Data protection policy of Julianus Inkasso OÜ
1. The purpose of the data protection policy
1.1 The purpose of the data protection policy is to provide those people whose personal data is processed by Julianus Inkasso OÜ (“Julianus Inkasso”) in their daily activities with information about which personal data, how and for what purpose is processed by Julianus Inkasso, and what the person’s rights are in relation to the processing of their personal data.
1.2 Disclosure of data protection policy fulfills the notification obligation arising from Articles 13 and 14 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation).
1.3 The definitions given in the General Data Protection Regulation have the same meaning in the data protection policy as in the General Data Protection Regulation.
For more detailed information or if you have any questions, you can contact Julianus Inkasso using the contact information provided in clause 2.1.
2. About the processor
2.1 Julianus Inkasso OÜ, with registry code 10686553, address Harju County, Tallinn, Põhja-Tallinn district, Toompuiestee 35, 10149, is a company providing debt collection services. The contact phone number of Julianus Inkasso is +372 681 4400, and the email address is inkasso@julianus.ee. The data protection specialist’s email address is andmekaitse@julianus.ee.
2.2 Julianus Inkasso is the controller of personal data if Julianus Inkasso has acquired a debt claim and collects the debt in its own name. We also offer an e-collection solution, processing the personal data of our cooperation partners or creditors (from natural persons) or representatives of creditors when offering our services.
2.3 Julianus Inkasso is the authorized processor in the processing of personal data of the debtors and in the collection of debt claims, the personal data of other related persons if Julianus Inkasso collects the debt on behalf of its client, i.e., on behalf of the creditor. In this case, the controller is the respective creditor.
3. Application of data protection policy
3.1 Julianus Inkasso is based on this data protection policy whenever it processes personal data in the provision of its services or processes the personal data of a cooperation partner or client or the aforementioned representatives. The data protection policy also applies to e-collection, self-service, and the processing of data from visitors to the Julianus Inkasso website (as personalized data). Julianus Inkasso’s work is always based on the principles stated in the data protection policy and the data subject’s rights when processing personal data.
3.2 Julianus Inkasso can unilaterally change this data protection policy. Material changes will be noted either on the Julianus Inkasso website, by email, or in another suitable way.
3.3 The Data Protection Inspectorate of the Republic of Estonia (https://www.aki.ee/et) is Julianus Inkasso’s supervisory authority in the processing of personal data.
3.4 Julianus Inkasso is not responsible for web links on its website, or in other web solutions it manages, which lead to the pages of other service providers. The pages of other service providers are governed by the terms and conditions of the respective service providers. Processing of personal data in Julianus Inkasso’s social media channels takes place in accordance with the platform’s privacy policy (processing by the respective platform provider) and in accordance with this data protection policy and platform requirements (processing by Julianus Inkasso). If Julianus Inkasso uses third-party software during the provision of its service, these software providers process personal data in accordance with their privacy policy and the data processing agreement between Julianus Inkasso and the respective service provider (if any).
3.5 This Julianus Inkasso data protection policy is a translation of the Estonian language document. In the event of a dispute or interpretation, the basis and starting point is the Estonian language version of the original document of Julianus Inkasso’s data protection policy, which is legally binding and is available here: https://julianus.ee/andmekaitsetingimused/
4. Data processing principles, categories, and sources
4.1 Julianus Inkasso is based on the following principles when processing personal data: legality, fairness, transparency, purposefulness, collection of as little data as possible, accuracy, limitation of storage, integrity, confidentiality, and integrated data protection and default data protection.
4.2 Julianus Inkasso processes the personal data of the following data subjects: natural person client (creditor), legal person client (creditor) board member or employee, natural person debtor and legal person debtor board member, third parties involved in debt proceedings (e.g., the person who pays the debt on behalf of the debtor) and guarantors, heirs, representatives. Julianus Inkasso may process the personal data of a deceased person.
