Privacy policy

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA (according to Art. 13 and Art. 14 of Regulation (EU) 2016/679)

As a personal data controller, MyFin EAD ("MyFin" or "the Company") strictly adheres to the legal and regulatory provisions regarding the collection and processing of personal data. Customer satisfaction in all its aspects is a priority for us, especially when it comes to your data. Therefore, we consider it our duty to exercise due diligence in the processing of your personal data and to take all possible measures for their protection from unlawful actions. We hereby inform you of the processing of your personal data, of the rights you have in relation to data protection, and provide you with the information under Art. 13 and Art. 14 of Regulation (EU) 2016/679 of the EP and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - GDPR). The content and scope of the data processed are in line with the type of products and services you wish to use, or are already using. MyFin EAD holds a license to operate as an electronic money institution and provide payment services, issued by Decision No. 71 of 27.02.2020 of the Governing Council of the Bulgarian National Bank which supervises its activity, and is duly entered in the public register of electronic money companies, maintained on the website of the Bulgarian National Bank at www.bnb.bg, respectively in the Register of payment and electronic money institutions maintained on the website of the European Banking Authority (EBA) at https://euclid.eba.europa.eu/register/.

INFORMATION ABOUT THE PERSONAL DATA CONTROLLER AND CONTACT DETAILS

Controller – MyFin EAD,

UIC 206066023

Headquarters and registered office:

37, Dragan Tsankov Blvd.

1797 Sofia

Phone: 0700 16 429

BIC/SWIFT: MYFNBGSF

Website: www.myfin.bg

Data Protection Officer of MyFin EAD:

Jivka Pushkarova

First Investment Bank AD

81G Bulgaria Blvd.

1404 Sofia

E-mail: dpo@myfin.bg

FOR WHAT PURPOSE AND ON WHAT GROUNDS DO WE PROCESS YOUR PERSONAL DATA?

The Company processes your personal data on the following legal grounds (in certain cases, processing may be based on more than one ground):

A. Performance of a contract

In the performance of an existing contract between you and the Company, as well as in taking pre-contractual steps. Processing is done so that we may provide you with the product or service you have applied for, as well as for their use during the term of the contract. This includes:

• Performing transactions, provision of the requested products and services;

• Performing analyses;

• Notifications on the performance;

• Notifications on important changes in the transactions or terms of use of the product/service.

B. Legal obligation

Compliance with our legal obligations such as:

• identifying you, as well as verifying your identification in accordance with the Law on Measures against Money Laundering;

• performing automatic exchange of financial information under the Tax and Social Insurance Procedure Code;

• providing information to state bodies and institutions such as BNB, NSSI, NRA, courts, prosecution, SANS and others, in compliance with the relevant legal procedures;

• performing creditworthiness assessment, and risk assessment and management in the Company.

As a credit institution, we comply with a number of regulations that, in addition to the above, include laws such as the Law on Credit Institutions, the Markets in Financial Instruments Act, the Law on Consumer Credit, the Law on Consumer Real Estate Loans, the Payment Services and Payment Systems Act, the Law on Measures Against the Financing of Terrorism, the Law on Obligations and Contracts, the Civil Procedure Code, the tax and accounting legislation, as well as the regulations related to the supervision of the activity, e.g. by the BNB and FSC.

C. Legitimate interest

We process your personal data for the purposes of the legitimate interests pursued by the Company or by a third party, for example in cases such as:

• review and optimization of analytical needs and procedures for direct customer access – e.g. testing the achieved goals and ways to improve products in line with customer requirements, improving customer service;

• market research, advertising and polls conducted when you have not objected to the use of your data;

• video surveillance to collect evidence of criminal acts, or to provide proof of transactions (for example ATM transactions) and to protect clients and employees;

• phone records (e.g. of alerts, notifications of lost payment instruments, provision of information, contact center inquiries);

• sending communications about the products and services used through SMS, letters, emails, telephone calls and others, not related to marketing purposes;

• measures related to business management, improvement of services and products and customer retention;

• measures to protect employees, clients and the property of the Company (such as the Company's access regime);

• prevention and investigation of fraud and criminal acts;

• ensuring the IT security and IT operations of the Company;

• complaints and claims, disputes, including in court proceedings;

• risk management in MyFin EAD (e.g. management of operational risk in carrying out transactions, credit risk in determining total exposures, etc.).

D. Task carried out in the public interest

In case we carry out tasks in the public interest or in the exercise of official authority vested in the controller. In such situations, the Company may assist a public authority by sharing personal data for the purpose of preventing or detecting a criminal offence.

E. Your consent

In cases where we process your data based on your consent, processing shall be within the scope and for the purposes set forth in your consent. Any given consent may be revoked at any time under the terms of the document Procedure for the exercise of rights related to personal data (Appendix 1).

Examples of processing of personal data based on your consent include the processing of biometric data (facial characteristics) in case of video identification, as well as the processing of data from your Contacts list (described below).

