Processing of personal data by UniCredit Leasing EAD
Data controller details
UniCredit Leasing EAD, UIC: 121887948 (The Company), registered seat and management address: 14, Gyeshevo Street, Sofia, is a controller of personal data and processes your personal data lawfully, in good faith and in a transparent fashion.
Data Protection Officer
The Data Protection Officer of The Company is Mr. Anton Todorov. Contact details:
7, Sveta Nedelya Sq., 1000, Sofia, Bulgaria
Purposes for the processing of personal data
The Company is a financial institution registered in the register of Bulgarian National Bank under No. BGR00192. In order to provide you with a quality service The Company processes information that constitutes personal data for the following purposes:
- Performing lease services and all additional activities that support the leasing business, as well as granting credits with funds which have not been raised from deposits or other repayable funds from the public. The Company processes personal data when:
- Receiving preliminary information necessary for entering into a leasing, financing or other agreement.
- Performing consultation operations for its customers
- Performing operations for a specific operation or a transaction, economic movement and/or change in balance with an immediate or deferred enforcement (e.g. issuing of invoices and other accounting documents to clients)
- Carrying out audits, evaluations of results and tendencies of relations with the clients as well as the risks related to them
- There is willingness on the part of a customer and in the cases when special categories of personal data are processed for specific services/transactions, requested by customers
- In case of resolution of disputes before a competent body (regulatory authority, court, arbitration court, conciliation commission, etc.) in regard with the Company’s activity
- Assessing your creditworthiness, including through profiling so that it can offer you a quality service. During profiling, information about financial indicators, consumer behavior and habits is analysed with the aim of offering a specific product and/or service
- Assessing the reliability and timeliness of payments in granting funds (as leasing or loan)
- Promoting and selling products and services, including through preliminary profiling. During profiling, information about preferences, habits, consumer choices is analyzed in order to improve customer service quality and offer new products and services
- When customer satisfaction surveys are conducted by the Company and the companies within UniCredit Group with the purpose of marketing and market research. This is achieved through interviews, questionnaires and other information research channels
- Selecting outsourcing service providers for the Company. During the selection process for a provider, information, which constitutes personal data, is processed in accordance with Regulation (EU) 2016/679 about personal data protection
- Managing the Company’s relations with outsourcing service providers. Personal data of the provider’s representative or of the provider itself is processed in negotiating and administrating agreements, in cases of court or tax investigations as well as in commercial and legal disputes
- Managing anti-fraud activities. The Company processes personal data when it carries out activities related to fraud prevention, discovery, investigation and management
- Providing security for areas and facilities and ensuring access control. Processing information constituting personal data obtained from surveillance systems, while carrying out Company operations at offices of the Company as well as while managing and controlling visitor flows at entrances and exits protected by electronic control systems
- Processing complaints and other received client requests
- Protecting data, information, application, system and network security
Grounds for Personal Data Processing
The Company processes your personal data pursuant to art. 6, para. 1, letter “b” of Regulation (EU) 2016/679 when “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. When you take steps to enter into an agreement with the Company and/or sign an agreement with the Company, it is necessary to give information which constitutes personal data so that the Company can take the necessary steps to provide you with the product or service that you would like to receive as part of the agreement. If you do not provide your personal data, it would be impossible for the controller to provide you with the requested services, including taking steps before entering into an agreement.
Pursuant to art. 6, para. 1, letter “c” of Regulation (EU) 2016/679, the Company processes personal data in order to comply with legal obligations in its capacity as controller under the Credit Institutions Act, the Consumer Credit Act, the Consumer Protection Act, the Measures against Money Laundering Act, the Measures Against the Financing of Terrorism Act, the Obligations and Contracts Act, the Commercial Act, the Insurance Code, the Civil Procedure Code, any other applicable laws and regulations regulating the Company’s activity, as well as the country’s existing financial, tax and accounting legislation.
Your personal data is processed pursuant to art. 6, para 1, letter “f” of Regulation (EU) 2016/679 for the purposes of the legitimate interests of the Company in cases when the following is performed:
- Anti-fraud actions
- Security and access control
- Audio and video surveillance, audio and video recording for the purposes of security, access control, anti-fraud actions, documenting communicatio
- Upon providing data to third parties: When legal or contractual obligations of the controller are fulfilled or on the basis of other valid legal grounds
- With regard to entities related to the Company, the companies within UniCredit Group for the purposes of following and implementing group policies, reporting, audit activities, credit risk evaluation
- Assessment and improvement of the customer service provided by the Company and the companies within UniCredit Group as well as for the purposes of marketing and market research and analysis
When the processing of your personal data for specific purposes is based on the legitimate interests of the Company, including profiling, you can object to processing for specific purposes at any time.
Categories of personal data recipients
In accordance with the requirements of Regulation (EU) 2016/679 the Company has the right to disclose personal data which it processes to the following categories of recipients:
- Public authorities, institutions, establishments and auditors in cases when the Company has a legal obligation to provide the data. Personal data can be provided with the purpose of receiving preliminary information necessary for entering into an agreement and/or its performance.
