PRIVACY NOTICE
If you want to read our updated privacy notice in a different language, please select the country below.
This Privacy Notice sets out how we collect, use, process and store your personal data, and what are your rights regarding your personal data.
This Privacy Notice applies as of 25 May 2018 and is accessible on our website http://www.ddm-group.ch/data-privacy. Any future changes to the Privacy Notice will be posted there as well.
1. Who is the controller of your personal data
The data controller in respect of your personal data is DDM Group AG, Landis & Gyr Strasse 1, 6300 Zug, Switzerland. In this Privacy Notice, we will refer to this company as "DDM". Apart from DDM, other companies within our group may also process your personal data - see Section 4.2 of this Privacy Notice.
The representative of DDM in the European Union (EU) is DDM Invest VII, finančne storitve, d.o.o., Dunajska cesta 9, 1000 Ljubljana, Slovenia, ID number: 7109806000, telephone: 0041 41 766 14 23, email: . In this Privacy Notice, we will refer to this company as "EU representative".
For any questions or concerns regarding your personal data collected and processed by us, or if you wish to use any of your rights in relation to your personal data (we describe these in Section 7 of this Privacy Notice), you may contact either:
- our EU representative at 0041 41 766 14 23 or ; or
- our Data Protection Officer at .
2. Personal data we collect about you and how we obtain them
We obtain your personal data either from you directly or from other sources, as further explained in this Section. We explain why we collect your personal data in Section 3 below.
2.1. Personal data you share with us
You may provide us with your personal data yourself, for example when you contact us in any way, either by telephone, email or by regular mail, and when you talk to our staff in person or fill in forms intended for us. While it will be up to you to decide which exact personal data to share in such case, these will typically be in relation to a contract you have with us or another company within our group, and may include contact, financial or educational data, or data related to your employment or assets you own. Such personal data may be of similar types as those listed in Section 2.2 below.
2.2. Personal data we receive from other sources
We also receive your personal data from other sources, such as:
- our business partners with whom you had a business relationship in the past and who transferred your personal data (collected under contract or because you have consented for them to do so for a specific purpose) to us; for example, if you took out a loan or entered into a leasing agreement with a bank or a leasing company, we received your personal data when we acquired such loan or leasing agreement from the bank or the leasing company;
- companies within our group, for example DDM Invest III AG (based in Switzerland), DDM Invest VII, d.o.o. (based in Slovenia), DDM Invest V d.o.o. (based in Slovenia), DDM DEBT ROMANIA S.R.L. (based in Romania) and DDM Debt Management d.o.o. Beograd (based in Serbia); these companies provide us with information they obtain, including personal data, while managing specific assets which they own (for example a loan receivable owed by you);
- other third parties, including, for example, courts, regulators and other public authorities, business partners, sub-contractors in technical, payment and delivery services, analytics providers, search information providers, credit reference agencies, and background checking agencies; we may receive your personal data from them as part of the service they perform for us, or for legal reasons;
- publicly available sources such as the court and business register, land register, internet and other media.
Types of personal data we collect about you in this way include:
- your personal details (name, address, date, place of birth, nationality, personal ID, gender, occupation, education, marital status, employment status, income, family income, income description, number of children, phone number, email and other contact details, etc.);
- authentication data (for example specimen signature);
- data related to the fulfilment of your contractual obligations (for example turnover data in payment transactions and data on your payments under the contract you have with us or with another company within our group);
- information about your financial status (for example, creditworthiness data, scoring or rating data, etc.);
- data from public registers and courts, for example, data on your real estate ownership from the land register or ownership of shares in companies from the business register or central clearing corporation, data as to whether you are a party in civil, enforcement or insolvency proceedings;
- recordings of business-related telephone conversations;
- information from your electronic communication with us (for example emails, letters, etc.);
- data created by our processing of your personal data listed here.
3. Why we collect your personal data and what is the legal basis for doing so
This table summarizes why we collect and process your personal data and what legal basis (reasons) we have to do so. Information in this table applies to personal data collected from you directly (see Section 2.1 above) as well as to personal data that we obtain from other sources (see Section 2.2 above).
