End User Privacy Policy
For us, Easy Payment Services Ltd. (the Company), the protection of your personal data is of primary importance. Therefore, we would like to inform you on what grounds, for what purposes, within what periods and by what means your personal data are processed when you visit our website www.easyps.bg and apply for a provision of a money loan/ conclusion of a payment services contract on part of the Company. We strictly adhere to the applicable data protection regulations in each operation of personal data processing. The General Data Protection Regulation 679/2016 (‘GDPR’) on the protection of natural persons with regard to the processing of personal data shall apply to the territory of the EU, including Bulgaria, with effect from 25 May 2018. It provides you with enhanced data protection rights, to which our more detailed obligations also correspond; more information on this matter may be found below in this Personal Data Protection Policy (the Policy).
1. Introduction
In this Personal Data Protection Policy Easy Payment Services, ‘we’, ‘us’ or ‘our’ means Easy Payment Services Ltd., and ‘you’, ‘your’ and ‘user’ means visitors to our website – www.easyps.bg.
This Personal Data Protection Policy explains and governs:
- how and when we collect your personal data, and what information we collect;
- how and why we use your personal data; and
- your rights to control your personal data.
Please carefully read this Personal Data Protection Policy. By accessing and using our website and services, you confirm that you have had an opportunity to read this Policy, that you understand it and that you agree to be bound by it. If you fail to do so, you must immediately cease using our website and any services provided by us.
We may amend this Policy from time to time to comply with applicable laws and regulations or to meet changing business requirements. You are encouraged to periodically review this page for the latest information on our privacy practices and amendments to our Personal Data Protection Policy. Every time we make an amendment to the Policy, we will notify you of the possible effects of the amendment without delay and in summary on our website www.easyps.bg and in our customer service offices in the territory of the Republic of Bulgaria.
2. General Information.
2.1. Some terms relevant for a better understanding of this Policy:
– ‘Personal Data’ – means any information relating to a natural person, which separately or in combination with other information, may result in their identification or may identify them.
– ‘Data Subject’ – means any alive natural person who is identified or identifiable by means of processed personal data.
– ‘Personal Data Processing’ – means any action that we carry out or may carry out with your personal data, including, but not limited to their collection, analysis or destruction.
– ‘Data Controller’ – with regard to personal data it controls, this is Easy Payment Services. We define the purpose of your personal data processing, on any of the legal grounds to this effect; in principle, we also define the methods for such processing – for example, the technical infrastructure and applications used for the processing. We assume the responsibilities with regard to the security and protection of your personal data.
– ‘Data Processor’ – this is a third party that processes your personal data upon our assignment, whereas Easy Payment Services has strictly defined the purpose and methods of processing, and has verified whether the person meets the requirements of the GDPR. For example, such data processor may be an agency, which is responsible for a marketing campaign of Easy Payment Services in social media and issues reports for its success.
– ‘Personal Data Breach’ means any breach of security, which results in accidental or unauthorized destruction, loss, change, unauthorized disclosure of or access to personal data that are transferred, stored or processed otherwise.
– “Digital Assets” – the website www.easyps.bg, all landing pages supported by the Company, web, native and mobile applications accessible to customers.
3. Who we are?
Easy Payment Services Ltd. is a company, whose objects of activities are execution, after obtaining the necessary license from the Bulgarian National Bank, of payment transactions where the funds are part of a loan granted to the payment service client, execution of the payment transactions by means of payment cards or other similar instruments; issuance of payment instruments and/or acceptance of payments with payment instruments.
4. How can you contact us?
Easy Payment Services Ltd. has its seat and registered office situated in the City of Sofia, 7 Lyulin Residential Area, 28 Jawaharlal Nehru Blvd., ‘Silver Center’ Administrative and Business Center, 2nd Floor, Office No. 40-46, contact phone 0700 200 12. You can contact us by visiting any office in the country or on our website www.easyps.bg.
5. Who is the person within the organization responsible for the protection of my personal data and how can I contact him/her?
Data Protection Officer (‘DPO’) – e-mail: dpo@easycredit.bg, contact telephone – – 0700 200 12.