- Third parties, individuals, legal entities, public authorities, institutions, establishments, upon fulfillment of legal or contractual obligations or other valid legal grounds.
- Subcontractors of the Company, in their capacity as processors. Processors carry out processing in accordance with an agreement entered into with the Company or another legal act in accordance with the controller. The Company utilizes only those processors which provide sufficient guarantees for the implementation of appropriate technical and organizational measures in compliance with Regulation (EU) 2016/679.
- Entities related to the Company, including the companies within UniCredit Group, when personal data is processed for the purposes of the legitimate interests of the Company; upon implementation of group policies; to improve customer service quality within the companies of UniCredit Group.
- For making inquiries and receiving information from state authorities, institutions, establishments and registers (for example the National Social Security Institute, Central Credit Register, Civil Registration and Administrative Service, Experian Bulgaria EAD, etc.) in order to evaluate your creditworthiness or for the purpose of receiving other types of preliminary information necessary for entering into an agreement at the request of the individual.
- Upon entering into agreements by virtue of which the Company transfers (assigns) its receivables under lease or financing agreements to third parties in accordance with the requirements of effective legislation in the country.
Transfers of personal data to a third country or an international organization
If the necessity arises for the Company to transfer personal data which it has processed to third countries or international organizations, the provisions of Regulation (EU) 2016/679 shall be complied with, including in the case of any possible transfer of personal data by the third country or international organization to another third country or organization.
The Company processes personal data within the terms stipulated in the effective legislation in the country and by regulatory supervisory authorities. After the expiry of legal/regulatory periods, the Company will erase your personal data. Personal data with regard to which there is no explicit legislative/supervisory obligation to be stored shall be erased after the purpose for which it was collected and processed has been achieved.
Exercising rights under Regulation (EU) 2016/679
In addition to the provided information the Company provides the following information regarding your rights as personal data subjects which you can exercise in compliance with the provisions of Regulation (EU) 2016/679:
The right to demand access from the controller to your personal data pursuant to art. 15 of the Regulation.
The right to request from the controller rectification of the personal data concerning you pursuant to art. 16 of the Regulation.
The right to request erasure of your personal data (‘right to be forgotten’) pursuant to art. 17 of the Regulation in cases when:
- There are no legal or contractual grounds for such processing
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- The data subject withdraws consent in cases where personal data is processed only on the grounds that the data subject has given her/his explicit consent
- In other cases stipulated in Regulation (EU) 2016/679
The right to ask for restriction of processing pursuant to art. 18 of the Regulation.
The right to object to the processing of personal data pursuant to art. 21 of the Regulation when processing is based on legitimate interests, including profiling or when data is processed for the purposes of direct marketing which includes profiling.
The right to portability of personal data concerning you which you have provided to the controller under the provisions of art. 20 of the Regulation.
The right to lodge a complaint with the Commission for Personal Data Protection.
The Company provides you with an opportunity to exercise your rights under the Regulation in a clear and accessible way. For your convenience we provide to you a template of Request for Exercising Rights under Regulation (EU) 2016/679.
In case you would like to submit your request/application to the Company in free wording, it is necessary to give specific mandatory details in your request/application so that you can be identified in a timely and due fashion. With the purpose of your timely and due identification and in order to prevent any unlawful use of your personal data available in requests submitted by third parties acting in bad faith, we recommend that you use a specific set of details when submitting your request to the Company:
- Your full name
- Your Personal Number or Foreigner's Personal Number
- Date and place of birth (if you are not a citizen of the Republic of Bulgaria)
- The number of your ID card, date of issue, issuing body, expiry date
- Permanent address/mailing address if different from the permanent address
- Email address if you wish to receive a response on your email address
- Phone number if you would like us to contact you
- In what capacity you would like to exercise your rights under Regulation (EU) 2016/679, for example: a customer/former customer; provider; employee/former employee; legal representative/beneficiary owner/proxy/legal entity related to the company, BULSTAT/UIC/foreign reg. number; in another capacity: person who has accepted the lease facility as representative of the lessor, etc.
- Description of the request/application sent to the controller
- Preferred method of receiving a response from the controller: at the email address or mailing address you have included in your request; at a Company office convenient for you
If the details are incomplete and/or false, we may be unable to satisfy part of/the whole of your request.
We are constantly striving to improve the way we service our customers. In this respect, with the purpose of greater transparency and awareness we provide you with the following options for submitting a request under Regulation (EU) 2016/679:
- At an office of the Company suitable for you
- Electronically: by e-mail to UCL.GDPR@unicreditleasing.bg and a letter signed in accordance with the Electronic Document and Electronic Certification Act
When you submit your request we recommend that you specify the means whereby you would like to receive the response to your request:
- At an office of the Company suitable for you
- Electronically: by e-mail
- At your permanent address or at the specified mailing address