Purpose of collection (why we collect) | Legal bases (our reasons) |
---|---|
We need your personal data to continue the business relationship you have with us or other companies within our group, to exercise rights under contracts we or other companies within our group have with you and to manage and coordinate our activities in this respect; for example, we need your personal details to contact you to agree on a payment plan, to follow up on your compliance with the plan, or to pursue legal action for debt collection if this is necessary; likewise, we need your financial information and data on asset ownership to develop a payment plan appropriate for your situation and to assess your credit score. | • processing is necessary for performance of a contract you are a party to • processing is necessary for our legitimate interest: - being in the investment business, it is our commercial interest to collect on the claims owned by us or other companies within our group, for which we need to be able to contact you or pursue legal action; - to do our business efficiently, we need to organize our activities around certain criteria, which will often be based on personal data of debtors. |
Sometimes we or other companies within our group need to process (in particular transmit and store) personal data to act in accordance with the law; this may for example be necessary under anti-money laundering rules or consumer credit regulation. | • processing is necessary for the fulfilment of our legal obligations. |
We or other companies within our group need to analyse personal data to prevent debtor fraud and to implement fraud prevention; for example, we may obtain personal data from a background checking agency to verify whether our existing information is correct. | • processing is necessary for our legitimate interest: it is in our commercial interest to safeguard against fraud. |
4. Who we share your personal data with
Within DDM, your personal data is processed mainly by our departments and employees responsible for managing contractual relationships and ensuring we comply with the law, for example case handlers in charge of your case, credit boards and committees, business analysists, accounting department, legal department, compliance department and internal auditors.
When and only to the extent this is needed for purposes we described in Section 3 of this Privacy Notice, we share your personal data outside of DDM, with other companies in our group or with third parties. In any case, we only share personal data with companies or third parties based in European Union / European Economic Area or Switzerland (see also Section 5 below). Here, we list with whom we share your personal data in this way:
- companies within our group, for example DDM Debt AB (based in Sweden) and DDM Invest VII, d.o.o. (based in Slovenia);
- service providers, agents, subcontractors and other companies whose activities are connected to debt collection;
- courts, regulatory agencies and any other public authorities;
- fraud prevention agencies;
- cloud storage providers;
- banking and financial services providers that help us finance our business;
- credit reference agencies for assessing your credit score;
- generally, all companies and organizations from whom we obtain your personal data, as listed in Section 2.2 of this Privacy Notice; among these, we only share personal data with companies and organizations based in European Union / European Economic Area or Switzerland (see also Section 5 below);
- if assets of DDM (or one or more companies within the same group) would be acquired by a third party, your personal data held by DDM or such company that relates to any such asset will transfer to the acquirer.
In addition, we may, from time to time, provide third parties with data that has been aggregated or anonymized. This means that your personal data that could be used to identify you have been removed from such aggregated or anonymized data. Data provided to third parties in this way is not personal data.
5. Where we store your personal data and where do we transfer it
We store and process your personal data on locations inside European Union / European Economic Area (“EEA”) and Switzerland.
European Commission has recognized Switzerland as a country with adequate level of protection of personal data, and issued so called adequacy decision in this respect.
You can take a look at the adequacy decision on this link:
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518
or learn more on adequacy decisions on this link: - https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en#dataprotectionincountriesoutsidetheeu.
At the moment, information on this topic is generally available on the website of the European Commission (https://ec.europa.eu/info/index_en) under "Policies, information and services" tab, in the "Law / Law by topic / Data protection / Data transfers outside the EU" sub-section. Please note that the European Commission may change the online location of these information in the future.
6. How long will we keep your personal data
Due to the nature of our business and contractual relationships we or other companies from our group have with you, we cannot state precisely for how long we will keep your personal data. This period will be dependent on several factors, such as the duration of the contract concluded with you, statutory or contractual limitation period in respect of certain rights and obligation stipulated in the contract with you and compliance and regulatory requirements imposed to us by law. However, in any case we retain your personal data only for as long as is necessary for the purpose for which we obtained them. We list some examples of how we decide on how long to keep your personal data below.
6.1. Personal data used to perform a contract
In relation to your personal data used to perform any contractual rights and/or obligations with you, we may retain that personal data whilst the contract remains in force and until you or we (or another company from our group) completely fulfill their obligations, allowing for reasonable time after that for updating of our records.
6.2. Personal data needed for legal proceedings
In relation to any personal data where we reasonably believe it will be necessary to defend, prosecute and/or make a claim against you, us or a third party, we may retain that personal data for as long as the claim could be pursued under the applicable law or otherwise needed in such legal proceedings.
6.3. Personal data used for compliance requirements
In relation to any personal data used to comply with anti-money laundering, anti-terrorism financing, tax, audit or similar data retention requirements, we shall not store and use such personal data longer than we are required to do so under the specific retention requirement.
7. Your rights
Below is the summary of rights that you have under law, and what DDM does to protect those rights. You may contact our Data Protection Officer at (or our EU representative at ) if you wish to know more or to use any of these rights.
7.1. The right to access your personal data
You have the right to
- obtain from DDM confirmation as to whether or not personal data concerning you are being processed; and
- access your personal data by receiving a copy thereof.