6. Type, purpose and grounds of processing of personal data collected by Easy Payment Services Ltd.:
Personal Data | Purpose | Grounds |
Full name, national identification number, date of birth, identity card data of the payment card applicant, each nationality of the person | · Identification of an individual -payment card applicant/ contact person; · Identification of a payment card applicant under the Measures against Money Laundering Act (MMLA); · Contacting a payment card applicant; · Assessment of creditworthiness under Article 16 of the Consumer Loan Act (CLA); · Conclusion of a payment services contract; · Provision of a requested service; · Performance of obligations under a payment services contract and general terms and conditions for the conduct of the respective promotion organized by the Company | Performance of a legal obligation |
Telephone conversation record | Improving the quality of service and better protection of personal data of the payment card applicant, as well as their interest and the Company’s interest; proving the conversation subject and complying with the payment card applicant’s information rights | Legitimate interest |
Telephone | · Contacting a payment card applicant · Performance of obligations under an existing payment services contract; | Conclusion/ performance of a contract |
· Offering products and services of Easy Payment Services Ltd.; · Sending advertising messages; | Consent | |
Address | · Contacting a payment card applicant · Identification of a payment card applicant under the MMLA; · Conclusion of a payment services contract; · Provision of a requested service; · Performance of obligations under a payment services contract; | Conclusion/ performance of a payment services contract |
· Offering products and services of Easy Payment Services Ltd.; · Sending advertising messages | Consent | |
E-mail/ short text message (SMS) | · Contacting a payment card applicant · Identification of a payment card applicant under the MMLA; · Conclusion of a payment services contract; · Provision of a requested service; · Performance of obligations under a payment services contract | Conclusion/ performance of a payment services contract |
· Offering products and services of Easy Payment Services Ltd. · Sending advertising messages | Consent | |
Data from the Central Credit Register | Assessment of creditworthiness | Legal obligation |
Data from the registers of the NRA (existence of an employment contract, social security contributions paid for the previous 6 months, pensions) | Verifying the correctness of data provided by a payment card applicant | Consent |
Verification of the personal data stated by a payment card applicant in the databases of related parties | · Prevention of frauds · Assessment of creditworthiness | Legitimate interest |
Data on the validity of an identity card from the website of the Ministry of Interior | Verification of data provided by a payment card applicant | Legitimate interest |
Place of employment, data on the type of contract, length of service, job title, profession, remuneration, total monthly income, education | Assessment of creditworthiness | Legal obligation |
Other credits | Assessment of creditworthiness | Legal obligation |
Property status of a payment card applicant – information on a motor vehicle and/or apartment owned, telephone bill | Assessment of creditworthiness ; | Legal obligation/legitimate interest – in respect of data, which are not expressly stated in Article 16 of the CLA |
How long have you been living at your current address? What is your zodiac sign? | Challenge questions to verify data and prevent frauds | Legitimate interest |
Handwritten signature | Signing a payment services contract and appendices thereto | Conclusion and performance of a contract |
Family status | Challenge questions to verify data and prevent frauds | |
Data of a contact person, identification contact data / full name and telephone number | Ensuring contact with the customer | Declaration by a payment card application that the contact person has voluntarily provided their data and that they have agreed/ consent of the person |
Verification of the contact person’s data in databases of related parties | · Prevention of frauds; · Assessment of creditworthiness | Legitimate interest |
Copy of an identity card | Identification under the MMLA | Legal obligation |
Data on credit card movements (utilization, payments, transactions made) | Performance of obligations under an existing payment services contract | Legal obligation |
Voice – conversation record | Improving service and better protection of personal data of the payment card applicant, as well as their interest and the Company’s interest; proving the conversation subject. | Legitimate interest |
Your personal data will be processed by Easy Payment Services Ltd. only in accordance with the applicable data protection regulations. When you communicate with us through any of the communication channels, you acknowledge that the data provided by you are accurate, correct and up-to-date.
We should inform you that any consent to processing your personal data may be withdrawn at any time by submitting a request in writing to the registered office of the Company situated in the City of Sofia, 7 Lyulin Residential Area, 28 Jawaharlal Nehru Blvd., ‘Silver Center’ Administrative and Business Center, 2nd Floor, Office No. 40-46, and by calling at 0700 200 12. The withdrawal of your consent for the processing of your data will in no way adversely affect the conclusion of a payment services contract and granting of the loan for which you have applied.
7. For how long will my personal data be stored?
Personal data shall be stored for the time periods required to achieve the purposes for which they have been collected. After achieving the purposes for which personal data have been collected, we will destroy them immediately. In the event that after achieving our purposes we decided to store the processed personal data for statistical purposes, this will be done in the form of storage of anonymous data that cannot identify you in any way.
Easy Payment Services Ltd. shall take all necessary technical and organizational measures for the destruction of data that are no longer necessary, except in cases where there is a legitimate grounds for Easy Payment Services Ltd. to process them for a longer period of time; in case of a request submitted by you for restricting processing in accordance with your rights detailed below; or with a view to or compatible with the original purpose for processing of which you will be informed in a timely manner.
Easy Payment Services Ltd. shall store collected personal data within the following periods:
- a) where data are processed on the grounds of a request for loan application – for a maximum period of one year from filing the request for loan application, if the request is not approved; or
- b) where data are processed on the grounds of an existing payment services contract – for a period of 5 years, which shall start as from the date of termination of the payment services contract.
