The information contained in this document concerns the processing by FINSTRUMENT SP. Z O.O. with its registered office in Warsaw at ul. Jozefa i Jana Rostafinskich, 4/2-5 (B), (02-593), POLSKA, (hereinafter: FINSTRUMENT or Payment Institution) of Clients' personal data in connection with agreements for the provision of payment services and additional services. The information provided is in accordance with the provisions of the European Union concerning the processing of personal data [Regulation of the European Parliament and of the Council (EU) 2016/679 - General Data Protection Regulation (hereinafter: GDPR)]. Regardless of the applicable legal provisions, processing personal data according to the highest standards, respecting and protecting the privacy of Clients are among the most important priorities for FINSTRUMENT Sp. z o.o.
The data controller is FINSTRUMENT Sp. z o.o.
Contact details for FINSTRUMENT: ceo@finstrument.pl
Contact details for the data protection officer: ceo@finstrument.pl
Personal data, including Clients' biometric data, are processed for the following purposes: proper performance of the agreement; fulfillment of legal obligations incumbent on the data controller and performance of tasks in the public interest (e.g., performing tasks related to security and defense, storing documentation for supervisory authorities); purposes arising from legally justified interests pursued by the Payment Institution (e.g., direct marketing of own products, securing and pursuing claims, securing and protecting against claims from the Client or third parties); marketing purposes not arising from legally justified interests pursued by the Payment Institution (e.g., marketing services and products of third parties, own marketing that is not direct marketing).
The legal bases for data processing are:
In the case of data processing based on Article 6(1)(f) of the General Data Protection Regulation (when processing is necessary for the purposes of legitimate interests pursued by the Payment Institution or by a third party), the Payment Institution informs that the legitimate interests pursued by the controller are: direct marketing of own products; securing and pursuing its claims, and securing and protecting against claims from the Client.
In accordance with the definition of recipient included in the General Data Protection Regulation (GDPR), mentioned in Article 4(9), the Payment Institution informs the Client that their personal data during processing may be disclosed to the following categories of recipients: the Client and persons authorized by the Client; persons authorized by the Payment Institution employed in the Payment Institution or in companies belonging to the FINSTRUMENT capital group; entities processing data on behalf of and for the Payment Institution and authorized persons employed in these entities (e.g., marketing implementation by external companies, debt collection and claims pursuit based on services of external companies); third parties - in case of the Client's consent to data transfer (e.g., in case of data transfer for marketing purposes, in case of checking the Client's credibility by Credit Information Bureaus, in case of payment order execution) or in case of the Payment Institution exercising its rights; public authorities that may receive data in cases other than within specific proceedings conducted in accordance with European Union law or Polish law.
The Payment Institution does not transfer any personal data, including biometric data, to third countries (outside the European Economic Area) or international organizations. In the event that such an intention arises, the Payment Institution will make efforts to ensure that if it is necessary to transfer data to a third country or international organization, it is a country or organization for which the European Commission (in accordance with the General Data Protection Regulation) has established an adequate level of protection. In any other case, the Payment Institution will be able to transfer personal data to a third country or international organization only on condition of ensuring appropriate safeguards and on condition of enforceable rights of the persons to whom the data relates and effective legal remedies referred to in the General Data Protection Regulation, and taking into account providing the Client with information about the possibilities of obtaining a copy of data or the place of data disclosure.
Personal data are stored:
At any time of processing personal data, including biometric data, the Payment Institution is guided by the principles of purpose limitation, data minimization, and limited processing periods.
The Client has the right to request access to the content of their personal data, including biometric data, and their rectification, deletion, and restriction of processing. Additionally, the Client has the right to object to data processing and the right to data portability. The exercise of the rights mentioned in this paragraph is carried out in accordance with the provisions of the General Data Protection Regulation (GDPR), based on definitions and mechanisms described in this regulation.
In the case where the Payment Institution processes personal data based on the Client's consent, the Client has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
The Client has the right to lodge a complaint with the supervisory authority on the principles set out by the General Data Protection Regulation (GDPR), in particular on the basis of Article 77 of this regulation. In Poland, the supervisory authority from 25 May 2018 is the Office for Personal Data Protection.
The Payment Institution informs that providing the following data is a contractual requirement and at the same time a necessary condition for concluding the Agreement: first name, last name, type and number of identity document, PESEL, place of residence, correspondence address, facial image. Providing other data, such as contact phone numbers and e-mail address, is a contractual requirement. Providing all data is voluntary. The consequence of failure to provide data that is a necessary condition for concluding the agreement is the inability to effectively conclude an agreement with the Payment Institution. The consequence of failure to provide personal data, including biometric data, which is not a necessary condition for concluding the agreement is the inability to use this data for purposes related to its collection (for example, contacting the Client using this data for the purpose of performing the agreement, or presenting marketing offers).
The Payment Institution informs the Client that for the purposes of charging fees for products and services, for the purposes of interbank settlements, as well as, on the principles set out in the applicable legal provisions, for the purposes of marketing services or providing payment services, all data are processed during the term of the agreement or consent, and after its termination during the period of pursuing claims, no later than until their expiry, or performing tasks or obligations provided for in the relevant legal provisions.
The principles described in this document apply from 25 May 2018 - i.e., from the date of application of the provisions of the General Data Protection Regulation (GDPR). In formulating the above information, we were guided by the fact that it should be as specific and precise as possible (including consistent with strict concepts and definitions established by GDPR), and at the same time simple, clear, and understandable. In order to constantly ensure these and in connection with frequently changing legal provisions, we reserve the right to correct and improve the form and content of this information on an ongoing basis. We are aware that this material is extensive, therefore in case of any comments, questions, or doubts (in particular related to our processing of personal data, including biometric data for a specific purpose and specific situation), please contact the FINSTRUMENT data protection officer: ceo@finstrument.pl.
The full text of the General European Data Protection Regulation (GDPR) is available at: https://www.uodo.gov.pl/pl/404/224.