4.3 Julianus Inkasso mainly receives personal data from the client creditor. However, the following types and sources of personal data may also be processed during the provision of the service:
4.3.1 Details of the creditor or its representative: full name, strong authentication success information (if used), username (if used); contact details (email/telephone), correspondence/communication, position, authorizations; if a company, then company information, including representative details; confirmation of the correctness of the data – generally provided by the creditor; the check can be carried out based on the data of the Commercial Register and/or Krediidiregister OÜ;
4.3.2 Debtor: information may depend on the circumstances, generally: full name, strong authentication success information (if used), username (if used), social security code/date of birth, contact (address, phone number, email address), debt information; tax behavior information, property status information (real estate, holdings, etc.), payment default information – information is generally obtained from the creditor, but in part the information can be obtained and checked from various public registers or with the help of service providers (Population registry, other inquiries depending on the circumstances: publication Ametlikud teadaanded, Transport Administration, Marital Property Register, Succession Register, Land Register, information from bailiffs);
4.3.3 Claim/debt information: amount, payment information (e.g. partial payment information), type, circumstances (time of occurrence and other circumstances), related documents; other information provided by the parties, which may contain personal data (depends on the requirement – contract, correspondence, certificates, etc.) – information generally provided by the creditor; the debtor can provide information on their part – the check can be carried out from various public registers or with the help of service providers (Population Register, other inquiries depending on the circumstances: publication Ametlikud teadaanded, Transport Administration, Marital Property Register, Succession Register, Land Register, information from bailiffs);
4.3.4 Third-party information: persons related to the debt, e.g., guarantor or successor, information of the person who paid off the debt of another person, representative information, etc. – generally full name, social security number/date of birth, contact details, connection to the debtor/debt – generally obtained from the creditor or from other sources when checking the debt data;
4.3.5 Technical information/usage data: data generated when using e-collection and self-service and visiting the website – strong authentication information, service usage information and history, the user name (if any), logs (login and movement), date and time, computer operating system and browser used, the country from which our website is visited, time zone, request content, access status code, volume of transmitted data, browser settings, browser software language and version, active browser plug-ins, IP address, other data collected through cookies (more information in the cookie solution on the website) – recording of the data subject’s activity in e-collection, self-service and on the website;
4.3.6 Information obtained from public registers and service providers: Julianus Inkasso verifies the information submitted by the creditor to a reasonable extent, including information about the creditor themselves from various public registers and service providers (Population Register, other inquiries according to the circumstances: Publication Avalikud teadaanded (information about public announcements – date, type of announcement, preview of announcement), Transport Administration, Marital Property Register, Succession Register, Land Register (number of registered immovables), Commercial Register, Krediidiregister OÜ and Creditinfo Eesti AS, information from bailiffs; Tax and Customs Board (existence of tax debt, date, type of claim, timing, dispute); Riigi Teataja (number of court decisions). Thus, Julianus Inkasso processes the corresponding information that is provided in the registers/sources;
4.3.7 Payment default information, availability of debt information, claimant information, claim date/end date, claim information (principal debt + secondary claims; state fee, representation fee (if any)); document proving the debt, field, status, dispute, contact details of the debtor (email/telephone/address, index/residence), creditor’s comment (if any) – source when entering the creditor’s debt data, Population Register;
4.3. 8 Data related to the dispute (personal data varies depending on the dispute, but generally: name, personal identification number, the content of the dispute, result) – directly from the data subject, creditor, and data generated during the procedure.
4.4 Processing of personal data in various services/solutions:
4.4.1 E-collection (for the creditor): In Julianus Inkasso e-collection, the creditor can submit debt claims and check the status and information of debt claims by logging in with strong authentication and/or password. In this case, Julianus Inkasso processes the data provided by the creditor, debtor, and debt information, as well as creditor information and technical information from e-collection.
4.4.2 Self-service for the debtor: The debtor can see and check their information through self-service. The debtor can also pay their debt through self-service. Through self-service, Julianus Inkasso processes strong authentication success or other login information (with password) and debtor, debt, payment (if performed), and technical information.
