Privacy and Data Protection Policy (GDPR)
The provision of your personal data is performed voluntarily and for the use of certain services, i.e. the use of the Web site and/or accessing it, as well as applying for a loan online. Please keep in mind that Lenno JSC shall not be able to provide you with the services you have asked for, i.e. a loan, etc., if you do not provide the necessary information. Please, also take in mind that in some particular cases your consent for the processing of personal data may not be required, if Lenno JSC has a different legal basis for processing your personal data, i.e. fulfillment of legal obligations.
WHO PROCESSES YOUR PERSONAL DATA AND WHO IS LIABLE FOR IT
Lenno JSC is a joint stock company, incorporated in accordance with the Bulgarian legislation and registered with the Commercial register and register of NPLE with UIC 203217465, registered as a financial institution with the Register under art. 3a, para. 1 of the Credit Institutions Act, having registered number BGR00341 kept by the Bulgarian National Bank, and Lenno JSC collects, processes and keeps your personal data as per the requirements described hereinafter. You can contact Lenno JSC at any of the following coordinates
Registered office at 2 Maria Luiza Blvd., 5th floor, 1000, municipal district of Oborishte, city of Sofia; Phone number: 0700 42 442; Email: info [at] lenno.com; Personal data officer’s coordinates: 2 Maria Luiza Blvd., 5th floor, 1000, municipal district of Oborishte, city of Sofia;Email: privacy [at] lenno.com;
CATEGORIES OF PERSONAL DATA, PROCESSED BY LENNO JSC
In the course of services provision Lenno JSC is entitled to process publicly available personal data and/or personal data known to Lenno JSC upon the exercise of its legal rights and obligations and/or personal data, provided by you. The general types of processed personal data are:
• Personal identification information: first name, middle name and surname, personal identification number, date of birth, place of birth, citizenship, sex, identification document number;
• Contact details: including domiciling address, address for correspondence, different from the domiciling address, your phone number or a number of a contact person, email address and others);
• Data on employment, occupation / position, work experience, education, previous employment, skills, qualifications and others;
• Marital status information (children not of age; spouse’s names and PIN);
• Financial information (bank accounts, sources and amount of income, usual expenses (i.e. rent, utility, property tax and other expenses);
• Data on real rights status (tangibles and real estate);
• Information about a representative (legal representative or a proxy) of a client;
• Data on indebtedness to natural or legal persons (such as names, PIN, etc.) and details of liabilities of the same (size, currency, repayment term, overdue, etc.);
• Data on collateral of liabilities (including foreign ones) to banks and other persons (type, secured receivable, debt arrears);
• Data on initiated enforcement proceedings and insolvency or liquidation procedures;
• Your health data;
In order to ensure a good-quality performance of the services and the obligations arising from the agreements thereof, Lenno JSC shall be entitled to process any information which publicly available or available in registers accessible to Lenno JSC in the capacity of financial institution.
SOURCES THROUGH WHICH LENNO JSC COLLECTS INFORMATION
• Online credit registration or credit application on the Web site;
• Documents provided for clients’ identification upon loan application;
• Documents provided for research of the client’s creditworthiness and properties, subject to collateral;
• Transactions related to the services provided by Lenno JSC;
• Online job application form;
• Email and chat communication, as well as telephone conversations incoming or outcoming from Lenno JSC;
• Visiting the Web site of Lenno JSC;
• Companies part of Lenno group in case services are provided jointly;
• Power of attorney to a representative of a client (if there is a representative elected or appointed);
• And all other sources, which help generate the legal minimum of information, which Lenno JSC is required to collect.
For the avoidance of doubt companies part of Lenno group means all companies part of the holding structure of Lenno JSC and Lenno Limited, a company registered in England and Wales under registration number 12008730, having registered office at 64 New Cavendish Street, London, United Kingdom, W1G 8TB.