- c) where data are processed on the grounds of a granted consent – until the explicit withdrawal of the consent.
- d) where data are processed for the protection of rights and interests of the Company, which reasonably override the interest of natural persons – until the extinction of the right and/or when interest no longer exists.
After the expiration of the said time periods, if there is no other basis for the processing of the data, they will be erased. For the purposes of obtaining and analyzing information related to financial products and services used and for improving the quality of service, the Company may erase only part of the data. In these cases, it shall continue to store such part of the data that prevents further identification of natural persons.
8. Will my personal data be accessible to third parties?
Easy Payment Services Ltd. will not disclose personal data to Third Parties [1][i] other than their disclosure to related parties for the purposes of prevention of frauds and/or assessment of creditworthiness.
8.1. The following categories of persons, that may be processors on the grounds of contracts entered into with the Company, may also have access to your personal data, namely:
- persons supporting the information systems of the Company located in the Republic of Bulgaria, as well as, where appropriate, the customer service centres in the Republic of Bulgaria;
- persons entrusted with the activities related to drawing up, printing, compiling, delivery (including by SMS-messages or by electronic means) of written correspondence sent by the Company to its customers;
- persons that by virtue of a contract with a Company shall provide assistance to it in connection with the servicing and collection of its receivables from customers;
- persons whom the Company offers to sell its receivables from customers:
- persons who, pursuant to a contract with the Company, shall provide assistance in providing financial products offered by the latter;
8.2. Easy Payment Services Ltd. provides on a regular basis personal data of its borrowers to the Central Credit Register by virtue of its legal obligation. The Company is required to provide personal data on its borrowers to the competent authorities and institutions pursuant to the applicable law and in the event that such information is requested based on legal grounds.
8.3. Easy Payment Services Ltd. shall not transfer personal data to a third country or an international organization outside the European Union.
9. How we protect your personal data?
To ensure adequate protection of the data of the Company and our customers, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act and the General Data Protection Regulation.
The Company has established structures designated to prevent misuse and security breaches and has also appointed a Data Protection Officer supporting the processes related to protecting and ensuring the security of your data.
For the purposes of ensuring maximum security when processing, transferring and storing your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.
10. Are my personal data subject to automated decision making, including profiling?
10.1. Yes, they are. The Company may process your personal data using entirely automated means, including profiling you, by assessing your behaviour and other conclusions about various personal aspects concerning you – for the purposes of preventing frauds, offering new products and for marketing purposes, namely – in order to receive the most appropriate advertising messages and marketing communications considering your personal characteristics and interests demonstrated in the past. In none of these cases, profiling will have any material effect on you.
10.2. In addition to the above, please note that you will be subject to completely automated processing, including profiling, for the purposes of assessing your creditworthiness, including what amount of loan could be appropriate for you. In this case, we have an obligation to explain to you the logic of the completely automated processing/profiling in a few simple steps. Personal data shall be examined in the aggregate and individually for a statistically significant connection to events identified as high-risk conditions of the customer – non-payment, fraud. Criteria shall be selected through which supply of machine learning algorithms is carried out, and the result is a summarized mathematical model assessing the probability of realizing some of those risks for a particular customer. Grounds of such processing will be a conclusion of a payment services contract; considering the number of loan applications and the extent of the Company’s activities, the assessment of creditworthiness, which is mandatory under Article 16 of the Consumer Loan Act, could not be made in a different way without resulting in excessive delay.
In this case, if you are not satisfied with the decision announced, you have the right to request a review of the decision by a credit expert of the Company, who has the relevant competencies.
11. Your rights
As a data subject, whose data are processed by Easy Payment Services Ltd., you shall have rights described in details below:
You should consider that the provision of personal data is voluntary – it is necessary for the conclusion of a contract with the Company. In the event that data cannot be submitted, the Company will not be able to provide a product or service.
Easy Payment Services Ltd. shall meet your requests without delay, within 30 calendar days after submitting them. By our decision, we provide or refuse access and/or information requested by the applicant, but we always justify our response. For the purpose of the website of the Company, there is a link to this Policy published on a clearly visible and accessible position.
Your request for exercising your rights will be examined provided that you fill in this form and submit it to us in a manner convenient to you:
– in person or by a proxy who has been expressly authorized by you through a notarized power of attorney at the Company’s address in the City of Sofia, 7 Lyulin Residential Area, 28 Jawaharlal Nehru Blvd., ‘Silver Center’ Administrative and Business Center, 2nd Floor, Office No. 40-46. The notarized power of attorney by which a request for erasure is to be submitted should contain the following explicit power, ‘To represent me before Easy Payment Services Ltd., UIC, 204112059 having the right to submit on my behalf a request for exercising data protection rights’.