4.5 In addition, Julianus Inkasso may also process the following types of personal data:
4.5.1 Image of the data subject in video recordings at our physical locations (remaining on security camera recordings);
4.5.2 payment data (invoicing) of the client /cooperation partner (if a natural person) – payment and claim data collected during accounting (including current account data, etc., if appropriate);
4.5.3 other data of the client/cooperation partner/debtor (if a natural person) and representatives – for example, feedback/ data provided as feedback in surveys;
4.5.4 other data provided by the data subject (in communication with us or e-collection/self-service, email, chat, telephone conversations, recordings thereof);
4.5.5 other collected or combined data (information collected through cookies with the consent of the data subject).
4.6 More detailed information about the processed personal data, the basis, and the purposes of the processing can be found at Annex 1 – Overview of processed personal data.
5. PURPOSES AND LEGAL BASIS OF DATA PROCESSING
5.1. If Julianus Inkasso collects a debt on behalf of a creditor without acquiring the claim itself, then Julianus Inkasso is the authorized processor, and the creditor is the controller. In such a situation, Julianus Inkasso is based on the agreement with the creditor, and the basis of the processing is the same as the controller (generally, either legitimate interest or performance of the contract).
5.2 Julianus Inkasso is the controller when the debt claim is acquired. In such a case, the basis for processing a debt claim upon demand is generally legitimate interest and § 10 of the Personal Data Protection Act.
5.3 Julianus Inkasso is also the data controller for the provision of e-collection and self-service regarding its website, the personal data of its employees and its customers/cooperation partners (natural persons), and legal persons of representatives of customers/cooperation partners. When offering e-collection to a creditor as a customer (a natural person), the processing is generally based on a contract (General Data Protection Regulation art. 6 (1) b); however, the processing of data of debtors and other persons is generally carried out on the basis of legitimate interest.
5.4 In addition to the above, Julianus Inkasso may process personal data on the following grounds and purposes:
5.4.1 Processing of personal data on the basis of consent (General Data Protection Regulation art. 6 (1) a). On the basis of consent, Julianus Inkasso processes personal data precisely within the limits, to the extent and for the purposes for which the data subject has given their consent. The data subject’s consent must be freely given, specific, informed, and unambiguous (e.g., ticking a box on a website). The data subject always has the right to withdraw their consent at any time. Withdrawal of consent does not affect the legality of the processing of personal data based on consent prior to the withdrawal of consent.
5.4.2 Processing of personal data for the conclusion and performance of a contract (General Data Protection Regulation art. 6 (1) b). When concluding and performing the contract, we may process personal data for the following purposes:
(a) taking of measures before the conclusion of the contract, which is necessary for the conclusion of the contract or which the data subject requests (then the full name, contact data, personal identification data, other background check and authorization data are used);
(b) fulfilling assumed obligations (e.g., billing) (payment information, account information, service usage information);
(c) communication-related to the provision of the service, including sending information and reminders about the execution of the contract or the use of the service (service use information, contact details);
(d) protection of rights and claims (depending on the data, all collected data may be used);
(e) detection, prevention, and resolution of technical problems (depending on the problem, all collected data may be processed);
(f) providing and maintaining the service, including monitoring the use of the services and website provided by Julianus Inkasso (mainly website usage data is used, but all data may be processed).
5.4.3 Processing of personal data due to a legal obligation (General Data Protection Regulation art. 6 (1) c). In this case, Julianus Inkasso processes personal data to fulfill a legal obligation in accordance with the law and to the extent stipulated therein. For example, there is an obligation to preserve accounting documents arising from the Accounting Act, employment contracts, and other specific employment relationship information arising from the Employment Contracts Act.