Data from your Contacts list (list of contacts and telephone numbers) and your e-mail address are processed for the purpose of opening, administering and starting the MyFin application, as well as for performing internal transfers through a secondary identifier (Peer to Peer or mobile number to IBAN) and receiving notifications for transactions. We will collect your Contacts/phone numbers and send them to our servers to check if they are linked with the IBANs of other MyFin customers. This is required to enable payments to a phone number, e.g. transfers through a secondary identifier (mobile number to IBAN). Your Contacts will not be stored on our servers.

WHAT PERSONAL DATA DO WE PROCESS?

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The information we process depends on the product/service that you use or apply for.

General information we process for all products/services – personal information (e.g. names, address, date and place of birth, nationality, EGN, email address, phone number); identity verification data (e.g. signature specimen); identity document details (such as ID card number);

Depending on the type of product or the way of registering we process data on existing contractual obligations (such as financial information, bank account numbers);

information about your financial status (e.g. data on your creditworthiness, scoring or rating, etc.); marketing data (advertising, sales); documented data (e.g. consultation records);

recorded data, image and voice data (e.g. video or phone records); biometric data (for example in case of video identification);

information from your electronic communication with the Company (e.g. cookies);

data from your Contacts list in case you consent (names, telephone numbers, profile picture, profile name);

results generated by the Company as a result of processing; data on compliance with regulatory requirements.

For users of credit products, additional information may be found in Appendix 2.

For users of payment services, additional information may be found in Appendix 3.

For users of investment services, additional information may be found in Appendix 4.

The Company uses automated decision making, including profiling in accordance with the requirements of Art. 22 of the GDPR to give you the best possible service. Evaluation of personal aspects is done to inform you about certain products and services. It is possible that, when considering applications for certain credit products, decisions are partially taken without human intervention on the basis of predetermined criteria for assessing creditworthiness. Profiling is also done in implementation of mandatory regulatory provisions, such as the legislation on measures against money laundering, terrorist financing, investment services and activities.

SOURCES OF INFORMATION

We collect the data we process directly from you, when you apply for a particular product or service online, as well as in the course of our relationship. In cases where the personal data are provided by a representative, such representative must inform and provide to the person represented this document.

We also process information we have legally and legitimately obtained from institutional registers such as the Central Credit Register (BNB), the Register of Bank Accounts and Safe Deposit Boxes (BNB), the NSSI, the Chamber of Private Enforcement Agents, Register of Bulgarian Personal documents (MI), from publicly available sources such as the registers of the Registry Agency, from the media, or from officially published lists of persons to whom sanctions apply.

WHO MAY HAVE ACCESS TO YOUR DATA?

Within MyFin EAD, your data is received by those employees who need access to it for the performance of a contract, for obligations and regulatory provisions, or for the protection of legitimate interests.

Service providers, agents, contractors and subcontractors with whom we work and who have undertaken obligations and are responsible for the processing of personal data under current legislation, may also obtain the data, for example: companies operating in the field of banking services, IT services, authentication services (providing identification processes, e.g. video identification), logistics, insurance companies, telecommunications, photocopying, debt collection, consultancy, sales and marketing, including companies from the Group of First Investment Bank AD for risk management purposes; correspondent banks, depositaries, exchanges, payment system operators, information desks, depending on the services we provide to you.

The Company also provides client personal data to third parties in compliance with legal obligations applicable to credit institutions, or for the purposes of measures against money laundering and terrorist financing, the automatic exchange of financial information, the prevention and investigation of fraud related to banking activity, as well as when necessary for the provision of a specific service.

Based on your explicit consent, for the purpose of executing payments via a secondary identifier (Peer to Peer), the data from the Contacts list on your mobile phone, stated above, can be seen by other users of MyFin EAD who are at the same time in your Contacts list. You consent and authorize MyFin EAD to access the Contacts list on your mobile device also for the purpose of indicating the mobile phone numbers of other users of the service.

STORAGE PERIOD OF YOUR PERSONAL DATA

MyFin EAD stores your personal data in compliance with the statutory provisions and protecting the legitimate interests of the Company, the retention period depending on the type of documents and services used. For example, in the case of a general 5-year period, the Accountancy Act requires that data from accounting registers, including tax audit documents subject to subsequent financial inspections, are stored for 10 years. Retention periods may be extended further, for example in the case of litigation, extension of the limitation period due to interruption, as well as in the implementation of legal provisions and requirements of supervisory authorities.

HOW TO EXERCISE YOUR RIGHTS CONCERNING THE PROTECTION OF YOUR PERSONAL DATA?

For submission of requests/statements regarding the processing of your personal data, please refer to the document "Procedure for the exercise of rights related to personal data" (Appendix 1).

ARE YOU OBLIGED TO PROVIDE US YOUR PERSONAL DATA?

Within our business relationship, you are obliged to provide the personal data required for the initiation, performance and termination of your relationship with the Company, as well as for ensuring compliance with the applicable contractual obligations or legal requirements. In the event you do not provide the necessary data and documents, we shall not be able to enter into contractual relationship with you, or continue such relationship.