PURPOSES AND LEGAL BASIS FOR PERSONAL DATA PROCESSING
Lenno JSC processes personal data for the following purposes:
1. Processing of personal data that is required for creditworthiness, signing and execution of agreements, or related to preparation of agreements’ documents, or upon job application:
• Creditworthiness and risk assessment upon loan agreement, collaterals assessment and other preparative actions for the purpose of concluding a loan agreement;
• Determination of loan parameters according to customer request and risk assessment;
• Providing specific parameters for a loan;
• Identifying a client upon: signing of a new or a amendment of an existing agreement; detailing of the services provided thereto; execution of an agreement;
• Preparation of contractual offers, sending pre-contractual information and contract draft;
• Data received from the client in the course of performaning contractual obligations, exercise of rights and assurance of performance of contracts;
• Up-to-date identification of users of the Web site as clients;
• Processing job application before Lenno Global Advisory JSC;
• Accepting and answering clients’ complaints and/or requests;
• Debt payments, rescheduling of due amounts; management of receivables collection;
• Sharing important information regarding changes herein and other relevant information;
2. For the execution of its legal duties, Lenno JSC processes your data for the following purposes:
• Issuing invoices;
• For performing tax-insurance control of the competent authorities and determining the tax in the tax area;
• Providing information to the Commission for Personal Data Protection in relation to the obligations laid down in the regulation for personal data protection – the General Data Protection Regulation (EU) 2016/679 from 27 April 2016, etc.;
• Obligations provided for in the Tax-Insurance Procedure Code and other related statutory instruments in relation to the keeping of proper and lawful accounting;
• Prevention of fraud, money laundering and terrorist financing.
3. Lenno JSC processes personal data obtained with the explicit consent of the client for the following purposes:
• Direct marketing of products and services.
4. The processing is required for the purposes of the legitimate interests of Lenno JSC:
• For the purpose of ensuring security and protection of Lenno JSC’s and its visitors’ and employees’ property, interests and safety, Lenno JSC maintains video surveillance equipment;
• Assessing the level of clients’ satisfaction, as well as the efficiency of the advertising target;
• Ensuring the quality of clients’ service (video recording and audio recording).
CATEGORIES OF THIRD PARTIES THAT MAY ACCESS AND PROCESS YOUR PERSONAL DATA
Lenno JSC does not disclose collected and stored nonpublic information and the client’s personal data before any unrelated third party or to related parties, unless it is permitted by the applicable law or with the explicit consent and permission of the client.
Depending on the product or service, as well as certain restrictions regarding confidential information, personal data of clients and information may be disclosed to:
1. Insurers with which Lenno JSC has a contract in its capacity of Insurance Intermediary;
2. Persons who are assigned by Lenno JSC to maintain the equipment and software used for the processing of your personal data;
3. Debt collection services providers, notary public persons, lawyers, bailiffs or any other third party provided that the client has non-performed a contractual obligation;
4. Banks servicing the payments made by and to you;
5. Persons to whom Lenno JSC has provided the execution of part of the activities or obligations associated with a specific service provided to you; personal data processors who, on the basis of a contract with Lenno JSC, process your personal data on behalf of Lenno JSC as well as other companies of the holding structure of Lenno in the course of provision of related services or activities;
6. Natural persons providing services related to contracts signing: notary public persons; lawyers; proxies;
7. Natural persons or legal entities providing consultancy services in different areas - lawyers, accountants, marketing agencies, etc.;
8. Courts and other competent authorities, institutions, and persons to whom Lenno JSC is obliged to provide personal data under current legislation;
9. Security companies holding a license to perform private security activities processing the video recordings on the territory of Lenno JSC offices and / or maintaining other registers in the course of ensuring the access regime in the same sites;
10. Companies part of Lenno group in case services are provided jointly;
11. Other third parties which provide services to the companies part of the group of Lenno.
HOW LONG DOES LENNO JSC KEEP YOUR PERSONAL DATA
The time period for keeping your personal data depends on the processing purposes for which they were collected:
1. Personal data processed for the purpose of concluding/amending and executing contracts between Lenno JSC and you or a company represented by you- within the contract period and as of the definitive settlement of all financial relations between the parties. Lenno JSC may keep part of your personal data for a longer period of time until the expiration of the applicable limitation period in order to be protected from any client’s claims regarding performance / termination of contracts as well as in case of a legal disputes that has been already arisen until its final settlement by a court / arbitration adjudication that has entered into force.
2. Personal data processed for the purpose of issuing accounting / financial documents for the implementation of tax and social security regulations including, but not limited to - invoices, debit notes, credit notes, handover protocols, contracts for provision of service/goods, shall be kept not less than 11 years as from expiry of the limitation period for extinguishment of the respective public claim, unless the applicable law provides for a longer period.
3. Personal data processed for the purpose of direct marketing - to the explicit withdrawal of the given direct marketing consent or receipt of an objection to the processing of personal data for the purpose of direct marketing.
4. Video surveillance data from security cameras - up to 100 days as from recording creation. Phone calls shall be kept for up to 5 years from the call.
5. Data received for the purpose of signing an insurance contract, including health condition data – for the term of the insurance contract.
6. Personal data processed for the purpose of preventing fraud and money laundering shall be kept for a period of 5 years after the final settlement of all financial relations between the parties under Art. 67 of the LMML.