5.4.4 In addition to the aforementioned legitimate interest (General Data Protection Regulation art. 6 (1) f) in connection with the collection of debt claims and the provision of Julianus Inkasso services, Julianus Inkasso may also use the legitimate interest as a basis for processing personal data for the following purposes:
(a) development of services and website (mainly anonymously; depending on the development, however, all data may be used);
(b) to ensure a better experience to provide higher quality services, Julianus Inkasso can monitor the use of its service and website, analyze the identifiers and personal data collected when using the website, service, social media pages, and other sales channels, and collect statistics about partners, users, and visitors; usage data may also be processed;
(c) sending offers/information to a customer or potential customer if the person concerned has previously purchased or shown interest in a similar product and if such processing is permitted in a particular jurisdiction. In this case, the person is always guaranteed a simple option to opt out of the communication, and Julianus Inkasso has taken into account their own interests as well as those of the (potential) client. If you have informed us that you do not wish to receive such offers/information, we will retain information about such prohibition;
(d) providing feedback/making surveys and measuring the effectiveness of marketing activities (customer and debtor contact data and general service usage data are used);
(e) Julianus Inkasso can make recordings and log data, including technical data; Julianus Inkasso stores messages sent on its own premises as well as via means of communication (email, telephone, etc.), as well as information provided by itself and other activities. If necessary, these recordings are used to prove/present/defend the information or other activities/claims presented in the communication, detect possible personal data violations, and resolve claims of the data subject. The recordings may also be used to make sure that the employees of Julianus Inkasso follow the good practice of the procedure and, in particular, the requirements arising from the legislation in their communication with the debtor;
(f) technical and cyber security reasons, such as measures to combat piracy and ensure the security of the website, as well as to make and maintain backup copies and to prevent/eliminate technical problems (depending on the problem, all data may be processed);
(g) processing for organizational purposes, in particular for the management and processing of personal data for the purposes of internal management (as well as for audits and other possible supervision), including the processing of personal data of customers or representatives (mainly general use of services and customer data);
(h) preparation, submission, or defense of legal claims, including assignment or transfer of claims (depending on the claim/problem, all data may be processed);
(i) for the purposes of administration, strategic management, and service provision, we may transfer personal data between group companies on the basis of legitimate interest (generally customer information, debt information if necessary);
(j) for enabling business transactions, e.g., if we or our group company is involved in a merger, acquisition, or sale/purchase of assets, we may transmit and receive personal data necessary to complete the transaction;
(k) viewing, perusing, and forwarding payment defaults (Julianus Inkasso can forward and receive information from the default payment registers managed by Krediidiregister OÜ and Creditinfo Eesti AS) (see also clause 6.1).
The data subject has the right to get acquainted with the legitimate interest assessment evaluating the processing of his personal data by writing to andmekaitse@julianus.ee. Julianus Inkasso identifies (e.g., by means of a digitally signed request) the data subject before completing the request or issuing personal data.
5.5 If Julianus Inkasso processes personal data for a purpose other than the one for which they were originally collected, if the processing is not based on the consent of the data subject or on European Union or Member State law, then Julianus Inkasso carefully evaluates the permissibility of such new processing. In order to determine whether processing for a new purpose is compatible with the original purpose of collecting personal data, the following shall be taken into account, among other things:
(a) any connection between the purposes for which the personal data is collected and the purposes for the intended further processing;
(b) the context of the collection of personal data, in particular, the relationship between the data subject and the processor;
(c) the nature of the personal data, in particular, whether special types of personal data or personal data related to convictions and crimes are processed;
(d) possible consequences of the planned further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymization.
6. RECEIVERS, PROCESSORS, AND FORWARDING OUTSIDE THE EEA
6.1 Julianus Inkasso may transmit the debtor’s payment default data for disclosure on the taust.ee website (Krediidiregister OÜ) and creditinfo.ee website (Creditinfo Eesti AS) for the sake of the reliability of transaction turnover and in accordance with the General Data Protection Regulation, the Personal Data Protection Act, and the current instructions of the Data Protection Inspectorate. In accordance with the applicable regulation, Julianus Inkasso may transmit and disclose information about legal entity debtors and related persons.
6.2 Julianus Inkasso may forward data related to debt claims and payment default data to companies belonging to the same group and to OÜ Julianus Õigusbüroo, which provides creditor representation services in court and enforcement proceedings. Also, Julianus Inkasso may transfer its own or its customers’ debt claims from its European Collectors Association member cooperation partners in foreign countries for collection, following the necessary requirements and implementing security measures. Julianus Inkasso uses software programs in their daily work, the providers of which adhere to the agreed measures to ensure the protection of personal data.
