of BPM Clients’ Personal data storage depends on the purposes of data processing and assessment criteria for Clients’ Personal data storage period. Despite the variable factors, Personal data are not processed longer than necessary.
9.2. Data storage period can be based on an agreement with the Client, BPM legitimate interests or applicable laws (for instance, laws related to provision of credit for consumption, accounting, money laundering, human rights, etc.). If, during the assessment, BPM determines different justified Client’s Personal data storage periods, for instance, if the period specified for the protection of BPM interests differs from the storage period specified by the laws and regulations, it will be a sufficient basis for Client’s Personal data storage for a longer period.
10. RIGHTS OF THE CLIENT AS A DATA SUBJECT
10.1. The Client (data subject) has the right regarding his data Processing, which, according to the applicable laws, is classified as Personal data. These rights are usually as follows:
10.2. To request that his Personal data are modified, if they are insufficient, incomplete or incorrect.
10.3. To disagree with Personal data processing, if Personal data use is based on legitimate interests, including profiling for the purposes of direct marketing (for instance, receipt of marketing offer or participation in surveys).
10.4. To ask for deletion of those Personal data that are, for instance, processed on the basis of consent, if the Client has withdrawn his consent. BPM ensures deletion of Client’s Personal data available to BPM, as well as deletion of such data available to cooperation partners, if Personal data will no longer be necessary for purposes, for which they are processed by BPM. Such rights are not applicable, if Personal data requested to be deleted, are processed based on other legal reasons, for instance, an agreement or obligations arising out of applicable legal enactments, for instance, ensuring periods for information or document storage.
10.5. To restrict Personal data processing in accordance with the applicable legal enactments, when BPM assesses whether the Client has the rights to delete his data.
10.6. To receive information on whether his Personal data are processes by BPM, and, if so, to ask to ensure access to the data, receiving from BPM.
10.7. a confirmation or rejection of whether BPM processes Client’s Personal data;
10.8. Information on the Clients’ Personal data, processed by BPM;
10.9. Additional information on the Clients’ Personal data processing, in order to ascertain accuracy of Personal data, and whether BPM processes Client’s Personal data in accordance with the legal requirements. In certain cases, BPM may ask the Client to specify the scope of his request, for the Client to provide specific indication, for what information and to which Processing activities the request applies, as well as to ask to explain the reason for the request. In cases when the law does not permit it, BPM cannot provide information to the Client on the Personal data processing, for instance, within the framework of the requirements of the law on Anti-money laundering and countering terrorism financing, BPM is prohibited to inform the Client about the information provision to the Financial Intelligence Department, as well as, whether the information is provided to law enforcement authorities, prosecutor’s office, court.
10.10. To receive the provided Personal data and, if required, to send such data to other service provider (data portability). Considering that the information subject to the Client’s Personal data portability can contain third party information as well, BPM, prior to data transmission, will carry out impact assessment of such Personal data transfer regarding the rights and freedoms of third parties.
10.11. To withdraw the consent for Personal data processing, for instance, by changing Client’s profile settings at BPM homepage or in mobile application.
10.12. To withdraw from a fully automated decision-making regarding the object, including profiling, if such decision making has legal consequences or significantly affects the Client. These rights are not applicable, if decision-making is required for conclusion or execution of agreement with the Client, if decision-making is permitted in accordance with the applicable legal enactments or if the Client has provided his explicit consent.
11. CONTACT INFORMATION
11.1. Clients can refer to BPM with any proposals, withdrawal of consent, requests, using data subject rights and claims concerning Personal data use.
11.2. In all matters concerning Clients’ Personal data processing, the Client can refer to BPM, contacting BPM.
11.3. BPM contact information is available at BPM website www.BPMwallet.io.
11.4. BPM is entitles to unilaterally amend this Policy at any time in accordance with the applicable legal enactments, notifying the Client on any amendments, through BPM website, not later than one month before the amendments enter into force.
INFORMATION ON SEPARATE DATA PROCESSING FOR RECEIPT OF NOTIFICATIONS AND OFFERS
BPM processes Client’s Personal data for the purposes of sending notifications and offers, including personalised offers, only if the Client has provided his Consent. According to the Consent provided by the Client, BPM will send the Client:
- up-to-date information about services provided by BPM, for instance, personalised offers within the framework of clients’ loyalty programmes, etc.; other notifications related to:
- opportunities to participate in the organised actions, campaigns and other activities for customers;
- greetings on the Client’s birthday, name day, and other holidays (for instance National holidays, Easter, Christmas, and other celebrations);
BPM provided commentaries on the topical issues in global economy;
- opportunities to express your opinion on BPM provided services and their quality, participating in the organised customer surveys;
- social responsibility and support projects;
- BPM performance, awards, special provisions. BPM as a controller of Clients’ Personal data, on the basis of the Client’s provided Consent for receipt of notifications and offers, will process the following Client Personal data sets:
- Client’s identification data – name, surname, personal identity number and/or date of birth, client number;
- Client’s contact information – phone number, email address;
- Client’s personal data related to the Client’s behaviour – the types of BPM services used and their usage patterns, for the preparation of personalised notifications. Sending of notifications and offers will be carried out by BPM or its designated cooperation partner (processor), on the basis of Client’s consent, processing such Client’s personal data – name, surname, contact information (phone number, email address). BPM will thoroughly assess its cooperation partners before assigning Clients’ Personal data processing. BPM will process Client’s Personal data until the end of validity of:
- Client’s Consent;
- activities and offers, for which the Customer has given Consent. BPM stores Client’s provided Consent in accordance with the storage period prescribed by the law. Consent to the Clients’ Personal data processing for receipt of notifications and offers can be withdrawn by the Client at any time in the following ways: by email;
- on the homepage in the Client’s profile, in mobile application; via phone.
- Withdrawal of consent will not affect the lawfulness of Clients’ Personal data processing before the withdrawal of Consent.
- Client’s Personal data collector sending notifications and offers, including personalised offers, as well as carrying Client identification, is BPM. In all matters concerning Clients’ Personal data processing, the Client can refer to BPM. All the information will be handed over to the employee in charge, who will provide a response to the Client’s request. In accordance with the law, BPM ensures the Client with rights, upon submitting a written request, to access his Personal data, amend or delete them, restrict their Processing, object to their Processing, as well as to transfer them. In case of violation of the customer’s privacy, the Client is entitled, for protection of his interests laid down by the law, to submit a complaint to BPM, Data Protection Agency or bring an action before the court.