7. Personal data processed for the purpose of analyzing and evaluating job applications shall be kept for a period of 1 year after application or until the consent is explicitly withdrawn by the applicant.
YOUR RIGHTS IN RELATION TO THE PROCESSING OF YOUR PERSONAL DATA
1. General rights
You have the following rights described below, related to the processing of personal data, which you may exercise at any time while Lenno JSC keeps or processes your personal data by sending a request to the address of the Lenno JSC referred to above or electronically by e-mail: privacy [at] lenno.com.
Any client is entitled to access his/her personal data collected by Lenno JSC upon written request. Lenno JSC shall be obliged to grant access solely to the data concerning the respective client, where personal data of third persons may be disclosed in the course of exercising the rights described above. Upon exercising his/her right of access, any Lenno JSC client shall be entitled at any time to request:
• confirmation of whether his/her personal data are being processed, information for the purposes of such processing, categories of personal data, and recipients or categories of recipients to whom personal data are disclosed;
• to be notified in writing in a plain form and the notification shall contain his or her personal data that are being processed, as well as any available information about their source;
• information about the logic of any automated processing of personal data.
Any client shall be entitled, at any time, to request from Lenno JSC to:
• erase, rectify or block his/her personal data, the processing of which does not comply with the applicable legislation;
• notify any third persons to whom personal data have been disclosed of any erasure, rectification or blocking carried out in accordance with the preceding paragraph unless a notification is impossible or involves excessive effort.
Any client in relation to his/her personal data, shall be entitled to:
• object before Lenno JSC the processing of his or her personal data in the presence of a legal basis for this; where the objection is justified, the personal data of the client concerned can no longer be processed;
• object the processing of his or her personal data for the purpose of direct marketing;
• be notified prior to the first disclosure of his or her personal data to third persons or prior to their use for the purpose of direct marketing, as the respective client shall be entitled to object such personal data disclosure or use.
2. Complaint before a supervisory authority
You have the right to submit a complaint directly to the supervisory authority, i.e. Commission of Personal Data Protection, having its seat address at: 2 Prof. Tsvetan Lazarov, 1592 Sofia, Bulgaria (www.cpdp.bg).
In case you have any questions and / or complaints about the processing of your personal data and / or the exercise of the above rights, you can contact the Data Protection Officer (on the contacts detailed above).
Upon assessing the appropriateness of the investment services provided by Lenno JSC and the investment activities carried out, Lenno JSC DOES NOT perform profiling as the processing of your personal data is not automated. The preparation of the assessment is strictly individual for each client and is done in accordance with the requirements of the law by certain employees to whom the Lenno JSC has commissioned this assessment.
4. Objection against the direct marketing
You have the right to object to the future processing of your personal data for the purposes of direct marketing and advertising as well as to disclosure to third persons and personal data use on their behalf for the purposes of direct marketing and advertising by withdrawing your consent at any time. For this purpose, you can send an electronic message requesting the respective suspension of your personal data use for the purpose of a direct marketing at: privacy [at] lenno.com.
5. Can you refuse to provide personal data to Lenno JSC and what are the consequences of it?
Non-provision of such data may impede the ability to assess the appropriateness and expedience of personal data processing and lead to obstruction for providing you with the type of service you have requested and / or to conclude a contract under the terms and conditions you require.
6. Portability of personal data.
You have the right to request that your personal data be transmitted or transferred to another data controller in a structured, widely used and machine readable format. If it is technically feasible, Lenno JSC shall transfer the data directly. In order to facilitate the workflow and reduce the engagement of its clients, the companies of the Lenno holding structure shall be entitled to transfer personal data in order to provide new services within the holding structure and without the express request of the clients.
HOW DOES LENNO JSC PROTECT YOUR DATA
Lenno JSC applies organizational, physical, IT and other required measures to ensure the security and protection of your personal data and the monitoring of the processing of personal data.
These security measures include, but not limited to, the following activities:
• Lenno JSC has established the requirements for processing, registering and keeping personal data by implementing internal procedures, the observance of which is constantly supervised;
• The access of Lenno JSC employees to personal data and permission to process personal data in the Lenno JSC database is limited, depending on their duties;
• Lenno JSC has established confidentiality obligations for its employees;
• Access to the office equipment of Lenno JSC and the computers of each employee is limited;
• For maximum security when processing, transferring and keeping your personal data, Lenno JSC may use additional protection means such as encryption, pseudonymisation, etc.;
• The security measures applied are subject to constant improvement and adaptation to state-of-the-art technologies.