6.3 Julianus Inkasso may issue personal data to state authorities (police, security agencies, prosecutor’s office, etc.) and courts on the basis of legislation requiring the release of data for the purpose of fulfilling information requests from state authorities and courts. The request and related correspondence and documents will be stored for up to 10 years from the date of fulfillment of the data protection requirement or its justified refusal.
6.4 In addition to the above, Julianus Inkasso may transfer personal data to its cooperation partners or service providers, who are bound either by a duration contract or a one-time service provision contract. In addition, cooperation is carried out with persons to whom the personal data of the data subject may be transferred within the framework of cooperation and for this purpose. Such third parties are:
(a) advertising and marketing partners (generally receive website usage data in non-personalized form, contact data);
(b) companies organizing customer satisfaction surveys (get contact information);
(c) other debt collection service providers (name, contact details, debt information);
(d) various advisors, e.g., legal service providers (depending on the service, they may have access to all personal data);
(e) payment default registers (relevant debtor and payment default data),
(f) ICT partners, i.e., providers of various technical services (depending on the service, they may have access to all personal data);
(g) invoice forwarding service providers (name, contact details, invoice details);
(h) provided that the respective purpose and processing are lawful, and in the case of authorized processing, personal data is processed in accordance with our instructions and on the basis of a valid contract.
6.5 As a general rule, Julianus Inkasso does not transfer personal data outside the European Economic Area (EEA). Should the transfer outside the EEA take place, then in compliance with the requirements of Chapter 5 of the General Data Protection Regulation. For example, personal data may be transferred if there is a protection adequacy decision* (see Article 45 of the General Data Protection Regulation) or the EU standard terms and conditions (see Article 46 of the General Data Protection Regulation) or if the company is included in the new EU-US Data-Privacy Framework list***. Julianus Inkasso takes all reasonably necessary measures to ensure that personal data is processed securely and in accordance with this data protection policy. More information about transfers outside the EEA can be obtained by writing to the email address andmekaitse@julianus.ee.
*Adopted protection adequacy decisions can be found here.
**The text of EU standard clauses can be found here. The data subject can ask for the text of specific standard clauses related to the transfer of their personal data.
*** The Data-Privacy Framework list can be found here.
7. PERSONAL DATA STORAGE PERIOD
7.1 As the controller, Julianus Inkasso follows the purpose of the processing when choosing the storage time of personal data, the expiration dates of claims in case of possible claims, and the storage periods stipulated by law. Personal data is stored as long as necessary, depending on the purpose of the processing. Certain personal data is stored in accordance with the requirements of the applicable law, e.g., accounting data for seven years and employment contract data for ten years. Personal data whose retention period has expired will be destroyed or anonymized. Personal data for which we are the authorized processor is stored in accordance with the controller’s instructions.
7.2 Julianus Inkasso generally stores personal data related to the provision of debt collection services and the acquisition and collection of debt claims for 15 years due to the combined effect of Section 146, “Expiry of the limitation period for claims arising from transactions” subsection 4 (10 years) of an Act on the General Part of the Civil Code and § 10 Section 2 subsection 5 (5 years) of the Personal Data Protection Act. Due to suspension of expiration (e.g., negotiation time) and interruption, the actual data storage period may be longer by the time of suspension/interruption. We may store personal data related to a claim arising from an effective court decision or other enforcement document, including in enforcement proceedings, for ten years from the decision/enforcement document (§ 157 of an Act on the General Part of the Civil Code), considering that the suspension and interruption of the expiration may extend the storage period.
7.3 We store personal data related to customers, service consumption, and disputes during the validity of the contract for an additional ten years to protect possible legal claims.
7.4 As a rule, call recordings are not kept for longer than five years. The recording of the call may be kept for longer than it is used as evidence and is necessary for presenting and defending legal claims, including in court. In this case, the recording will be kept until the end of the relevant proceedings.