Please contact our Data Protection Officer at or our EU representative at if you wish to access your personal data held by DDM.
7.2. The right to correction (rectification)
If the personal data DDM holds about you are inaccurate or not complete, you have the right to ask us to correct them. If that personal data has been passed to a third party, we will ask them to correct the data, unless this is impossible or requires disproportionate effort on our part. We will tell you to which third parties your personal data has been passed if you ask us to. We may need to verify the accuracy of the new data you provide to us. Please contact our Data Protection Officer at or our EU representative at if you need us to correct your personal data.
7.3. The right to erasure
This is sometimes called ‘the right to be forgotten’. You can ask us to erase all your personal data held by us and we will do so in these cases:
- your personal data are no longer necessary for the purposes we processed or collected them for;
- if you withdraw your consent to process your personal data – but only in cases where we have no other legal basis to do so apart from your consent;
- if you object to the processing of your personal data and there are no overriding legitimate grounds for the processing (see right to object in Section 7.6 of this Privacy Notice);
- it turns out your personal data have been unlawfully processed;
- your personal data must be erased because the law requires us to.
Note that we may not erase your personal data even if you request us to in some cases, in particular when their processing is necessary for us to comply with the law (e.g. where we are legally required to keep the data) and for establishment, exercise and defence of legal claims. Please contact our Data Protection Officer at or our EU representative at if you wish to request the erasure of your personal data held by DDM.
7.4. The right to restrict processing
You have the right to ask DDM to restrict how we process your personal data. This means that we are permitted to store your personal data but not further process it. We will restrict processing of your personal data in the following cases:
- if you want us to establish the data's accuracy; we will restrict processing for the time needed to establish accuracy;
- where our use of the data is unlawful but you do not want us to erase it;
- where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it (see Section 7.6 of this Privacy Notice on your right to object); we will restrict processing for the time needed for such verification;
When we restrict processing only temporarily (first and last case above), we will let you know when the restriction is lifted. Note that we are permitted to process your personal data in certain cases even if the processing is restricted, for example for establishment, exercise or defence of legal claims, protection of rights of other persons or for reasons of important public interest. If you want to request us to restrict processing of your personal data, please contact our Data Protection Officer at or our EU representative at .
7.5. The right to data portability
You can ask us to send you your personal data which you have provided to us yourself (see Section 2.1 of this Privacy Notice) in structured, commonly used and machine-readable format (this means that the data can be easily understood by a computer). You have the right to transfer such personal data to a different company (data controller), or ask us to do so directly. We will send you such personal data in case:
- we have been processing your personal data because you gave us your consent to do so or to perform a contract you have with DDM or another company within our group; and
- we process your personal data by automated means (this means for example that we cannot give you your personal data in this form if we only have it in paper files).
Please contact our Data Protection Officer at or our EU representative at on more information on how to use this right.
7.6. The right to object
When the legal basis for us to process your personal data is our legitimate interest, and you feel that because of your particular situation you no longer wish us to do so, you can at any time object to further processing of your personal data. In this case, we will stop processing your personal data. Note however that we are still allowed to continue to process your personal data even if you object, if our legitimate interests in a particular case outweigh your interests, rights and freedoms (meaning that your rights are not affected disproportionally, while it is important to us if we can continue processing), as well as for the establishment, exercise or defence of legal claims. If you object to the processing of your personal data, please contact our Data Protection Officer at or our EU representative at .
7.7. The right to withdraw consent
If we process your personal data on the basis of your consent but you change your mind later, you have the right to withdraw your consent at any time, and DDM will stop processing your personal data. If you withdraw your consent, our processing prior to your withdrawal will remain lawful. If you want to withdraw your consent, please contact our Data Protection Officer at or our EU representative at .
7.8. The right to complain to a supervisory authority
You have the right to complain to a personal data protection supervisory authority if you believe our processing of your personal data may be against the law. You may complain either to a supervisory authority in the place of your habitual residence (where you live most of the time), in the place where you work or in the place where you believe infringement may have happened. Depending on your choice, these supervisory authorities may be relevant to you if you wish to complain:
- Swiss Federal Data Protection and Information Commissioner (FDPIC); you can find their contact details at https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html
- Croatian Personal Data Protection Agency (AZOP); you can find their contact details at http://azop.hr/
- Czech Office for Personal Data Protection; you can find their contact details at https://www.uoou.cz/en/
- Romanian Data Protection Supervisory Authority; you can find their contact details at http://dataprotection.ro/?page=contact&lang=ro
- Slovenian Information Commissioner; you can find their contact details at https://www.ip-rs.si/
- Slovak Office for Personal Data Protection; you can find their contact details at https://dataprotection.gov.sk/uoou/en/content/contact