– executed as an electronic document signed with your electronic signature sent to office@easyps.bg;
– By post or courier service sent to the Company’s address in the City of Sofia, 7 Lyulin Residential Area, 28 Jawaharlal Nehru Blvd., ‘Silver Center’ Administrative and Business Center, 2nd Floor, Office No. 40-46;
– by calling at 0700 200 12 – in this case, the form for exercising your rights should be sent to the attention of Easy Payment Services Ltd. by any of the means specified above;
Within a period of up to one month following the receipt of the request, Easy Payment Services Ltd. will notify you of the actions taken in respect of your request.
The exercise of rights shall be free of charge and cover all structured and unstructured data, as well as all databases supported by the Company.
Exceptions to the time period intended for satisfying the rights and the free of charge basis are allowed in cases of requests made by the same customer of data with a frequency greater than 3 times a year and requiring the mobilization of a significant administrative resource on part of the Company. In this case, we may impose a reasonable fee with a view to the administrative costs incurred.
Where the data subject submits a request by electronic means, the information shall be provided, where possible, by electronic means, unless the data subject has not requested otherwise.
When the Company has reasonable concerns in relation to the identity of the natural person who makes a request for the exercise of their rights under this section, the directly responsible person shall immediately consult with the Data Protection Officer in view to the identification of the customer.
You should also consider that the withdrawal of granted consents does not affect the lawfulness of the processing of your personal data before such withdrawal. Despite the withdrawn consent, your personal data may be processed by the Company, if there are grounds for processing the data other than those referred to in Section 4.
You shall have the following rights:
11.1. Right to be informed
As a data subject, you shall have a right to obtain information on important features of the processing of your personal data, including, but not limited to its purpose, period and grounds, on the recipients and the categories of recipients of the personal data, etc.
In addition to the above information, you should consider that you are a subject of automated decision making, including profiling. This means that the data you provide shall be used for the purpose of creating an appropriate ‘profile’ for you and are intended to prevent fraud, diversify the Company products and select advertising, marketing and promotional materials that are suitable for you.
In accordance with the applicable personal data protection laws, you have the rights specified below, and we obliged to respond to each of your requests within 1 month of receipt of the request for no extra charge. In case of any difficulties for the timely fulfilment of such requests, the period may be extended by another 2 months, of which you will be notified within 1 month of receipt of the request.
11.2. Right of access
You may request information on what personal data concerning you we process, and whether we process such. You may request access to such data.
We will provide you with a statement of personal data that are being processed. For additional statements, we may adopt a reasonable fee on the basis of administrative costs. When you submit a request through electronic means, we will provide the information, where possible, in a widely used electronic form unless you have requested otherwise.
11.3. Right to rectification
If we process incomplete or incorrect personal data concerning you, you have the right to have such data rectified and completed at any time.
11.4. Right to erasure
You may request the erasure of your personal data in the following cases:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent on which the processing is based and there are no other legitimate grounds for the processing;
- you consider that the personal data have been unlawfully processed.
Note that there may be other reasons that can thwart the immediate erasure of your data, such as statutory obligations for storage, pending proceedings, the establishment, exercise or defence of legal claims, etc.
11.5. Right to a restriction of processing
You have the right to obtain restriction of processing, if:
- you contest the accuracy of the personal data for a period enabling us to verify the accuracy of the personal data;
- the processing is unlawful and, but you do not want the personal data to be erased and request the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims
- you have objected to processing pending the verification whether the legitimate grounds of Easy Payment Services for processing of the data override your grounds.
In the event of a request for restriction of processing, we will inform you prior to revoking the restriction of processing.
11.6. Right to data portability
You may request from us to provide you with the personal data concerning you that we process in a structured, commonly used and machine-readable format and which can be transmitted to another financial institution for example. This shall apply, provided that
- the processing of the particular data is based on your consent or is in relation to the conclusion and performance of a payment services contract; and
- the processing is carried out by automated means
11.7. Right to object
You have the right, at any time and on grounds relating to your particular situation, to object processing of your personal data, which is based on legitimate interest – the grounds are specified in the table above, including profiling based on such grounds.
When you have given your consent to the processing of data for the purposes of direct marketing, you have the right to object to personal data processing at any time without specifying grounds.
11.8. Right to lodge a complaint
Please contact us if you think that we have violated any applicable law on the protection of personal data in the processing of your data, and as a result, we have affected your rights. Surely, you also have the right to lodge a complaint with the Personal Data Protection Commission, which is a supervisory authority in respect of personal data protection, located at the following address: City of Sofia, 2 Prof. Tsvetan Lazarov Blvd., tel. 02/91-53-518, e-mail: kzld@cpdp.bg.
[1] ‘ the third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data (Article 4, § 10 of the GDPR)