8. RIGHTS OF THE DATA SUBJECT
8.1 The data subject has the right to receive information about whether and how Julianus Inkasso processes their personal data. The data subject’s rights are not absolute, and Julianus Inkasso must assess each request to determine whether and to what extent the data protection legislation enables the request to be fulfilled. For example, Julianus Inkasso does not delete data related to default data on debt claims and payments because processing these data is necessary for the preparation, submission, and defense of legal claims. This is the basis for refusal of deletion according to the General Data Protection Regulation.
8.2 The data subject has the following rights arising from the General Data Protection Regulation:
8.2.1 The data subject has the right to access their personal data being processed, as well as to receive a copy of their personal data.
8.2.2 The data subject can request correction of their personal data and restriction of processing.
8.2.3 The data subject may demand the deletion of personal data for which the person has given consent, and the processor has the right to consider the deletion of personal data processed on other legal grounds (legitimate interest) in certain cases, e.g., in the case of a legal processing obligation, deletion does not take place.
8.2.4 The data subject can object to the processing of their personal data and demand the termination of the processing of their personal data.
8.2.5 As a general rule, Julianus Inkasso does not process personal data based on consent. However, in the case of cookies, for example, the data subject can withdraw their consent to the processing of personal data at any moment. The withdrawal of consent does not affect the lawfulness of the processing that took place before the withdrawal.
8.2.6 The data subject has the right to transfer certain personal data; that is, in certain cases, the data subject has the right to receive the personal data in a machine-readable form with them or to transfer it to another controller.
8.2.7 The data subject has the right to get acquainted with the legitimate interest analysis of the data processing concerning their personal data (to get acquainted with the legitimate interest analysis, please send a request to the email address andmekaitse@julianus.ee; to avoid issuing data to the wrong person, please digitally sign the request).
8.2.8 The data subject has rights regarding automated processing and profile analysis. The data subject, based on their specific situation, has the right to object at any time to the processing of personal data concerning them on the basis of automated decisions/profile analysis and to demand human intervention. The data subject may also request an explanation of the logic behind the automated decision-making. For the sake of clarity, Julianus Inkasso’s e-solutions and the software used may contain automatic solutions, but no automatic processing or profiling is used, which significantly affects the data subject or their rights.
8.2.9 If a person is concerned about an alleged violation of the General Data Protection Regulation or other legislation related to personal data at Julianus Inkasso, Julianus Inkasso asks to write to the email address andmekaitse@julianus.ee. If a person is not satisfied with the way Julianus Inkasso resolved their complaint, they have the right to file a complaint with the Data Protection Inspectorate. The contact details of the Data Protection Inspectorate are as follows: telephone +372 627 4135; email address info@aki.ee; postal address Tatari 39, Tallinn 10134. The data subject has the right to contact the data protection supervisory authority of the country of residence or the supervisory authority in the country in which the alleged violation occurred. The contacts of data protection supervisory authorities of the EU member states can be found here. It is also possible to appeal to the court if, in the opinion of the data subject, the processing of personal data violates their rights and interests.
8.2.10 Response and identification of the data subject. Julianus Inkasso will respond to the submitted request within one calendar month; if necessary, it has the right to extend the deadline for responding to the request by notifying the data subject. Julianus Inkasso will appropriately identify the data subject before issuing personal data in order to avoid issuing personal data and information to the wrong person. In general, the identification of the data subject means the digital signing of the request by the data subject.
9. SECURITY
9.1 Julianus Inkasso has established various guidelines and policies to ensure the security and proper processing of personal data. Appropriate organizational and technical measures are also used to ensure the security of personal data. Among other things, Julianus Inkasso does the following to ensure security and confidentiality:
9.1.1 An access level management system is in use;
9.1.2 Personal data is processed according to the purpose and to the extent necessary for the provision of services and for other purposes stipulated in these data protection conditions;
9.1.3 There are software solutions in use that help ensure a level of security that meets at least the market standard.
9.2 In the event of an incident involving personal data, Julianus Inkasso will do its best to mitigate the consequences and reduce such risks in the future. When reporting an incident, the notification requirements of the General Data Protection Regulation are followed.
10. CHANGES
10.1 Overview of changes:
This version of the data protection conditions entered into force on 26.06.2024
The previous version of the data protection conditions was valid until 26.06.2024 and can be found here.